Agent-Native Authorization

Agent-Native Authorization with Human-in-the-Loop

Agent-Native Authorization (ANA) is a new framework that enables AI agents to orchestrate secure, Just-In-Time authorization through structured Human-in-the-Loop steps directly inside AI conversations and CLI tools, producing real-time cryptographic proof bound to the exact operation. Built on open standards, our modular IA+ AI/IAM Security framework delivers true interoperability: the same authorization flow works natively across any AI assistant (GitHub Copilot, Claude, OpenAI) or CLI agent, with no proprietary lock-in and no browser redirect.

The Framework

Agent-Native Authorization (ANA)

ANA is an authorization framework that combines OAuth 2.0 native flows (the IETF OAuth 2.0 for First-Party Applications draft, FiPA) with Elicitation metadata that AI agents interpret natively.
The IA+ IAM Platform controls the authentication flow and exposes structured step metadata that any agent can interpret and act on.
When elevated privileges are required, the agent requests Human-in-the-Loop input mid-flow and completes the authentication challenge without leaving the conversation or terminal.
The result: Just-In-Time, context-aware authorization with cryptographic proof bound to the requested operation, built on open specifications and working across AI assistants and CLI agents.

Works for Every Type of Agent

Built on open standards and a modular IA+ framework, ANA delivers the same native authorization flow regardless of how the agent interacts with protected resources. Proven across multiple AI assistants and CLI tools.

AI Agents

Enterprise AI assistants like GitHub Copilot, Claude, OpenAI, and other AI-native interfaces. The Human-in-the-Loop step happens directly inside the conversation, with no context switch.

CLI Agents

Terminal-based agents like Claude Code, GitHub CLI, and custom automation scripts. Authentication steps are requested and completed natively in the terminal, with no browser redirect.

How It Works

How Agent-Native Authorization Works

A structured flow that enforces Zero Trust authorization for agent actions requiring elevated privileges. Each numbered line in the demo transcripts below maps to the corresponding step, and the flow applies to any agent type.

  1. User Requests a Critical Action

     The user asks the AI agent (AI assistant or CLI) to perform a sensitive or privileged operation, such as disabling a policy or modifying access rules.

  2. Authorization Layer Enforces Protection

     The gateway (the policy enforcement point) intercepts the request and submits it to the AuthZEN policy decision point. The decision comes back as deny with a step-up requirement, signalling that elevated authentication is needed before the action can proceed.

  3. Agent Requests Human-in-the-Loop Input

     The agent detects the step-up requirement and triggers MCP Elicitation to request structured HITL input directly inside the conversation or terminal.

  4. User Completes Authentication

     The user fulfils the authentication challenge (OTP, Authenticator App, WebAuthn) natively, with no browser redirect.

  5. Elevated Token Issued, Action Succeeds

     The Identity Provider issues a token with elevated privileges, cryptographically bound to the original operation. The agent retries the original action with that token and it succeeds.

AI Agent CLI

    1  user@agent ~ Disable User X0001
    2  AI Security Gateway: DENIED. Just-in-time Authorization required.
    3  Elicitation triggered...
    4  Identity Provider: Passkey challenge
       | Touch your security key...
    5  Passkey verified. Elevated token issued.
       Action authorized. User X0001 disabled.

AI Agent Web (powered by TwoGenIdentity)

    1  Disable User X0001
    2  Biometric Authentication required to proceed.
    3  Please authenticate with Passkeys to execute this action.
       Tool: disable_user_by_id · args: {"user":"X0001"}
    4  (user completes the passkey challenge)
    5  ✓ Elevated token issued. User X0001 disabled.
       How can I help you today?
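The five steps above, and the two demo transcripts, written out as an added runnable simulation. This is example code written for this page, not the IA+ platform's implementation. The AuthZEN evaluation request/response and the MCP elicitation/create message shapes follow the published specifications; the step-up policy rule, the tool name disable_user_by_id (taken from the transcript), the op_hash claim, the HMAC-signed token standing in for the Identity Provider's signed JWT, and the EXPECTED_PROOF constant standing in for a verified passkey assertion are all assumptions. The same block also illustrates the "Cryptographic Proof" point made further down: the elevated token carries a hash of the exact tool call, so the gateway refuses it for any other user ID or tool.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Binding target: canonical hash of the exact tool call the user asked for.
def op_hash(tool: str, args: dict) -> str:
    """SHA-256 over canonical JSON of (tool, args); the elevated token is bound to this value."""
    canon = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

# Policy Decision Point. Request/response shape follows the OpenID AuthZEN Authorization API
# (subject / action / resource / context in, {"decision": bool, "context": {...}} out);
# the rule itself is an assumed toy policy for this example.
STEP_UP_TOOLS = {"disable_user_by_id"}   # assumed: tools that need a fresh strong factor
ELEVATED_AMR = {"hwk", "otp"}            # RFC 8176 amr values this policy accepts as "elevated"

def pdp_evaluate(req: dict) -> dict:
    tool = req["action"]["name"]
    amr = set(req.get("context", {}).get("amr", []))
    if tool in STEP_UP_TOOLS and not (amr & ELEVATED_AMR):
        bound = op_hash(tool, req["resource"]["properties"]["args"])
        return {"decision": False, "context": {"reason": "step_up_required", "op_hash": bound}}
    return {"decision": True}

# MCP Elicitation: the elicitation/create request a server sends to the client
# (JSON-RPC shape per the MCP 2025-06-18 spec; requestedSchema is a flat object of primitives).
def elicitation_request(msg_id: int, prompt: str, bound: str) -> dict:
    schema = {"type": "object", "required": ["verification"],
              "properties": {"verification": {"type": "string", "description": "OTP code or passkey assertion"}}}
    return {"jsonrpc": "2.0", "id": msg_id, "method": "elicitation/create",
            "params": {"message": f"{prompt} (operation {bound[:12]})", "requestedSchema": schema}}

# Identity Provider stub. HMAC over the claims stands in for the IdP's JWS signature, and
# EXPECTED_PROOF stands in for a WebAuthn assertion the IdP has verified (both constructed).
IDP_KEY = secrets.token_bytes(32)
EXPECTED_PROOF = "passkey-assertion-ok"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def idp_issue_elevated_token(subject: str, proof: str, bound: str, ttl: int = 60) -> str:
    """Verify the user's proof, then issue a short-lived token carrying the operation hash."""
    if not hmac.compare_digest(proof, EXPECTED_PROOF):
        raise PermissionError("verification failed")
    now = int(time.time())
    claims = {"sub": subject, "amr": ["hwk"], "op_hash": bound,
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(IDP_KEY, body.encode(), "sha256").digest())

# Gateway (policy enforcement point).
def gateway_verify(token: str, tool: str, args: dict) -> dict:
    """Accept the elevated token only if it is authentic, unexpired and bound to THIS tool call."""
    body, sig = token.split(".")
    good = _b64(hmac.new(IDP_KEY, body.encode(), "sha256").digest())
    if not hmac.compare_digest(sig, good):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    if claims["op_hash"] != op_hash(tool, args):
        raise PermissionError("token is bound to a different operation")
    return claims

def token_valid_for(token: str, tool: str, args: dict) -> bool:
    try:
        gateway_verify(token, tool, args)
        return True
    except PermissionError:
        return False

def run_tool_call(subject: str, tool: str, args: dict, answer_elicitation) -> dict:
    """Gateway-side handling of one MCP tool/call. answer_elicitation(request) plays the AI client
    plus the human and returns an MCP elicitation result: {"action": ..., "content": {...}}."""
    authz = {"subject": {"type": "user", "id": subject},
             "action": {"name": tool},
             "resource": {"type": "mcp_tool", "id": tool, "properties": {"args": args}},
             "context": {"amr": []}}                       # no elevated factor yet
    decision = pdp_evaluate(authz)
    if decision["decision"]:
        return {"status": "allowed", "step_up": False}
    bound = decision["context"]["op_hash"]
    reply = answer_elicitation(elicitation_request(1, "Touch your security key to approve this action.", bound))
    if reply.get("action") != "accept":                    # decline / cancel: nothing is issued
        return {"status": "denied", "reason": "user did not complete verification"}
    try:
        token = idp_issue_elevated_token(subject, reply["content"]["verification"], bound)
    except PermissionError as err:
        return {"status": "denied", "reason": str(err)}
    claims = gateway_verify(token, tool, args)             # retry the original request with the token
    authz["context"]["amr"] = claims["amr"]
    if not pdp_evaluate(authz)["decision"]:
        return {"status": "denied", "reason": "policy still denies after step-up"}
    return {"status": "allowed", "step_up": True, "token": token, "amr": claims["amr"]}
```

The design point worth noticing is where the binding is checked: the PDP only says "step-up required" and hands back the operation hash, the IdP only attests the factor and copies that hash into the token, and it is the gateway, on the retry, that recomputes the hash from the live request and compares. A token minted for X0001 therefore cannot be replayed to disable X0002, and a non-sensitive tool such as a read never triggers elicitation at all.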

Multiple Layer Security

Zero Trust Across AI & API Services

AI agents access resources via MCP or directly via API. Both paths enforce the same AuthZEN policy engine through dedicated IA+ gateways — nothing is trusted by default.

Zero Trust AI / API Security Architecture (diagram)

    Identity Access Plus (IA+) IAM Platform
      Authentication Engine: Authentication · OAuth 2.1 / OIDC · JIT Authorization Context
      Authorization Engine: Policy Decision Point · OpenID AuthZEN (evaluates every authorization request, returns allow / deny)

    AI / MCP layer: AI Agent (CLI / Web / Desktop) → MCP Protocol tool/call → IA+ MCP GW (AuthZEN PEP #1, AI / MCP Security Layer) → MCP Server & MCP Apps
    API layer: REST / HTTP → IA+ API GW (AuthZEN PEP #2, API Security Layer) → API Backend

    Legend: Security GW (PEP) · IAM / Identity · Agent / Actor · Service / API · Data Flow · OAuth 2.0

Agent-Native Authorization Flow

How Elicitation Drives Native Authorization

When a sensitive action is requested, the gateway detects insufficient authorization and triggers a challenge. The Identity Provider returns structured verification steps the AI agent presents inline — no browser redirect, no context switch. Once verified, an elevated token is issued and the action proceeds automatically.

Agent-Native Authorization Flow (sequence diagram)

    Participants: You (User) · AI Assistant (Agent / CLI) · Security Gateway (MCP Gateway · Server) · Identity Provider (IA+ IAM Platform)

    REQUEST
      1. User → AI Assistant: ask AI to perform a sensitive action
      2. AI Assistant → Security Gateway: AI calls tool on your behalf (MCP)
      3. Security Gateway → Identity Provider: needs higher auth, request challenge
      4. Identity Provider → Security Gateway: returns list of verification steps required

    VERIFY (loop: repeats for each verification step until complete)
      5. Security Gateway → AI Assistant: send verification challenge prompt
      6. AI Assistant → User: prompt you inline, no redirect
      7. User → AI Assistant: you verify (passkey · OTP · biometric)
      8. AI Assistant → Security Gateway: submit your verification result
      9. Security Gateway → Identity Provider: forward proof to Identity Provider
     10. Identity Provider → Security Gateway: elevated token issued ✓ (retry original request with elevated token)

    DONE
     11. Security Gateway → AI Assistant: action completed, return result
     12. AI Assistant → User: Done ✓, action completed

Live Demo

See Agent-Native Authorization in Action

Two demos, one framework. The same ANA flow works natively whether the user authenticates with an OTP, Authenticator App, or a Device-Bound Passkey. No browser redirect and no context switch required.

Claude Code & GH Copilot: OTP / Authenticator App

  Gateway: AuthZEN enforces access control
  Agent: orchestrates JIT AuthZ via MCP Elicitation
  User: authenticates via OTP or Authenticator App
  Done: elevated token issued, action proceeds

Claude Code: Device-Bound Passkeys (Security Key)

  Gateway: AuthZEN enforces access control
  Agent: orchestrates JIT AuthZ via MCP Elicitation
  User: device-bound passkey signs a non-replayable, phishing-resistant assertion
  Done: cryptographic proof bound to the exact operation

Why Agent-Native Authorization

Built on open standards and designed for the agentic era, whichever way agents reach APIs.

Based on Open Standards

Built on OAuth 2.0 native flows (the IETF OAuth 2.0 for First-Party Applications draft, FiPA) and MCP Elicitation, both open specifications (FiPA is still an IETF draft), which gives native interoperability across any AI assistant or CLI agent with no proprietary lock-in.
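The Identity Provider side of the verify loop, shown as an added example of the FiPA native flow: an OAuth 2.0 for First-Party Applications authorization challenge endpoint that keeps an auth_session across steps and only returns an authorization_code once every step is complete, followed by the normal token endpoint. This is illustrative code written for this page, not TwoGenIdentity's implementation. The auth_session and authorization_code parameters and the insufficient_authorization, invalid_session and invalid_client error codes come from the IETF draft; the client_id ia-plus-cli, the single OTP step and its otp parameter, the three-failure lockout and the SAMPLE_USERS store are assumptions.

```python
import hmac
import secrets

SAMPLE_USERS = {"alice@example.com": {"sub": "X0001", "otp": "555121"}}   # constructed test user

class AuthorizationChallengeEndpoint:
    """Simulated FiPA authorization challenge endpoint plus token endpoint, in memory.
    auth_session, authorization_code and the errors insufficient_authorization, invalid_session
    and invalid_client come from the IETF draft; the OTP step, its `otp` parameter, the
    three-failure lockout and CLIENT_ID are assumptions for this example."""
    CLIENT_ID = "ia-plus-cli"

    def __init__(self, users: dict):
        self.users = users       # login_hint -> {"sub": ..., "otp": ...}
        self.sessions = {}       # auth_session -> in-progress verification state
        self.codes = {}          # authorization_code -> completed session (single use)
        self.tokens = {}         # access_token -> claims, for introspection

    def challenge(self, params: dict) -> tuple:
        """POST to the authorization challenge endpoint. Returns (http_status, json_body).
        Errors use HTTP 400 (the draft's default) except invalid_client, which keeps RFC 6749's 401."""
        if params.get("client_id") != self.CLIENT_ID:
            return 401, {"error": "invalid_client"}
        sess_id = params.get("auth_session")
        if sess_id is None:                                  # first request: open a session
            user = self.users.get(params.get("login_hint"))
            if user is None:
                return 400, {"error": "invalid_request"}
            sess_id = secrets.token_urlsafe(16)
            self.sessions[sess_id] = {"login_hint": params["login_hint"], "sub": user["sub"],
                                      "scope": params.get("scope", ""), "remaining": ["otp"],
                                      "amr": [], "failures": 0}
            return 400, {"error": "insufficient_authorization", "auth_session": sess_id}
        sess = self.sessions.get(sess_id)
        if sess is None:
            return 400, {"error": "invalid_session"}
        if "otp" in sess["remaining"] and "otp" in params:   # one iteration of the verify loop
            if hmac.compare_digest(params["otp"], self.users[sess["login_hint"]]["otp"]):
                sess["remaining"].remove("otp")
                sess["amr"].append("otp")                    # RFC 8176 amr value
            else:
                sess["failures"] += 1
                if sess["failures"] >= 3:                    # assumed lockout: the session is void
                    del self.sessions[sess_id]
                    return 400, {"error": "invalid_session"}
        if sess["remaining"]:                                # steps left: client must loop again
            return 400, {"error": "insufficient_authorization", "auth_session": sess_id}
        code = secrets.token_urlsafe(16)
        self.codes[code] = self.sessions.pop(sess_id)
        return 200, {"authorization_code": code}

    def token(self, params: dict) -> tuple:
        """Token endpoint: redeem the code from the challenge endpoint (no redirect_uri involved)."""
        if params.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        sess = self.codes.pop(params.get("code"), None)      # single use: a replayed code fails
        if sess is None:
            return 400, {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {"sub": sess["sub"], "amr": sess["amr"], "scope": sess["scope"]}
        return 200, {"access_token": access_token, "token_type": "Bearer", "expires_in": 60}

def native_login(ep: AuthorizationChallengeEndpoint, login_hint: str, scope: str, prompt_otp, max_rounds: int = 5):
    """Client side of the verify loop: keep posting to the challenge endpoint, carrying auth_session,
    until an authorization_code comes back, then redeem it. Returns the token's claims, or None."""
    params = {"client_id": ep.CLIENT_ID, "login_hint": login_hint, "scope": scope}
    for _ in range(max_rounds):
        status, body = ep.challenge(params)
        if status == 200:
            _, tok = ep.token({"grant_type": "authorization_code", "code": body["authorization_code"]})
            return ep.tokens.get(tok.get("access_token"))
        if body.get("error") != "insufficient_authorization":
            return None                                      # invalid_session, invalid_client, ...
        params = {"client_id": ep.CLIENT_ID, "auth_session": body["auth_session"], "otp": prompt_otp()}
    return None

def code_is_single_use(ep: AuthorizationChallengeEndpoint, login_hint: str, otp: str) -> bool:
    """Run the two-step exchange by hand and try to redeem the resulting code twice."""
    _, first = ep.challenge({"client_id": ep.CLIENT_ID, "login_hint": login_hint})
    status, body = ep.challenge({"client_id": ep.CLIENT_ID, "auth_session": first["auth_session"], "otp": otp})
    if status != 200:
        return False
    grant = {"grant_type": "authorization_code", "code": body["authorization_code"]}
    return ep.token(grant)[0] == 200 and ep.token(grant)[0] == 400
```

The point of the auth_session is that the native client never sees a browser: each insufficient_authorization response is just another prompt to render inline, and the server, not the client, decides when the list of remaining steps is empty. A second factor (for example a passkey assertion) would be added as another entry in "remaining" and another branch in challenge(), without changing the client loop.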

No Browser Redirect

Authentication flows run natively inside AI assistants and CLI tools. Zero friction for humans and agents.

Cryptographic Proof

Every elevated action is backed by a token cryptographically bound to that exact operation. The Identity Provider issues proof tied to the specific context, not a generic elevated session.

Works Everywhere

Compatible with any AI assistant, CLI agent, or custom agent, whether using MCP or calling APIs directly.

Authenticator-Agnostic

Supports OTP, Authenticator Apps, WebAuthn, and any IdP-supported authentication method.

Zero Trust Enforced

Every request, from humans and agents, is verified. Trust is never assumed, always earned.

Explore the Full Platform

Agent-Native Authorization is powered by the TwoGenIdentity Identity Access Plus (IA+) platform. Explore the IAM platform, the AuthZEN MCP Gateway that enforces policy at every agent request, and the Keycloak MCP App that drives JIT authorization flows.