Every AI agent framework today handles authorization the same way: an API key in an environment variable. The agent gets the key, the agent gets full access. This is the equivalent of giving every employee the CEO's badge.
Why API keys fail for agents
Three reasons:
- No scope limitation — An agent with a GitHub token can read, write, delete, and admin. Even if it only needs to read one repo.
- No delegation chain — When Agent A spawns Agent B, there's no way to give B a subset of A's permissions.
- No audit trail — You can see that a token was used, but not which agent used it, for what task, or why.
The Zanzibar model
Google's Zanzibar paper introduced relationship-based access control (ReBAC). Instead of roles, you define relationships: "User X is an editor of Document Y." OpenFGA implements this model as an open-source project.
For agents, this translates to: "Agent A has tool:execute permission on github:read for repo:my-project within task:fix-bug-123."
Task-scoped delegation
The key pattern is task-scoped capability tokens:
Agent receives task → System mints scoped token → Token grants only required permissions → Token expires when task completes
This is what agentic-authz implements. Each MCP tool call is authorized against an OpenFGA policy in real-time. No static keys. No over-provisioning.
Audit everything
Every authorization decision becomes an audit event:
- Which agent requested access
- Which tool and resource were involved
- Whether access was granted or denied
- The task context that justified the request
This isn't just good security practice — it's a regulatory requirement for any agent operating in production with access to customer data.
Getting started
If you're building agents today, start with these steps:
- Replace static API keys with scoped tokens
- Define an authorization model for your tools (OpenFGA makes this straightforward)
- Log every authorization decision
- Set token expiry tied to task lifecycle
The infrastructure exists. The patterns are proven. The only thing missing is adoption.