Authentication

Atlassian Rovo's MCP server makes a precise security tradeoff visible: OAuth 2.1 handles identity and consent; API tokens handle non-interactive automation. Neither governs what agents can actually do at tool-call time. Here is what that gap looks like in practice.

Treating AI agents like service accounts is a useful starting point — but it fails at runtime. Here's why scoped tokens are necessary but not sufficient, and how runtime authorization fills the gap.

Microsoft Entra Agent ID and SD-JWT agent identity solve registration, governance, and authentication — but they don't decide whether a specific MCP tool call is permissible right now. This article explains the gap and the runtime authorization architecture needed to close it.

In April 2026, the NSA published 'Careful Adoption of Agentic AI Services' — the first intelligence-community advisory specifically targeting AI agent authorization failures. Here is what it actually demands and why most engineering teams are not close to meeting it.

OAuth 2.1 is the right foundation for MCP security, but most implementations stop one layer too early. This guide covers every spec-required piece: protected resource metadata, authorization server discovery, PKCE, dynamic client registration, resource indicators, and where fine-grained authorization picks up where OAuth ends.

Coding agents execute code, run commands, and call APIs — not just generate text. This guide covers the real security risks, why authorization must happen at the tool-call level, and how Permit.io and the Permit MCP Gateway enforce least-privilege access for agentic workflows.

AI agents acting across tools, APIs, and multi-agent pipelines raise hard questions about identity, authentication, and authorization. This article covers agentic identity (delegating human + workflow context + intent), agent interrogation, SPIFFE, OAuth token exchange, least privilege at runtime, and what audit actually means for agentic systems.

Explore best practices for authentication and authorization in API with clear, practical examples. Including a differentiation guide, and helpful code tips.

Explore the essential guide to OAuth Tokens. Learn about Access Tokens and Refresh Tokens for secure user authentication and authorization.

Explore JWT and OAuth distinct roles in web app security, how they work together, and their importance in modern web development.

Explore token-based authentication, its advantages over sessions, various token types, and the role of authorization tokens in security.

Top 5 trends in access control for 2024: passkey authentication, fine-grained authorization, policy as code, and more. Get ready to secure your application.

Everything you need to know on the principles of authentication and authorization in applications. Including a comparison table and real-world use cases.

Learn how to add RBAC Authorization to your Auth0 application with Permit.io. Implement authz with low code and ensure only the right users have access.