AI & Agents 23 May 2026 · 8 min

Agent-to-Agent Auth in 2026: Why OAuth Breaks Down for Crews

By wGrow Project Team · 23 May 2026

The recursive research sub-agent ran for six hours before anyone noticed. By morning it had consumed $50.34 in API credits, cycling through the same three endpoints in a tight loop. The parent orchestrator held a valid OAuth bearer token. The sub-agent inherited it. Every request authenticated cleanly. The audit log showed zero anomalies. The system functioned exactly as designed — and that is the architectural flaw.

OAuth 2.0 issues bearer tokens tied to an authorization grant — the grant can come from an interactive browser flow or a machine-to-machine exchange. The token identifies the human or a static service account. OAuth tracks who authorized the credential. It does not track which execution thread is spending it. When you move to autonomous agent crews, those two things — authorization and execution — split apart completely.

The Inherited Token Problem

Female engineer reviewing dense server activity logs on a vertical monitor.

Our Article Crew orchestrator spawns up to five asynchronous sub-agents: a researcher, a drafter, a fact-checker, a style reviewer, and a publication handler. Each sub-agent can recursively invoke tools. The researcher, in particular, chains web-scraping APIs, embedding APIs, and summarization endpoints in sequence.

At the time of the incident, all five were running under a single OAuth bearer token issued to the Article Crew service account — full read/write permissions to our API gateway, a 24-hour TTL, and no per-agent scoping or per-thread quotas anywhere in the chain.

The researcher hit a loop condition on a source URL returning partial content. Its retry logic correctly detected incomplete data and re-triggered the fetch sequence. Every re-trigger was a fully authorized API call. Nothing in the auth layer could distinguish “researcher retrying a valid task” from “runaway loop burning money.” The token was valid. The requests went through.

The blast radius extended to every API endpoint the service account could reach — which was most of our tooling stack. We got lucky it was read-heavy. A loop with write permissions and the same inherited token would have been considerably harder to clean up.

OAuth 2.0, specifically RFC 6749, defines tokens as representing the authorization grant. The grant belongs to the entity that requested it. In a human workflow, that entity is sitting at a keyboard making sequential decisions. In an agent crew, the entity that requested the token — the orchestrator — is not the entity spending it — the sub-agent. That gap is not an edge case. It is the standard operating mode of any concurrent multi-agent system.

Decoupling Authorization from Execution

Token Inheritance

Rate limiting is not the fix. Rate limiting controls volume, not identity. A sub-agent hitting a rate limit is an operational problem. A sub-agent whose identity is indistinguishable from four sibling agents and the parent orchestrator is an architectural one.

The required shift: identity must live at the execution thread, not the service account.

Human workflows are serial by default. A user authenticates, performs a task, gets a result. Intent and execution are bundled in a single session. Agent crews are concurrent by design. The orchestrator spawns sub-agents, and those sub-agents may spawn further sub-agents. At any moment, dozens of threads could be executing under the same root authorization. Which one burned the credits? Which one touched a sensitive endpoint? Which one is stuck in a loop?

Without execution-level identity, you cannot answer any of those questions from the auth layer. You are left reconstructing events from application logs after the fact, hoping the log is complete enough to trace the thread.

The architecture splits along two distinct boundaries: communication between separate crews, and execution within a single crew. The right control at each boundary is different.

mTLS Between Crews

Technical illustration of two server clusters connected by a locked data pipeline.

The boundary between our BD Crew and Finance Crew is the cleaner problem. Two separate orchestrators, two separate toolsets. The BD Crew generates engagement summaries and contract proposals. The Finance Crew handles pricing models and invoice generation. When the BD orchestrator needs a pricing validation from Finance, it makes an API call.

Under the original design, that call used a static API key living in an environment variable, rotated quarterly. This is a common setup. It is also a consistently inadequate one.

The failure mode is straightforward: anything running under the BD Crew’s environment — a sub-agent, a tool plugin, a prompt injection — that can read environment variables can make authenticated calls to Finance endpoints. The Finance gateway has no way to distinguish a legitimate pricing request from a rogue process that grabbed the key from memory.

We replaced static keys with mutual TLS for all inter-crew handoffs. The Finance Crew’s API gateway now requires a client certificate on every inbound request — issued to the BD orchestrator process, with the orchestrator’s identity encoded in a custom certificate extension. The certificate chain ties back to our internal CA, and the gateway validates the client certificate during the TLS handshake, before any application logic executes.

Unauthorized inter-agent requests are dropped at the transport layer. A sub-agent cannot impersonate the BD orchestrator provided the private key is held outside the sub-agent runtime and signing is restricted to the orchestrator process. A prompt injection cannot forge the certificate itself, though it can still abuse any code path that triggers authenticated orchestrator calls — key isolation is not optional. The Finance Crew’s exposure surface shrinks to entities holding valid certificates from our CA — not to any process that knows a static string.

