Descope launches Agentic Identity Hub (Image Credit: Descope)

Descope has launched its Agentic Identity Hub to address the authentication and authorisation of AI agents. It wants to address the challenge many organisations face with letting AI agents access and use applications. Among those challenges are being able to identify an agent and understand what rights and permissions it requires in order to complete tasks.

Slavik Markovich, Co-founder and CEO of Descope, said, “As AI systems make our lives easier, we must ensure the lives of developers building AI don’t become harder. The Agentic Identity Hub provides a set of tools to help developers spend more time on the interesting work of building and fine-tuning their AI systems and hardly any time on the nitty-gritties of authentication and access control.

“True enterprise AI adoption won’t happen without a robust, interoperable identity infrastructure working behind the scenes, and we’re excited to be a part of that infrastructure.”

What is the problem Descope is addressing?

Interest in using agents to complete tasks and increase automation is rising. But how do you assign access rights to applications and data to an agent? Should it inherit the role-based access from the user who instantiates it? What if it needs more rights? How does it get those? How do you control and understand what is an AI, and what is a user, if it masquerades as a user?

These are all hard questions that are creating a lot of conversations as organisations worry about agentic AI and what it accesses. IT Security teams, in particular, are concerned about being able to distinguish a valid agentic AI approach from malware using stolen credentials.

For organisations and individuals to get the most out of AI, there needs to be a way for users to grant AI the rights it needs. That doesn’t mean all rights, just those required for the task the user is giving it.

Descope reviving OAuth to solve the problem

Descope has decided that the easiest way for a human to grant an AI agent rights is to use a proven technology, OAuth. When the agent asks for permission to act on behalf of the user, the user can grant it read/write/edit access for specific tasks. In the case of a calendar app, that might be to create/update/delete meetings. Users can also revoke rights when they are no longer needed.

OAuth and similar mechanisms are already used by a number of apps. It is not uncommon to link apps together and find an app asking for permission to post or create on your behalf. However, many of these apps take far more permissions than a user might want and make it difficult to rein them in. This is where Descope says its approach is better. The user retains control of what the agent can do.

Descope says that it has support for over 50 third-party tools and apps. This breadth of support is important. It means that organisations that look to adopt the Descope solution are not left having to build their own integrations. For those who want to go further, the company also supports developers using the Model Context Protocol (MCP) through its “purpose-built authorisation APIs and SDKs.”

What is new with this announcement?

Descope is announcing three capabilities. They are:

  • Inbound Apps, which provide every application an easy way to become its own identity provider using the OAuth standard. This allows AI agents to securely authenticate, access authorized user data, and take scoped actions on behalf of users with their explicit consent.
  • Outbound Apps, which provide every AI agent builder a secure, scalable way to connect AI agents to external tools without having to manually manage and store tokens, scopes, and permissions. Developers can choose from over 50 out-of-the-box tool integration templates including Gmail, HubSpot, GitHub, Snowflake, Slack, Notion, and Shopify.
  • MCP Auth SDKs and APIs that help developers building and managing remote MCP servers secure their systems with robust authorization controls as well as extend the MCP servers’ functionality by connecting them with multiple OAuth-based services.

Enterprise Times: What does this mean?

This is an exciting announcement from Descope and offers a good solution to a problem that is very real for a lot of organisations. Making use of OAuth rather than creating a new protocol or solution is a sensible move. It gives the company access to a lot of developers and apps that are already using OAuth or are at least OAuth-ready.

It will be interesting to see how far this goes. One of the historic problems with OAuth is that many app owners have refused to allow it to set granular permissions. How will Descope get around that? It does have its own API and SDK, so they are possible solutions.

Another challenge is ensuring that IT can effectively track all the agents in use and what they are accessing. A user might grant an agent access for a task but give it perpetual rather than time-limited rights. Limiting the time is essential, as is knowing how often it is used. If it turns out that it isn’t used often, there needs to be a way for IT to revoke access. If granted and not used, there is a case for asking if the user needs the app.

Next week, Enterprise Times will publish an interview with Rishi Bhargava, co-founder at Descope, where we talk in more detail about this announcement.
