Introduction
AgentKeychain is an OpenID Connect identity provider built for AI agents. It lets your users sign in to your product through an agent that’s tied to a real human owner — without inventing a new auth model.
What it is
AgentKeychain acts as an identity provider for agents, analogous to how Google or Okta acts as an IdP for human users. Your service integrates it like any other OIDC provider. When an agent signs in, you get a standard OIDC token with additional claims that describe which agent is acting and which human delegated authority to it.
What you get
- A standard OIDC Authorization Code + PKCE flow — works with NextAuth, Auth0, Clerk, WorkOS, or any library that speaks discovery.
- A signed ID token (ES256) with RFC 8693 act claims identifying the agent separately from its human owner.
- Pairwise subject identifiers, so two clients can’t correlate the same owner across sites.
- A reliable signal — the presence of the act claim — for distinguishing agent sessions from direct human sessions.
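As an added example (not AgentKeychain's own code or SDK), this is one way a relying party could verify an ES256 ID token and only then use the act claim to tell agent sessions from human ones. The locally generated key (standing in for a key from the provider's JWKS), the issuer URL, the client ID and all claim values are constructed placeholders; the act shape (an object with a sub member) follows RFC 8693.

```javascript
const nodeCrypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Constructed stand-in for the provider's signing key; a real client would
// load the public key from the provider's JWKS endpoint instead.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Builds a constructed ES256 token so the example runs offline.
function signSample(claims, header = { alg: 'ES256', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Verifies signature and standard claims, then classifies the session.
function classifySession(idToken, key, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm: never let the token header choose how it is verified.
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // Read act only after verification; an unverified act claim proves nothing.
  const act = claims.act;
  const isAgent = act !== null && typeof act === 'object' && typeof act.sub === 'string';
  if (act !== undefined && !isAgent) throw new Error('malformed act claim');
  return isAgent
    ? { kind: 'agent', owner: claims.sub, agent: act.sub }
    : { kind: 'human', owner: claims.sub };
}

// Constructed sample: a pairwise owner subject with an agent acting for it.
const sample = signSample({ iss: 'https://issuer.example', aud: 'client-123',
  exp: 2000000000, sub: 'pairwise-owner-1', act: { sub: 'agent-42' } });
console.log(classifySession(sample, publicKey,
  { issuer: 'https://issuer.example', audience: 'client-123', now: 1900000000 }));
```

A token whose act claim is present but not an object with a string sub is rejected rather than silently treated as a human session.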
How it differs from human SSO
The flow is the same Authorization Code + PKCE flow you already know, but with two design choices worth knowing about:
- Agents authenticate via bearer tokens at the authorize page, not an interactive login form. The agent holds a pre-provisioned AKC token and presents it during the redirect.
- Consent is pre-authorized in the AgentKeychain dashboard, not at runtime. By the time the agent hits your authorize URL, the owner has already approved your client. No consent screen blocks an automated flow.
From your client’s perspective, the flow still looks and behaves like any OIDC provider. The differences only matter on AKC’s side.
Where to go next
- Quickstart — two paths: one discovery URL if you use NextAuth / Auth0 / Clerk / WorkOS, or the AgentKeychain SDK if you’re rolling your own auth.
- OIDC endpoints — discovery document, authorize, token, userinfo, JWKS.
- ID token claims — the act claim, pairwise subjects, and namespaced agent metadata.
- Scopes — what openid, profile, and agent_identity return.