Agents Turn Consumer Identity Into Authorization
Reed McGinley-Stempel, CEO of Stytch, on authentication for AI agents
Agents turn consumer identity into an authorization problem, not just a login problem. Before agents, most consumer apps only needed to know that a person had signed in, because the person clicked through the app directly. Once an agent can read messages, create orders, edit settings, or trigger payments, the app needs Google style consent logic, fine grained scopes, revocation, and audit trails for actions taken on someone else’s behalf.
-
That is why agent identity looks more like B2B software than classic consumer auth. In B2B, vendors already manage admin versus support versus developer access. Stytch argues agents bring that same role logic into consumer apps, because a user and that user’s agent should not automatically have identical powers.
-
The concrete workflow is the familiar Google and Calendly pattern, applied everywhere. A user grants an app or agent permission to read some data, write some data, and ask for approval on sensitive actions. Stytch built Connected Apps to let customer apps become OAuth identity providers with consent screens and auditability without rebuilding auth from scratch.
-
This also explains why Stytch pairs permissioning with agent detection. Cloudflare’s Signed Agents and Web Bot Auth use cryptographic signatures so websites can recognize legitimate delegated agents, while Stytch combines that with fingerprinting for unsanctioned automation. The market is moving toward explicit allow, deny, and step up rules for agent traffic, not a simple human versus bot split.
The next step is that consumer apps will increasingly expose the same delegated access controls that enterprise software built years ago. Identity vendors that can package login, consent, scoped permissions, and trusted agent verification into one developer workflow will become core infrastructure for the agent internet.