Agentic JWT: A Secure Delegation Protocol for Autonomous AI Agents
Published on arXiv: 2509.13597
Excessive Agency (OWASP LLM Top 10 — LLM08)
Insecure Plugin Design (OWASP LLM Top 10 — LLM07)
Key Finding
Python proof-of-concept demonstrates functional blocking of scope-violating requests, replay attacks, impersonation, and prompt-injection privilege escalation with sub-millisecond overhead on commodity hardware.
Agentic JWT (A-JWT)
Novel technique introduced
Autonomous LLM agents can issue thousands of API calls per hour without human oversight. OAuth 2.0 assumes deterministic clients, but in agentic settings stochastic reasoning, prompt injection, or multi-agent orchestration can silently expand privileges. We introduce Agentic JWT (A-JWT), a dual-faceted intent token that binds each agent's action to verifiable user intent and, optionally, to a specific workflow step. A-JWT carries the agent's identity as a one-way checksum hash derived from its prompt, tools and configuration; a chained delegation assertion proving which downstream agent may execute a given task; and per-agent proof-of-possession keys that prevent replay and in-process impersonation. We define a new authorization mechanism and add a lightweight client shim library that self-verifies code at run time, mints intent tokens, tracks workflow steps and derives keys, thus enabling secure agent identity and separation even within a single process. We present a comprehensive threat model for agentic applications, implement a Python proof-of-concept and show functional blocking of scope-violating requests, replay, impersonation, and prompt-injection pathways with sub-millisecond overhead on commodity hardware. The design aligns with ongoing OAuth agent discussions and offers a drop-in path toward zero-trust guarantees for agentic applications. A comprehensive performance and security evaluation with experimental results will appear in our forthcoming journal publication.
Key Contributions
- Dual-faceted intent token (A-JWT) that binds agent actions to verifiable user intent and specific workflow steps, carrying a one-way checksum of the agent's identity (prompt, tools, config)
- Chained delegation assertion mechanism proving which downstream agent may execute a task, with per-agent proof-of-possession keys preventing replay and in-process impersonation
- Lightweight client shim library that self-verifies code at runtime, mints intent tokens, tracks workflow steps, and derives keys — demonstrated with sub-millisecond overhead blocking scope violations, replay, impersonation, and prompt-injection pathways
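As an added illustration (not the paper's code, and not its actual claim layout), the following toy Python version walks through the mechanism the abstract and contributions describe: it mints an HS256 intent token carrying a one-way agent identity checksum, a delegation chain and a scope, and a verifier that rejects replay, scope violations, stolen-token presentation and impersonation using per-agent proof-of-possession keys. The claim names, keys and agent definitions are constructed assumptions.

```python
import base64, hashlib, hmac, json
def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def agent_identity(prompt: str, tools: list, config: dict) -> str:
    # One-way checksum over the agent definition: any change to prompt, tools or config yields a new id.
    canonical = json.dumps({"prompt": prompt, "tools": sorted(tools), "config": config}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()
def mint(claims: dict, issuer_key: bytes) -> str:
    # Minimal HS256 JWT (header.payload.signature); claim names here are hypothetical, not the paper's.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(issuer_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"
def pop_sign(token: str, request: str, agent_key: bytes) -> str:
    # Proof-of-possession: the presenting agent binds this exact request to the token with its own key.
    return hmac.new(agent_key, f"{token}|{request}".encode(), hashlib.sha256).hexdigest()

def verify(token, request, pop_sig, presenter, agent_keys, issuer_key, seen_jti):
    # Returns "ok" or the reason the request is blocked.
    header, payload, sig = token.split(".")
    expected = hmac.new(issuer_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return "bad-signature"
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["delegation"][-1] != presenter:
        return "impersonation"  # token was delegated to a different agent than the one presenting it
    if not hmac.compare_digest(pop_sign(token, request, agent_keys[presenter]), pop_sig):
        return "bad-pop"  # presenter does not hold the key registered for the agent it claims to be
    if claims["jti"] in seen_jti:
        return "replay"  # this intent token has already been consumed
    if request.split(":")[0] not in claims["scope"]:
        return "scope-violation"  # e.g. an injected instruction reaching for a tool outside user intent
    seen_jti.add(claims["jti"])
    return "ok"

def demo() -> dict:
    issuer_key, seen = b"issuer-secret-demo", set()  # constructed scenario, not real key material
    orch = agent_identity("Plan the task", ["delegate"], {"model": "m1"})
    worker = agent_identity("Read calendar only", ["calendar.read"], {"model": "m1"})
    rogue = agent_identity("Read calendar only", ["calendar.read", "mail.send"], {"model": "m1"})
    keys = {orch: b"k-orch", worker: b"k-worker", rogue: b"k-rogue"}  # per-agent PoP keys
    token = mint({"sub": "user42", "jti": "n-001", "scope": ["calendar.read"], "delegation": [orch, worker]}, issuer_key)
    def attempt(req, presenter, key, seen=None):
        return verify(token, req, pop_sign(token, req, key), presenter, keys, issuer_key, set() if seen is None else seen)
    return {"allowed": attempt("calendar.read:today", worker, keys[worker], seen),
            "replay": attempt("calendar.read:today", worker, keys[worker], seen),
            "escalation": attempt("mail.send:summary", worker, keys[worker]),
            "stolen_token": attempt("calendar.read:today", worker, keys[rogue]),
            "impersonation": attempt("calendar.read:today", rogue, keys[rogue])}
```

Note that the rogue agent differs from the worker only by one extra tool, which is enough to change its identity checksum and so its position in the delegation chain.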