Phase 1: AI Assisted (2018-2022)
Autocomplete. Suggestions. Answering questions. The human clicked every button. In this era, AI was a tool inside an application. GitHub Copilot suggested lines of code — you hit Tab to accept. ChatGPT drafted an email — you read it, edited it, and clicked Send yourself. Google Smart Compose filled in sentences — you decided which ones to keep. The security model was simple: the human had the credentials, the human performed the actions, and the AI was just text generation sandboxed inside the UI. There was nothing to authorize because the AI never acted. OAuth 2.0 handled this perfectly. The user logged in, the app got a token, and every action was the user’s action.Phase 2: AI Generated (2023-2024)
Copilot writes the code. ChatGPT drafts the email. The human still reviews everything. This was the generation era. AI produced artifacts — code, text, images, data analysis — but the human was always in the loop before anything reached production. You reviewed the PR. You proofread the draft. You checked the analysis before presenting it. The security model held, barely. The AI generated content, but the human executed actions. The boundary between “AI suggested it” and “the human did it” was clear. Credentials still belonged to humans, and humans still made the final call. OAuth 2.0 still worked. A bit awkwardly — who authored the code, the human or the AI? — but the token holder was always human.Phase 3: AI Acts (2025-Now)
Agents read files, push code, call APIs, send emails, spend money — autonomously. This is where everything breaks. In 2025, AI agents stopped being generators and became actors. An agent does not suggest a calendar invite — it creates one. It does not draft a Slack message — it sends one. It does not recommend a purchase — it makes one. And it does all of this without a human reviewing each step, because the entire point of an agent is autonomous execution. The security model collapsed. OAuth 2.0 was designed for a human at a keyboard. The token represents the user’s session. The scopes were chosen at app registration time. Revocation is advisory, not instant. There is no concept of delegation depth, cascade invalidation, or per-agent identity. No auth layer exists for this phase.Why This Matters Now
The shift from Phase 2 to Phase 3 is not gradual — it is a cliff. Consider what changes:| Phase 2: Generated | Phase 3: Acts | |
|---|---|---|
| Who holds the credential? | Human | Agent |
| Who performs the action? | Human | Agent |
| Review before execution? | Always | Sometimes, often never |
| Blast radius of compromise? | Limited to human session | Everything the key can reach |
| Attribution | Clear — human did it | Unclear — which agent, authorized by whom? |
| Revocation urgency | Hours acceptable | Seconds required |
The Gap Is Being Exploited
Attackers figured this out before defenders did. In 2025 alone, 18.1 million API keys were stolen (SpyCloud). 29 million secrets were committed to GitHub — up 34% year-over-year. The average breakout time from initial access to lateral movement is now 29 minutes. But here is the critical insight: agents make the damage worse. A stolen API key in a human’s hands is dangerous. A stolen API key in an agent’s hands — running autonomously, 24/7, at machine speed — is catastrophic. A human with a compromised key might access a few files before someone notices. An agent with the same key will systematically traverse every accessible resource, exfiltrate data, and pivot to connected services in minutes. And it will do so silently, because agents do not trigger the behavioral heuristics designed to catch human attackers.What Authorization Needs to Look Like
The authorization layer for autonomous agents needs five properties that do not exist in OAuth 2.0:1. Per-Agent Identity
Every agent instance needs its own cryptographic identity — not a sharedclient_id, not an inherited API key. When an action happens, you need to know which specific agent did it, not just which application it came from.
Grantex assigns each agent a DID (Decentralized Identifier) backed by a key pair. The agent’s identity is verifiable, rotatable, and independent of the platform it runs on.
2. Human Consent Before Action
The user must see — in plain language — what the agent wants to do and explicitly approve it. Not a checkbox buried in a Terms of Service. A clear consent screen: “This agent wants to read your calendar and send emails on your behalf.” This is not just good UX. It is required by OWASP ASI-01, EU AI Act Article 13, and basic trust architecture.3. Scoped, Time-Limited Tokens
The agent gets exactly the permissions it needs —calendar:read, email:send — not unrestricted access to every API you have ever integrated. The token expires. The scopes are signed into the JWT and verified at every API call.
If the token is compromised, the attacker gets limited access for a limited time. Not root forever.
4. Instant, Cascading Revocation
One API call revokes the agent’s token. If the agent delegated to sub-agents, all their tokens are invalidated in the same operation. The revocation takes effect immediately — not at the next token expiry. In a world where breach-to-exfiltration takes 4 minutes, you cannot afford 1-hour token windows.5. Tamper-Proof Audit Trails
Every action is cryptographically linked to the grant that authorized it. Who approved it, when, what scopes were active, what the agent did with them. Hash-chained, append-only, exportable for compliance. When the auditor asks “what did this agent do?”, you have an answer that cannot be retroactively edited.The Standard Is Here
Grantex implements all five properties as an open protocol. Apache 2.0 licensed. IETF Internet-Draft submitted. SOC 2 Type I certified. SDKs for TypeScript, Python, and Go. Integrations with every major agent framework. The shift from copilot to autonomous agent happened fast. Authorization needs to catch up.Get Started
- How Grantex Works — the 5-step authorization flow
- Grantex vs. OAuth 2.0 — a detailed comparison
- Quickstart — authorize your first agent in 5 minutes
- Protocol Specification — the full open standard