← All terms Day 41 · AI Power Tools

define oauth-agent-identity --plain-english

Illustration for "OAuth / Agent Identity" — Day 41 of the Non-Technical Technical Dictionary

OAuth / Agent Identity

TLDR:A valet key for your accounts, not the master key.

You've done this a hundred times without thinking about it. You go to sign up for some new app, and instead of inventing yet another password, you click "Sign in with Google." A little screen pops up, asks if it's okay, you hit allow, and you're in. You never gave that app your Google password. You never typed it. And yet somehow it knows who you are.

That little dance is OAuth, and it's quietly one of the best ideas in software.

The thing it solves is trust between strangers.

Picture handing your car to a hotel valet. You don't hand over your whole keyring. You hand over the valet key, the one cut to do exactly one job: start the engine and move the car twenty feet. It won't open the glovebox where your registration lives. It won't pop the trunk. The valet does the one thing you allowed and physically cannot do the rest, even if they wanted to. You walk away relaxed because the key itself enforces the limit.

OAuth is the valet key for your accounts. When you click "Sign in with Google," here's what actually happens, in plain steps:

  1. The new app says "I'd like to know who this person is." It never asks for your password.

  2. Google steps in as the trusted middleman and asks you directly: "This app wants your name and email. Allow?"

  3. You say yes. Google hands the app a limited pass, not your password.

  4. The app uses that pass to do the few specific things you approved, and nothing else.

Your real login never leaves Google's hands. The app only ever holds a pass that says "this person let me do these specific things," and you can tear that pass up whenever you want.

That pass has a name, and it's worth knowing: a token.

Not the same kind of token from earlier (those are the LEGO bricks of language). This one is more like a backstage wristband. It proves you're allowed in, it says exactly which rooms you can enter, and the bouncer can cut it off your wrist the second you cause trouble. Three things baked into one little band:

  • Who you are. The app knows it's really you.
  • What you're allowed to touch. Read your calendar, sure. Delete your whole calendar, no.
  • For how long. Many of these expire on their own, so a forgotten pass doesn't stay live forever.

Now here's why this went from a nice convenience to a thing that genuinely matters: agents.

For most of this thread, the AI's key to the outside world has been the API key. One long secret string that says "this is me, charge it to my account, let it through." And an API key has a real problem hiding in it: it's all-or-nothing. Whoever holds it can do everything your account can do. There's no "read but don't delete." There's no "this channel but not billing." It's the master key to the whole house.

That was fine-ish when you were the only one holding it. It is not fine when you start handing keys to an AI that acts on your behalf, runs while you sleep, and can be confidently wrong mid-task. You do not want to give that thing your master password and walk away.

So instead, you give the agent its own identity: its own scoped pass, separate from yours. A pass cut to do precisely the job you hired it for and not one inch more. For example:

  • Read your calendar, but never delete an event.
  • Post to one specific channel, but never touch billing.
  • Pull last week's orders, but never refund them.
  • Draft an email, but never send without you.

Each of those is the valet key again. The agent literally cannot order off the part of the menu you didn't unlock. And the day it does something dumb? You revoke that one pass. The agent goes dark. Your password never changed, your other tools never noticed, the rest of the house stayed locked the whole time. You snipped one wristband, not the whole keyring.

Hold these two side by side, because this is the entire point:

  • An API key is one master key. Whoever holds it can do anything you can do. Lose it and you're changing every lock.
  • OAuth is a ring of valet keys. Limited, labeled, expiring, and revocable one at a time. Lose one and you snip that single key while everything else keeps working.

When you were the only one with the keys, all-or-nothing was a risk you could babysit. The moment something other than you is doing the work (overnight, at speed, unsupervised), you want the key itself to say no for you. A good valet key doesn't trust the valet. It just can't open the trunk.

Hand out valet keys. Never your house keys.