Agent-Native Authorization with Human-in-the-Loop

Agent-Native Authorization (ANA) is a framework that enables AI agents to request Just-in-Time authorization through structured Human-in-the-Loop steps, directly inside AI conversations and CLI tools. Built on open standards and the TwoGenIdentity IA+ framework, the same flow works natively across any AI assistant or CLI agent, with no proprietary lock-in and no browser redirect.

The Framework

Works for Every Type of Agent

Built on open standards and the TwoGenIdentity IA+ framework, ANA delivers the same native authorization flow regardless of how the agent interacts with protected resources. When elevated privileges are required, the agent requests Human-in-the-Loop input mid-flow, completing the challenge without leaving the conversation or terminal.

TwoGenIdentity Agents

Our agentic orchestration layer supports JIT and Intent Authorization natively, with MCP Apps, A2A protocol, workload identity, and multiple PEPs across the full agentic stack.

AI Assistants

Enterprise AI assistants like GitHub Copilot, Claude, and OpenAI. The Human-in-the-Loop step happens directly inside the conversation, with no context switch.

CLI Agents

Terminal-based agents like Claude Code, GitHub CLI, and custom automation scripts. Authentication steps are requested and completed natively in the terminal, with no browser redirect.

How It Works

How Agent-Native Authorization Works

A structured flow that enforces Zero Trust authorization for agent actions requiring elevated privileges. Each numbered step in the terminal maps directly to the flow and applies to any agent type.

  1. User Requests a Critical Action

     The user asks the AI agent (AI assistant or CLI) to perform a sensitive or privileged operation, such as disabling a policy or modifying access rules.

  2. Authorization Layer Enforces Protection

     The gateway intercepts the request and applies AuthZEN-compliant authorization decisions, detecting that elevated authentication is required.

  3. Agent Requests Human-in-the-Loop Input

     The agent detects the step-up requirement and triggers MCP Elicitation to request structured HITL input directly inside the conversation or terminal.

  4. User Completes Authentication

     The user fulfills the authentication challenge (OTP, Authenticator App, WebAuthn) natively, with no browser redirect needed.

  5. Elevated Token Issued — Action Succeeds

     The Identity Provider issues a cryptographically bound token with elevated privileges. The agent completes the original action successfully.

AI Agent CLI

  1  user@agent ~ Disable User X0001
  2  AI Security Gateway: DENIED. Just-in-time Authorization required.
  3  Elicitation triggered...
  4  Identity Provider: Passkey challenge
     | Touch your security key...
  5  Passkey verified. Elevated token issued.
     Action authorized. User X0001 disabled.

AI Agent Web

  1  Disable user alice
  2  Authorization required to proceed
  3  Action: disable_user
     Resource: alice
  5  Elevated token issued. User alice disabled.
     How can I help you today?

Technical Reference

How It Works in Depth

Zero Trust architecture across AI and API services. Both routes enforce the same AuthZEN policy engine through dedicated IA+ gateways.

[Diagram: Zero Trust AI / API Security Architecture]
Identity Access Plus (IA+) IAM Platform: Authentication Engine (Authentication · OAuth 2.1 / OIDC · JIT Authorization Context) and Authorization Engine (Policy Decision Point · OpenID AuthZEN; evaluates every authorization request and returns allow / deny).
AI / MCP layer: AI Agent (CLI / Web / Desktop) → MCP Protocol tool/call → IA+ MCP GW (AuthZEN PEP #1, AI / MCP Security Layer) → MCP Server & MCP Apps.
API layer: REST / HTTP → IA+ API GW (AuthZEN PEP #2, API Security Layer) → API Backend.
Legend: Security GW (PEP) · IAM / Identity · Agent / Actor · Service / API · Data Flow · OAuth 2.0.

How MCP Elicitation drives inline authorization. The gateway triggers a challenge, the agent presents it natively, and an elevated token is issued once verified.

[Diagram: Agent-Native Authorization Flow. Participants: You (User), AI Assistant (Agent / CLI), Security Gateway (MCP Gateway · Server), Identity Provider (IA+ IAM Platform)]

REQUEST
  1. Ask AI to perform a sensitive action
  2. AI calls tool on your behalf (MCP)
  3. Needs higher auth: request challenge
  4. Returns list of verification steps required

VERIFY LOOP (repeats for each verification step until complete)
  5. Send verification challenge prompt
  6. Prompt you inline, no redirect
  7. You verify: passkey · OTP · biometric
  8. Submit your verification result
  9. Forward proof to Identity Provider
  10. Elevated token issued ✓, then retry the original request with the elevated token

DONE
  11. Action completed, return result
  12. Done ✓, action completed
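As an added illustration of steps 2 through 5 of the flow above and of the gateway-to-Identity-Provider exchange in the flow diagram (example code written for this page, not TwoGenIdentity's implementation), the following Python sketch shows a stand-in AuthZEN policy decision that denies a sensitive tool call until an elevated token is presented, and accepts that token only if it is bound to the exact subject, action and resource. The subject/action/resource/context request shape follows the AuthZEN evaluation API; the `step_up` context, the `acr` and `op` claims, the ACR label `mfa`, and the HMAC standing in for the Identity Provider's signature are assumptions.

```python
import hashlib
import hmac
import json

# Constructed policy and key material; a real deployment reads these from the PDP and the IdP.
SENSITIVE_ACTIONS = {"disable_user", "modify_access_rules"}
REQUIRED_ACR = "mfa"                 # assumed ACR label for a completed step-up
IDP_KEY = b"constructed-demo-key"    # stands in for the Identity Provider's signing key

def authzen_request(subject_id, action, resource_id, elevated_token=None):
    """Map an agent tool call onto an AuthZEN evaluation request (Subject, Action, Resource, Context)."""
    context = {"elevated_token": elevated_token} if elevated_token else {}
    return {"subject": {"type": "user", "id": subject_id},
            "action": {"name": action},
            "resource": {"type": "user", "id": resource_id},
            "context": context}

def operation_binding(action, resource_id):
    """Digest that pins a token to one (action, resource) pair."""
    return hashlib.sha256(f"{action}:{resource_id}".encode()).hexdigest()

def issue_elevated_token(subject_id, action, resource_id, acr):
    """Stand-in IdP: claims bound to the exact operation, authenticated with an HMAC (assumed format)."""
    claims = {"sub": subject_id, "acr": acr, "op": operation_binding(action, resource_id)}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(IDP_KEY, body, "sha256").hexdigest()}

def token_is_authentic(token):
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(IDP_KEY, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, token["sig"])

def evaluate(req):
    """Stand-in AuthZEN PDP: returns {"decision": bool}, with step-up hints in the response context."""
    action, resource_id = req["action"]["name"], req["resource"]["id"]
    if action not in SENSITIVE_ACTIONS:
        return {"decision": True}
    token = req["context"].get("elevated_token")
    if token is None or not token_is_authentic(token):
        # Deny and tell the gateway which challenge to elicit from the user (step 3 of the flow).
        return {"decision": False,
                "context": {"step_up": {"acr": REQUIRED_ACR, "methods": ["passkey", "otp"]}}}
    claims = token["claims"]
    bound_correctly = (claims["sub"] == req["subject"]["id"]
                       and claims["acr"] == REQUIRED_ACR
                       and claims["op"] == operation_binding(action, resource_id))
    if not bound_correctly:
        return {"decision": False, "context": {"reason": "token not bound to this operation"}}
    return {"decision": True}
```

The replay checks at the end are the point of operation binding: a token minted for disabling one user is rejected when presented for any other subject, action or resource.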

Live Demo

See Agent-Native Authorization in Action

Three demos, one framework. The TwoGenIdentity Agent runs the full agentic stack with MCP Apps and runtime JIT authorization. The same ANA flow also works natively across other AI assistants, whether the user authenticates with OTP, Authenticator App, or a Device-Bound Passkey.

TwoGenIdentity Agent

TwoGenIdentity Agent: Full Agentic Stack with runtime just-in-time Authorization

TwoGenIdentity Agentic Orchestration Layer · MCP Apps · A2A · Passkeys

Agent: Attempts sensitive action via Agentic Orchestration Layer. Multiple PEPs enforce policy across the stack.
MCP App: Surfaces JIT authorization request inline using SARC model (Subject, Action, Resource, Context). No browser redirect.
User: Approves with registered Passkey. Same credential as standard login, extended to agent authorization.
Done: Cryptographic proof issued. Agent continues with an elevated token bound to the exact operation.

AI Assistants: Claude Code · GitHub Copilot · and others

Claude Code & GH Copilot: OTP / Authenticator App

Gateway: AuthZEN enforces access control
Agent: Orchestrates JIT AuthZ via MCP Elicitation
User: Authenticates via OTP or Authenticator App
Done: Elevated token issued, action proceeds

Claude Code: Device-Bound Passkeys (Security Key)

Gateway: AuthZEN enforces access control
Agent: Orchestrates JIT AuthZ via MCP Elicitation
User: Device-bound passkey signs a hardware-bound, phishing-resistant assertion. The key never leaves the device.
Done: Cryptographic proof bound to the exact operation

Why Agent-Native Authorization

Built on open standards, designed for the agentic era. A full runtime security layer for both humans and AI agents.

No Browser Redirect

Authentication flows run natively inside AI assistants and CLI tools. Zero friction for humans and agents.

Cryptographic Proof

Every elevated action is backed by a token cryptographically bound to that exact operation. The proof is tied to the specific context, not to a generic elevated session.

SARC Authorization Model

Runtime approvals use a Subject-Action-Resource-Context model. The flow works the same regardless of the agent framework or AI assistant.

Zero Trust Enforced

Every request, from humans and agents, is verified. Trust is never assumed, always earned.

Explore the Full Platform

Agent-Native Authorization is powered by the TwoGenIdentity Identity Access Plus (IA+) platform. Explore the IAM platform, the AuthZEN MCP Gateway that enforces policy at every agent request, and the Keycloak MCP App that drives JIT authorization flows.