> ## Documentation Index > Fetch the complete documentation index at: https://docs.kontext.security/llms.txt > Use this file to discover all available pages before exploring further. # Why Agents Need Credentials > Agents call APIs on behalf of users. Those APIs require authentication. ## What an agent actually is An agent is a process that calls APIs on behalf of a user, making decisions autonomously. It reads data, takes actions, and chains tool calls together without a human approving each step. Every API call the agent makes requires authentication. When it opens a PR on GitHub, posts to a Slack channel, or updates a Linear ticket, it needs a credential for each service — and that credential must encode who is acting, on whose behalf, with what permissions, and for how long. A typical agent loop looks like this: ```python theme={"system"} # A simplified agent loop def agent_loop(task: str, tools: list[Tool]): plan = llm.plan(task, tools) for step in plan: # The agent decides which tool to call and with what arguments result = step.tool.execute(**step.args) # Each tool call hits a real API: GitHub, Slack, Linear, database, etc. # The agent needs credentials for every one of these calls ``` Agents are often confused with two things they are not: * They are not users. There is no human at the keyboard approving each action. * They are not service accounts. They do not run fixed system logic; they interpret user intent dynamically. Consider a concrete example. A user says: "Summarize the open issues in my repo and post a summary to #engineering." The agent needs: * GitHub API access to list issues (scoped to that user and repo) * Slack API access to post the summary (scoped to that workspace and channel policy) ```typescript theme={"system"} // What the agent does under the hood const issues = await github.issues.listForRepo({ owner: "acme-corp", repo: "backend", state: "open", }); const summary = await llm.summarize(issues.data); await slack.chat.postMessage({ channel: "#engineering", text: summary, }); ``` Without credentials, the agent can only generate text that a human must copy and paste. With credentials, it can actually take action. This makes agents a fundamentally new kind of principal, one most identity infrastructure was not built to handle. ## Why credentials matter Agents do not just generate text. The moment an agent opens a PR, comments on a review, posts in Slack, updates Linear, or queries a database, it must authenticate to those APIs. A single task can require multiple credentials: ```typescript theme={"system"} async function handleTask(task: string) { // Step 1: Read context from GitHub const pr = await github.pulls.get({ // needs GitHub credential owner: "acme-corp", repo: "backend", pull_number: 42, }); // Step 2: Analyze and decide const review = await llm.analyze(pr.data); // Step 3: Post review comment await github.pulls.createReview({ // needs GitHub write scope owner: "acme-corp", repo: "backend", pull_number: 42, body: review.summary, event: "COMMENT", }); // Step 4: Notify the team await slack.chat.postMessage({ // needs Slack credential channel: "#code-review", text: `Review posted for PR #42: ${review.summary}`, }); // Step 5: Update the ticket await linear.issueUpdate({ // needs Linear credential id: "LIN-123", stateId: "in-review", }); } ``` Without credentials, the agent produces text. With credentials, it becomes an autonomous actor. ## The delegation chain Every agent action is a chain of trust: ```text theme={"system"} User Agent API | | | | "summarize my PRs" | | |----------------------->| | | | GET /repos/.../pulls | | |--------------------------->| | | Authorization: Bearer ... | | | | | | 200 OK | | |<---------------------------| ``` The credential must encode delegation: "this user authorized this agent to act on their behalf with specific permissions for a limited time." ```typescript theme={"system"} // Example delegated credential claims { sub: "agent:pr-reviewer-v2", // WHO is acting act: { sub: "user:alice@acme.com" }, // ON BEHALF OF whom scope: "repo:read repo:write", // WITH what permissions exp: 1709510400, // UNTIL when aud: "https://api.github.com" // FOR which API } ``` The user is not directly performing the API call. The agent is not acting on independent authority. It is delegated authority, made verifiable through credentials. ## The identity gap Most identity systems model humans and service accounts. Agents fit neither model. | Principal | Authentication | Decision model | Typical scope | | --------------- | ---------------------------- | ------------------------ | -------------------------------- | | Human user | Interactive login (SSO, MFA) | Human makes decisions | Broad user permissions | | Service account | Static secret or key | Fixed programmatic logic | Pre-provisioned system scope | | Agent | Needs delegated credentials | Autonomous, LLM-driven | Per-user, per-task, time-limited | Agents act for specific users, make dynamic decisions, and need tightly scoped, short-lived access. That combination does not map cleanly to existing identity primitives. *** There is no standard identity type for "an AI acting on behalf of Alice, read-only GitHub access, valid for 10 minutes." That is the gap where most security issues begin.