AI Agent Authorization Glossary

Plain definitions of the terms AgentAdmit works with. Each one answers a real question about giving AI agents scoped, revocable, user-controlled access to the data behind your app.

User-Mediated Authorization

The authorization credential is delivered to the human, not to the agent, and the human hands it to the agent.

A pattern for granting an AI agent access in which the authorization credential is delivered to the human user through a channel the user controls (an in-app display, email, SMS, or QR code), and the user then hands it to their agent out of band. Because there is no redirect, callback, webhook, or other agent-addressable path, the authorization decision happens outside the agent’s execution context. A prompt-injected agent cannot obtain or escalate access on its own.

Read the full explainer

Self-Describing Credential

A credential that tells the agent where to exchange it, with no preconfiguration.

A connection credential that encodes where it should be exchanged, so an AI agent can determine the exchange endpoint from the credential itself, with no preconfigured knowledge of the application, its APIs, or its authorization infrastructure. This removes the cold-start problem of connecting an agent to an application it has never seen before.

Read the full explainer

Discovery-by-Introspection

One exchange returns the access token plus a scope-filtered, field-level map of what the agent may call.

A connection-level discovery mechanism in which exchanging or introspecting a credential returns not just an access token but scope-filtered operational metadata: the application identity, only the endpoints the agent is authorized to call, and field-level request schemas for each. An agent with read-only scope sees only read endpoints. The agent can construct valid requests directly, without external documentation.

Read the full explainer

The authorization layer for AI agents

Scoped, revocable, user-controlled access for the agents calling your APIs.

See how it works