The trust layer
for the agent economy.
The identity and access platform for AI agents.
- Connect any agent to any system.
- Observe every call.
- Enforce any rule.
<0s
token revocation
One
chokepoint. Every agent, every service.
Zero
raw credentials exposed
Nine
live proofs in the demo
Works with your agent stack
0%
of organizations have reported an AI-agent-related security event
Industry survey 2025-2026
0%
of agents have dedicated credentials (the rest borrow human tokens)
IDC 2024
1.3B
enterprise AI agents projected by 2028
IDC Worldwide AI Agents Forecast
The agentic
identity crisis
When the first AI agents needed to call an API, engineers did what they always do: grabbed an API key from the environment, or borrowed an OAuth token from the user who triggered the workflow.
That was the original sin of agent security.
CREDENTIAL SPRAWL
One agent, 37 API keys, none expiring for 90 days. It was created for a one-hour task three months ago.
Fidea: Ephemeral, task-scoped tokens
INVISIBLE DELEGATION
Agent A calls Agent B, which calls Agent C, which accesses your payment system. Nobody approved that chain.
Fidea: Explicit delegation chains with audit
NO KILL SWITCH
You revoke the agent's token. But the 12 sub-agents it spawned still have active credentials.
Fidea: Cascading revocation in <50ms
4 of 8 dimensions are critical gaps
Why traditional IAM
was never designed for this
The gap between human identity and machine trust is not a feature request. It's a design flaw.
| HUMAN USER | AI AGENT | ||
|---|---|---|---|
| Authentication | Once, at login | Continuous, per-action | |
| Session duration | Hours | Milliseconds to weeks | |
| Delegation model | Explicit consent | Automatic, chain-based | |
| Credential lifecycle | Long-lived, renewable | Should be ephemeral, task-scoped | |
| Identity source | Corporate directory | Created programmatically | |
| Revocation speed needed | Hours (acceptable) | Milliseconds (critical) | |
| Audit granularity | Session-level | Action-level | |
| Spawn behavior | Never | Frequently, recursively |
Real-world failure scenarios
01 — RECURSIVE DELEGATION
Support agent calls a fulfillment agent, which calls a logistics API. Three levels of delegation, all using the original human's OAuth token. The logistics API has no idea an AI is involved.
Impact: Payment system exposed
Fidea fixes this02 — CREDENTIAL HOARDING
A coding assistant accumulates 43 active OAuth tokens across 12 services over six months. Its service account has more production access than any individual engineer. Nobody can enumerate the tokens.
Impact: 43 tokens, zero visibility
Fidea fixes this03 — PHANTOM AGENTS
A test agent spawns sub-agents over the weekend. By Monday, seven autonomous processes are running under a single identity, all with database access, none of them intentional.
Impact: 7 rogue processes by Monday
Fidea fixes thisThe trust layer
Four primitives. One infrastructure. Zero inherited credentials.
01
IDENTITY
Every agent gets a cryptographic identity. Not a borrowed human credential. Not a shared service account. Its own identity, issued at creation, revocable in milliseconds.
02
SCOPING
Credentials are scoped to exactly the task, the API, and the time window required. A token issued for "read order #4521" cannot access order #4522.
03
DELEGATION
When Agent A spawns Agent B, the delegation is explicit, recorded, and scoped. B inherits a subset of A's permissions, never the full set.
04
REVOCATION
Any credential, any agent, any delegation chain — revoked in milliseconds. Not hours. Not "after the token expires." The kill switch works at machine speed.
How they compose
Identity: Agent receives unique ID
Scoping: Token scoped to task + API + time
Rules: Deny by default, allow by policy
Delegation: Agent never sees raw credential
Audit Service observes every step — cryptographic chain
Your agents never see raw credentials.
The credential proxy sits between agents and the APIs they access. When an agent needs to call Stripe, it doesn't receive a Stripe API key. It receives a scoped, ephemeral Fidea token. The proxy translates that token into the real credential at the gateway.
A compromised agent has nothing to steal. No credential to exfiltrate, no key to copy, no secret to leak. The blast radius is bounded by the scope and lifetime of its Fidea token.
0
secrets in agent memory
<50ms
revocation latency
100%
audit coverage
The question every CTO should be asking
If an agent goes rogue
at 3am on a Saturday,
how fast can you shut it down?
Within seconds. Every credential revoked, every sub-agent killed, every delegation chain terminated.
You're rotating API keys by hand while the agent keeps running on borrowed credentials.
Six services, one trust layer
The platform
Purpose-built services for the complete lifecycle of agent trust — from identity issuance to credential management to real-time monitoring.
AVAILABLE NOW
Agent Registry
Identity, metadata, lifecycle management, instant kill switch.
Token Issuer
OAuth 2.1 + PKCE, opaque tokens, on-behalf-of delegation, task-scoped.
Credential Proxy
Gateway-mode enforcement. Agents never see raw credentials. Sensitive data in outbound request bodies is redacted before it reaches the upstream.
Policy Engine
Embedded rules. Deny by default. Scope-aware. Time-windowed access.
Audit Service
Append-only cryptographic chain. Tamper-evident. Complete delegation trail.
Python SDK + CLI
pip install fidea. Three lines to authenticate. Core API coverage.
COMING NEXT
Agent SOC
Real-time anomaly detection, behavior baselines, threat response for AI agents.
2026
Agent DAST
Automated discovery of permission escalation paths and credential exposure in agent workflows.
