AI Agent Authorization Glossary
Plain definitions of the terms AgentAdmit works with. Each one answers a real question about giving AI agents scoped, revocable, user-controlled access to the data behind your app.
Self-Describing Credential
A credential that tells the agent where to exchange it, with no preconfiguration.
A connection credential that encodes where it should be exchanged, so an AI agent can determine the exchange endpoint from the credential itself, with no preconfigured knowledge of the application, its APIs, or its authorization infrastructure. This removes the cold-start problem of connecting an agent to an application it has never seen before.
Read the full explainerDiscovery-by-Introspection
One exchange returns the access token plus a scope-filtered, field-level map of what the agent may call.
A connection-level discovery mechanism in which exchanging or introspecting a credential returns not just an access token but scope-filtered operational metadata: the application identity, only the endpoints the agent is authorized to call, and field-level request schemas for each. An agent with read-only scope sees only read endpoints. The agent can construct valid requests directly, without external documentation.
Read the full explainerCaller-Identity Consent
One API, multiple caller classes, each consented to independently by the data owner with no inheritance.
A model in which one API surface serves multiple classes of caller (a human session, the application’s own AI, and an external AI agent) and the data owner consents to each class independently, with no class inheriting another’s permission. The class is derived from the structure of the credential, so a caller cannot self-select or spoof it. The model is not limited to three classes; the same independent-path pattern extends to new classes, such as a verified-agent class, as they emerge.
The authorization layer for AI agents
Scoped, revocable, user-controlled access for the agents calling your APIs.
See how it works