Section 2

Agent Auth

Credentials on demand. No secrets in code.

Both agents authenticate to Descope STS to get a JWT. Policies are enforced at issuance — if the identity doesn't satisfy the condition, the token is denied before the agent reaches any downstream system. With a valid JWT, the agent can either present it directly to a Descope-protected internal service (a Descope Resource), or exchange it for credentials stored in the Connections vault (API keys or OAuth tokens) for external services that don't use Descope.

Two identity patterns. The AgentCore copilot uses authorization_code — a user JWT, user consent, user-scoped tokens. The n8n nightly sweep uses client_credentials — an m2m JWT, no user in the loop.

Section 2 · Agent outbound auth

Agents authenticate to Descope and receive scoped tokens. Policies fire at issuance. Downstream credentials are fetched from the Connections Vault — never stored in agent code.
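The flow described above, as an added Python model that is not Descope's code or API: a toy STS checks a hypothetical policy before signing a short-lived JWT, and a toy vault releases a downstream credential only for a connection named in a valid token. The function names, claim names, policy table, connection keys and the HS256 shared key are all assumptions made for illustration; a production STS would sign with an asymmetric key.

```python
import base64, hashlib, hmac, json, time

STS_KEY = b"constructed-demo-key"  # assumption: HS256 shared key, held only by the toy STS
VAULT = {"hubspot": "oauth-token-PLACEHOLDER", "loan-api": "api-key-PLACEHOLDER"}  # constructed
# Hypothetical policy table: connections each grant type may be issued a token for.
POLICY = {"authorization_code": {"hubspot", "loan-api"}, "client_credentials": {"loan-api"}}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input):
    return _b64(hmac.new(STS_KEY, signing_input.encode(), hashlib.sha256).digest())

def issue_jwt(agent, grant, connections, now=None):
    """STS side: evaluate policy first, so a denied identity never holds a token."""
    if not connections or not set(connections) <= POLICY.get(grant, set()):
        raise PermissionError("denied at issuance")
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": agent, "grant": grant, "conn": sorted(connections), "exp": now + 300}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header + '.' + body)}"

def verify(token, now=None):
    """Check signature and expiry; the algorithm is fixed here, never read from the header."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    if not hmac.compare_digest(sig.encode(), _sign(header + "." + body).encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= int(time.time() if now is None else now):
        raise PermissionError("token expired")
    return claims

def exchange(token, connection, now=None):
    """Vault side: release a downstream credential only for a connection the token names."""
    claims = verify(token, now)
    if connection not in claims["conn"]:
        raise PermissionError("connection not in token scope")
    return VAULT[connection]  # fetched per call; the agent never stores it
```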

[Diagram. AGENTS: AgentCore Copilot (authorization_code · user-delegated); n8n nightly sweep (client_credentials · machine). DESCOPE STS: Descope STS (auth · policy · token exchange); Policy Engine (enforced at every token issuance); Token Exchange (JWT → scoped connection token); Connections Vault (API keys · OAuth tokens · never in agent code). DOWNSTREAM: Internal Service (Descope Resource · JWT-protected); Loan API (API key via Connections); HubSpot (OAuth token via Connections). Edge labels: auth_code, client_credentials, API key, OAuth token. Legend: Token acquisition / resource token; Connections token → downstream credential.]
  1. AgentCore copilot, user-delegated: HubSpot, Slack, Loan API — fetched at runtime.
  2. n8n nightly sweep, machine identity: client_credentials. Rotate keys in one place.