This approach carries real operational overhead. Running an internal PKI means managing certificate issuance, distribution, and lifecycle across every crew boundary — none of which is free. Our rotation cycle runs at four hours for active crew sessions; OCSP-based revocation is checked synchronously on the gateway. When we decommission a BD orchestrator instance, its certificate is revoked within the same transaction that terminates the process. In our experience, teams without existing PKI infrastructure hit this wall quickly. mTLS pays off when the cost of exposure exceeds the cost of cert management, which is generally true the moment crews start touching financial or sensitive operational data.

Limiting Blast Radius with Scoped JWTs

mTLS Handshake

Initiation

Transport Layer

Application Layer

BD Crew

Present Client Cert

Finance Crew

Verify Crypto Proof

Execute Logic

The intra-crew problem is harder because sub-agents share a trust domain. They are all spawned by the same orchestrator and call overlapping tool sets. Within the Article Crew, the drafter and the fact-checker both call the same embedding API. Certificate-based isolation is impractical here. You need claim-level control.

We moved to short-lived JWTs scoped to specific execution branches. When the Article Crew orchestrator spawns a sub-agent, it mints a JWT for that sub-agent’s process. The payload extends the standard claims with three fields: agent_role (e.g. researcher, drafter), execution_branch_id (a UUID tied to the current pipeline run), and allowed_tools (an explicit list of permitted API endpoints).

Token TTL is 15 minutes. Sub-agents needing more time request a refresh from the orchestrator, which logs each extension. The API gateway validates allowed_tools on every inbound request — requiring custom claim-aware logic beyond standard JWT signature and expiry checks. A drafter JWT that attempts a web-scraping call gets a 403, not because the drafter lacks credentials, but because scraping is not in its declared tool scope.

There is a trust assumption baked into this model worth naming explicitly: it places significant trust in the orchestrator. If the orchestrator process itself is compromised, it can mint JWTs with whatever permissions it chooses. Intra-crew scoping is effective against runaway sub-agents and logic errors; it is not a defense against an attacker who has already gained control of the orchestrator. Network segmentation, least-privilege on the orchestrator’s own credentials, and anomaly detection on token-minting patterns remain necessary layers.

After the $50 incident, we added a credit quota field to the JWT payload. Each sub-agent receives a credit budget at spawn time, tracked against its `execution_branch_id`. When a sub-agent exhausts its quota, the gateway stops accepting its requests without affecting any sibling agent or the parent orchestrator's session. The researcher that hit the loop would have burned its branch budget and stopped. Total damage under the new scheme: approximately$ 2.50 per branch cap, not $50.34.

Revocation is immediate and surgical. If a sub-agent hits a recursion trap, we revoke its JWT by execution_branch_id. The orchestrator continues. Siblings continue. The dead branch is removed from the auth graph in under 200 milliseconds. That is what blast radius containment actually means in practice: the exact execution thread is isolated and terminated while everything else keeps moving.

What This Changes About Agent Design

Two IT professionals working on a system architecture diagram in a meeting room.

Decoded Payload

1	{
2	"sub": "user_414",
3	"crew": "crw_article",
4	"process_id": "pid_7729",	← ①
5	"exp": 1735689600	← ②
6	}
7

① Ties auth to the exact execution thread
② Short-lived expiry limits blast radius

Every API call in a correctly-designed agent crew should be attributable to a specific sub-agent, in a specific pipeline run, operating under a specific grant of permissions. If you cannot answer “which sub-agent made that call and under what authority,” your auth layer is underspecified for the system you are operating.

OAuth 2.0 is not broken — it works exactly as specified. The gap is narrower than it looks: a bearer token confirms that the API call was authorized; it says nothing about which execution thread, sub-agent branch, or recursive invocation is spending that authorization. Most teams building agent systems did not revisit their security model when they removed the human from the execution loop.

Static bearer tokens issued to service accounts will get you off the ground quickly. They will also make it impossible to isolate a bad prompt, a runaway loop, or an exploited sub-agent without taking the entire crew offline. For a prototype or a low-stakes single-agent tool, that trade-off may be acceptable. It is not acceptable for a system that runs overnight, touches financial data, or spawns more than two concurrent agents.

mTLS at the inter-crew boundary and scoped JWTs at the execution level are not exotic security choices. They are, in this context, the minimum viable auth architecture for concurrent multi-agent systems operating on sensitive data. The alternative is waking up to a $50 API bill and a log file that tells you nothing useful about which thread caused it.

Authentication in a multi-agent system is only meaningful when it cryptographically identifies the exact execution context making the request. Everything else is access control theater.

← All field notes Brief a crew →