[gregw2]

I have a related question, is anyone developing standards on how agents can proxy the requestor identity to backend database or application layers? (short lived oauth tokens perhaps, not long lived credentials like the ShowHN seems to focus on?)

[mooreds]

Well, there's the token exchange RFC, which defines on-behalf-of/delegation and impersonation semantics.

https://datatracker.ietf.org/doc/html/rfc8693 has all the details, but here's an example:

   {
      "aud":"https://consumer.example.com",
      "iss":"https://issuer.example.com",
      "exp":1443904177,
      "nbf":1443904077,
      "sub":"user@example.com",
      "act":
      {
        "sub":"admin@example.com"
      }
   }

In this case, the user is user@example.com, but the actor is admin@example.com. (In the agentic case, the actor would be the AI agent.)

Is this kinda what you are looking for?