Consumer Apps Need Role-Based Access Control

Diving deeper into: Reed McGinley-Stempel, CEO of Stytch, on authentication for AI agents (interview)

"nearly every consumer app now has to support more granular role-based access control"

Analyzed 7 sources

Agent access turns consumer identity into a permissions problem, not just a login problem. Once an app lets ChatGPT, Claude, or a custom agent act for a user, it needs separate scopes for reading and writing, an approval step for sensitive actions, and a way to revoke a grant without locking out the user, much like Gmail deciding what Superhuman can touch. That is why consumer apps are starting to need the same authorization machinery that used to live mostly in B2B software.

  • The concrete workflow is delegated action. A user signs into an app, connects an agent over OAuth, sees a consent screen, and grants only the capabilities they choose. Stytch packages that with Connected Apps so a product can become its own OAuth provider without rebuilding its core auth stack.
  • This is different from classic consumer auth, where one logged-in person usually had one broad permission set. With agents, the app has to distinguish between the human account owner and one or more delegated actors, each with narrower scopes, its own audit trail, and sometimes a human confirmation step before sensitive writes.
  • The market implication is that customer identity vendors move up the stack. Stytch now sells not only sign-in, but also delegation, consent UI, org policy controls, and agent management. WorkOS is pushing adjacent enterprise-ready infrastructure, while MCP itself is standardizing OAuth-based authorization rails that make these controls a baseline requirement for many integrations.
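To make the delegated-action model above concrete, here is an added example (not Stytch's code or any vendor's API) of the policy a consumer app would sit behind its agent endpoints: the human owner keeps the broad permission set, each connected agent holds a grant cut down on the consent screen to the intersection of what it asked for and what the owner approved, sensitive writes return a "needs confirmation" decision until the owner approves that call, revocation takes effect immediately, and every decision is logged with both the subject and the acting agent. The action names, scope names, and sample grants are all constructed for illustration.

```python
"""Delegated-actor authorization for agent access to a consumer app.

Added example, not code from Stytch, Connected Apps, or MCP. The scope
names, actions, and grants below are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_CONFIRMATION = "needs_confirmation"


# Hypothetical action -> required scope map for a mail-style consumer app.
REQUIRED_SCOPE: Dict[str, str] = {
    "messages:read": "mail.read",
    "messages:send": "mail.send",
    "contacts:export": "contacts.export",
    "account:delete": "account.admin",
}

# Writes an agent may only perform once the owner has confirmed that call
# (the approval loop for sensitive actions).
CONFIRMATION_REQUIRED = {"messages:send", "contacts:export"}

# Scopes the consent screen never delegates, however much the agent asks for.
OWNER_ONLY_SCOPES = {"account.admin"}


@dataclass
class Grant:
    """Who is acting, and on whose behalf.

    actor is None when the human owner calls the API directly; otherwise it is
    the OAuth client id of the connected agent holding a narrower scope set.
    """
    subject: str
    actor: Optional[str]
    scopes: FrozenSet[str]
    revoked: bool = False


@dataclass
class AuditEvent:
    subject: str
    actor: Optional[str]
    action: str
    decision: Decision
    reason: str


class DelegationPolicy:
    def __init__(self) -> None:
        self.audit: List[AuditEvent] = []

    def consent(self, owner: str, agent_id: str,
                requested: FrozenSet[str], approved: FrozenSet[str]) -> Grant:
        """Mint an agent grant from a consent screen.

        The agent receives only what it requested AND the owner approved,
        minus scopes that are never delegable. Over-asking buys it nothing.
        """
        effective = (requested & approved) - OWNER_ONLY_SCOPES
        return Grant(subject=owner, actor=agent_id, scopes=frozenset(effective))

    def revoke(self, grant: Grant) -> None:
        # Revocation is a flag on the grant, so it applies to the next call.
        grant.revoked = True

    def authorize(self, grant: Grant, action: str, confirmed: bool = False) -> Decision:
        """Decide one call and record it, including which agent acted."""
        decision, reason = self._evaluate(grant, action, confirmed)
        self.audit.append(AuditEvent(grant.subject, grant.actor, action, decision, reason))
        return decision

    def _evaluate(self, grant: Grant, action: str, confirmed: bool) -> Tuple[Decision, str]:
        scope = REQUIRED_SCOPE.get(action)
        if scope is None:
            return Decision.DENY, "unknown action"
        if grant.actor is None:
            # The human account owner keeps the classic broad permission set.
            return Decision.ALLOW, "account owner"
        if grant.revoked:
            return Decision.DENY, "grant revoked"
        if scope not in grant.scopes:
            return Decision.DENY, "missing scope " + scope
        if action in CONFIRMATION_REQUIRED and not confirmed:
            return Decision.NEEDS_CONFIRMATION, "sensitive write awaits owner approval"
        return Decision.ALLOW, "delegated"


if __name__ == "__main__":
    policy = DelegationPolicy()
    owner = Grant("user-1", None, frozenset())
    agent = policy.consent("user-1", "agent-abc",
                           requested=frozenset({"mail.read", "mail.send", "account.admin"}),
                           approved=frozenset({"mail.read", "mail.send", "account.admin"}))
    print("agent scopes:", sorted(agent.scopes))
    print(policy.authorize(owner, "account:delete"))
    print(policy.authorize(agent, "messages:send"))
    print(policy.authorize(agent, "messages:send", confirmed=True))
    policy.revoke(agent)
    print(policy.authorize(agent, "messages:read"))
    for e in policy.audit:
        print(e)
```

The two design points worth carrying into a real implementation are that the consent step narrows the grant before any token is issued, so the agent can never hold more than the owner ticked, and that the confirmation gate is a third decision rather than a deny, which lets the app park the call and resume it after the owner approves instead of making the agent retry blindly.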

The next step is consumer apps exposing more of their product through agent-friendly interfaces and tightening permissions around every action. As read access expands into write access, role models will get finer-grained, approval loops will become standard, and identity platforms that can manage human and agent behavior together will capture a larger share of application infrastructure spend.