Brokers hardly ever act alone. A consumer asks an agent to do one thing. The agent calls a instrument. The instrument calls one other agent. By the point work will get carried out, three or 4 actors have touched the request, every appearing on behalf of the one earlier than it.
Identification has to outlive that chain. At each hop, you should reply two questions, not one. Who initially requested this? And which actor is making this particular name? Lose both reply and also you lose the power to authorize the decision appropriately or clarify it afterward.
Two claims carry the entire chain
The requirements already mannequin this. RFC 8693 defines token alternate: an actor trades the token it acquired for a brand new one to make the subsequent name, with out discarding who got here earlier than. The token carries two claims that matter right here.
The sub declare is the topic, the unique principal. It’s the consumer who began the entire thing, and it doesn’t change because the request strikes down the chain.
The act declare is the actor, the get together making the present name. It does change. And when one agent calls one other, act nests: Agent B appearing on behalf of Agent A appearing on behalf of the consumer. Nested act is the one trustworthy strategy to symbolize a multi-hop chain, as a result of it retains each hyperlink as an alternative of collapsing them.
The failure mode has a reputation
The shortcut is to flatten the chain. As a substitute of exchanging tokens and nesting act, an agent re-mints a recent token that claims, in impact, “that is me, calling alone behalf.” It’s less complicated. It additionally destroys the chain.
Now sub factors on the agent, not the consumer. The unique principal is gone. Attribution is gone with it: the downstream instrument sees the agent and has no thought whose request set this in movement. And since the instrument solely sees the agent’s id, it authorizes towards the agent’s permissions, that are broader than what this particular activity ought to enable. You over-grant on each downstream name.
That is the confused deputy: a course of appearing with authority that was granted to another person, used for a objective the grantor by no means supposed. The flattened token is how the confused deputy will get created in an agent system. The preserved chain is the way you keep away from it. The distinction is whether or not you may nonetheless examine, on the instrument, who requested and who’s appearing.
The place the chain lives or dies in apply
This isn’t solely a requirements story. The chain is preserved or destroyed at two protocol surfaces the first viewers is deploying proper now.
Agent to instrument runs over the Mannequin Context Protocol (MCP). The mid-2025 MCP spec adopted OAuth 2.1 and RFC 9728 protected-resource metadata. That issues as a result of it lets an agent uncover what authorization a instrument requires as an alternative of hardcoding it. The agent reads the useful resource’s metadata, learns the place to get a token and what scope it wants, and asks for precisely that. Discovery is what makes scoped, per-tool authorization sensible at runtime.
Now the deployed actuality, as a result of the spec shouldn’t be the identical as what’s working. A big share of MCP servers within the wild ship with weak or absent authorization. The protocol helps doing this appropriately. Many deployments don’t. That hole is the whole topic of this collection: the requirements exist, and the techniques constructed on prime of them skip the elements that shield the chain.
Agent to agent runs over A2A and its Agent Playing cards. An Agent Card is a discoverable declaration of what an agent is, what it may possibly do, and which authentication schemes it accepts. It’s how one agent learns the right way to name one other and not using a human wiring the 2 collectively upfront. The cardboard can also be the place an agent advertises whether or not it expects a delegated token or will fortunately take something. Learn the playing cards in your ecosystem. They inform you the place the chain is revered and the place it’s about to be flattened.
These two surfaces, MCP and A2A, are the concrete locations the delegation chain is both inspectable finish to finish or quietly collapsed right into a token that lies about who’s appearing.
The take-away
Delegation shouldn’t be a token handed down the road. It’s a chain, and a wholesome chain is one you may examine at each hop: sub fastened on the unique principal, act nested via each actor that touched the request. Flatten it and you’ve got constructed a confused deputy that over-grants and can’t be audited.
In your individual techniques, the chain is preserved or misplaced at MCP and A2A. Verify two issues. Do your brokers alternate and nest tokens, or re-mint flat ones? And do the MCP servers and Agent Playing cards in your ecosystem truly require delegated authorization, or do they settle for no matter reveals up?
Now you can describe an agent, give it an id, and carry that id via a series of calls. The following query is the place the principles for all of this dwell. Who decides what an agent is allowed to do, and what occurs the second an agent has to behave someplace its personal platform doesn’t attain? That’s the subsequent submit.
