Documentation Index
Fetch the complete documentation index at: https://docs.kontext.security/llms.txt
Use this file to discover all available pages before exploring further.
What an agent actually is
An agent is a process that calls APIs on behalf of a user, making decisions autonomously. It reads data, takes actions, and chains tool calls together without a human approving each step.
Every API call the agent makes requires authentication. When it opens a PR on GitHub, posts to a Slack channel, or updates a Linear ticket, it needs a credential for each service — and that credential must encode who is acting, on whose behalf, with what permissions, and for how long.
A typical agent loop looks like this:
# A simplified agent loop
def agent_loop(task: str, tools: list[Tool]):
plan = llm.plan(task, tools)
for step in plan:
# The agent decides which tool to call and with what arguments
result = step.tool.execute(**step.args)
# Each tool call hits a real API: GitHub, Slack, Linear, database, etc.
# The agent needs credentials for every one of these calls
- They are not users. There is no human at the keyboard approving each action.
- They are not service accounts. They do not run fixed system logic; they interpret user intent dynamically.
Consider a concrete example. A user says: “Summarize the open issues in my repo and post a summary to #engineering.” The agent needs:
- GitHub API access to list issues (scoped to that user and repo)
- Slack API access to post the summary (scoped to that workspace and channel policy)
// What the agent does under the hood
const issues = await github.issues.listForRepo({
owner: "acme-corp",
repo: "backend",
state: "open",
});
const summary = await llm.summarize(issues.data);
await slack.chat.postMessage({
channel: "#engineering",
text: summary,
});
Why credentials matter
Agents do not just generate text. The moment an agent opens a PR, comments on a review, posts in Slack, updates Linear, or queries a database, it must authenticate to those APIs.
A single task can require multiple credentials:
async function handleTask(task: string) {
// Step 1: Read context from GitHub
const pr = await github.pulls.get({ // needs GitHub credential
owner: "acme-corp",
repo: "backend",
pull_number: 42,
});
// Step 2: Analyze and decide
const review = await llm.analyze(pr.data);
// Step 3: Post review comment
await github.pulls.createReview({ // needs GitHub write scope
owner: "acme-corp",
repo: "backend",
pull_number: 42,
body: review.summary,
event: "COMMENT",
});
// Step 4: Notify the team
await slack.chat.postMessage({ // needs Slack credential
channel: "#code-review",
text: `Review posted for PR #42: ${review.summary}`,
});
// Step 5: Update the ticket
await linear.issueUpdate({ // needs Linear credential
id: "LIN-123",
stateId: "in-review",
});
}
The delegation chain
Every agent action is a chain of trust:
User Agent API
| | |
| "summarize my PRs" | |
|----------------------->| |
| | GET /repos/.../pulls |
| |--------------------------->|
| | Authorization: Bearer ... |
| | |
| | 200 OK |
| |<---------------------------|
// Example delegated credential claims
{
sub: "agent:pr-reviewer-v2", // WHO is acting
act: { sub: "user:[email protected]" }, // ON BEHALF OF whom
scope: "repo:read repo:write", // WITH what permissions
exp: 1709510400, // UNTIL when
aud: "https://api.github.com" // FOR which API
}
The identity gap
Most identity systems model humans and service accounts. Agents fit neither model.
| Principal | Authentication | Decision model | Typical scope |
|---|
| Human user | Interactive login (SSO, MFA) | Human makes decisions | Broad user permissions |
| Service account | Static secret or key | Fixed programmatic logic | Pre-provisioned system scope |
| Agent | Needs delegated credentials | Autonomous, LLM-driven | Per-user, per-task, time-limited |
There is no standard identity type for “an AI acting on behalf of Alice, read-only GitHub access, valid for 10 minutes.” That is the gap where most security issues begin.
