Traditional auth was built for predictable software: we designed flows, (hopefully) tested them, shipped them. AI agents work diferent. They’re open-ended, tool-using orchestrators behind a single text endpoint.
We don’t know which path they’ll take for a given input. We just know that they seem incredibly powerful, versatile and (un)reliable.
The quick fix is to give your agent broad, long-lived admin creds “just in case.” It’s the same thing new hires try: “make me an admin so I can do my job.” But in real organizations we don’t do that: we gate access, escalate rights carefully, and add process so one person can’t wipe production on day one.
With AI agents we drop that discipline. We hand a probabilistic machine the keys and hope it will only use what it needs. They’re fast, literal, and unpredictable, a combination makes them incredibly useful and incredibly dangerous.
The right unit of authorization for AI isn’t the agent. It’s the task.
Not all tasks are equal
Take GitHub MCP from your editor as an example. It can:
Commit (low risk, easy to revert).
Push to main (medium risk, affects everyone immediately).
Change branch protections / add collaborator (high risk, escalates permissions).
These are all “GitHub actions,” but they carry radically different risks. We can think about tasks in concrete terms: a verb, a resource, some bounds, and a time-to-live.
Each deserves its own scoped, short-lived authority. Github MCP will ask you to OAuth and give the agent access to ALL scopes ALL the time.
If I ask you to commit, you shouldn’t also be able to push. If I ask you to push, you shouldn’t be able to delete. And if I do ask you to delete, that power should extend only to that repo, and only for a few minutes.
Your agent shouldn’t walk around with standing credentials at all. It should assemble just enough permission for the task at hand then drop it.
Meet Wafers
Wafers are portable, layered capability tokens designed for this new world. Instead of giving an agent broad, standing credentials, you “bake” a wafer for a single task: scoped, time-bound, and cryptographically sealed.
Wafers also allow safe delegation. Each holder can narrow it further tightening the scope, shortening the lifetime, or constraining the actions.
An app can hand an agent a wafer trimmed down to exactly what’s needed: “commit this branch in the next 10 minutes.” When the request comes back, the service can verify the full chain of custody and enforce every constraint. No surprise escalations, no hidden standing privileges.
Because wafers are offline and auditable, they fit seamlessly into multi-agent workflows too. Each spawned agent gets only what it needs, nothing more, nothing longer.
If JWTs were made for users, wafers are made for agents. They bring least privilege, traceability, and safe delegation to a class of software that is powerful, unpredictable, and here to stay.
Wafers are open source with the first reference implementation in Go.
If you’re building systems where agents act on behalf of humans, this is your chance to help shape the next layer of the auth stack. Feedback, contributions, and experiments are all welcome.