2026
Federation
Cross-organization agent trust with verifiable identity and scoped delegation.
Exploring
Authorize once. Control everything.
The OAuth Broker
Your agents talk to Slack, GitHub, and Stripe. Today, each holds its own credentials. Fidea holds them all — and controls what every agent can do.
1
consent flow per service
Instant
per-agent revocation
0
credentials in agent memory
Scope Narrowing
The real OAuth token has broad permissions. Fidea’s policy engine narrows what each agent can actually do. Read+write becomes read-only.
Cross-Agent Sharing
Five agents need Slack access? One user consent. Each agent gets its own scoped token through policy — no five separate OAuth flows.
Token Lifecycle
Agents never handle refresh tokens. Kill one agent’s access — the others keep working. The underlying OAuth connection stays intact.
Developer Experience
Three lines.
That's it.
From zero to authenticated agent in under five minutes. No config files, no ceremony, no credential management.
Install
One package. Zero config.
pip install fidea
Authenticate
Three lines to get a scoped token.
client = FideaClient(agent_id="...") task = client.start_task(...) token = task.request_token(scope="db:read:customers.*")
Call APIs
Agent never sees the real credential.
result = task.query("cloudsql:support-db", "SELECT 1")Developer Resources
SDK Reference
Full Python SDK docs. Types, methods, error handling.
View docs →CLI Tool
fidea-cli for local dev and CI/CD integration.
Install CLI →API Reference
OpenAPI 3.1 spec. Every endpoint, every parameter.
Browse API →Architecture Guide
How the components fit together. Sequence diagrams.
Read guide →Example Agents
Six examples from simple to multi-delegation chain.
See examples →GitHub
Apache-2.0 license. Contribute, fork, or read the source.
View repo →Technical reference
Deep dives
The architecture behind every security claim we make.
Fidea's token issuance follows OAuth 2.1 with PKCE, adapted for machine-to-machine authentication. The Token Issuer validates the agent's identity against the Agent Registry, evaluates scopes against the Policy Engine, and issues an opaque token — not a JWT.
Opaque tokens have no embedded claims, which means they cannot be decoded, forwarded, or replayed. Every validation requires a round-trip to the issuer, enabling instant revocation. Tokens are scoped to a specific task, API permissions, and time window.
token = agent.authenticate(
task_id="order-4521",
scopes=["orders:read"],
ttl=300 # 5 minutes
)Opaque tokens prevent token forwarding attacks. A compromised sub-agent cannot decode or reuse a parent's token.
The Credential Proxy operates as a gateway between agents and external APIs. It validates the token, checks scope, retrieves the real credential from the secret store, injects it into the outgoing request, and forwards it to the target API.
The response passes back through the proxy, stripping any credential information. The agent never sees, handles, or stores the real API credential.
response = agent.proxy.get(
"https://api.stripe.com/v1/charges",
params={"limit": 1}
)If an agent is compromised, the attacker gets an opaque token with a 5-minute TTL and read-only scope. They do not get the Stripe API key.
When Agent A spawns Agent B, it uses the on-behalf-of (OBO) flow. B receives its own identity and token, scoped to a subset of A's permissions. If B spawns C, the same narrowing applies.
Every delegation event is recorded in the Audit Service with cryptographic linking — each event references the hash of the previous, forming a tamper-evident chain. Delegation depth can be limited by policy.
child = agent.spawn(
name="shipping-checker",
scopes=["shipping:read"],
max_depth=2
)Every sub-agent is explicitly created, identity-linked to its parent, and revocable by revoking any ancestor.
Every significant event — agent creation, token issuance, credential access, delegation, revocation — is recorded with the event type, agent identity, scopes, timestamp, and the SHA-256 hash of the previous entry.
Cryptographic linking means any tampering breaks the chain and is immediately detectable. The chain is append-only: entries cannot be modified or deleted.
trail = fidea.audit.query(
agent_id="agent-abc123",
event_types=["token.issued", "api.accessed"],
since="2026-01-01T00:00:00Z"
)Same cryptographic linking principle as blockchain — without the consensus overhead. A verifiable log, not a distributed ledger.
The Policy Engine evaluates every token request against rules. Default: deny-all. Policies match on agent identity, requested scopes, time of day, delegation depth, and target API.
The kill switch is a global override: when activated, it immediately invalidates all tokens for that agent and all descendants, regardless of TTL. Policy evaluation happens at issuance time, keeping proxy latency low.
fidea.policy.create(
name="billing-hours-only",
match={"scopes": ["billing:*"]},
conditions={
"time_window": "09:00-17:00 UTC",
"max_delegation_depth": 1
},
effect="allow"
)Kill switch propagates in under 100ms globally. It invalidates at the validation layer — the next proxy check fails immediately.
Ready to build with these primitives?
Request a sandboxNOW
- Cryptographic Identity
- Scoped Credentials
- Credential Proxy
- Outbound Data Redaction
- Audit Chain
- Instant Kill Switch
- OAuth Token Brokering
NEXT
- Multi-Provider Integration
- Cross-Agent Token Sharing
- Agent SOC
- Compliance Reporting
FUTURE
- Cross-Org Federation
- Intent-Based Access
- Agent Marketplace Trust
- Autonomous Governance
The agent economy
won't wait for you
to catch up.
Every week, another team discovers their agents have been running on borrowed credentials. The ones who act first set the standard.
No credit card required · SOC 2 coming · Apache-2.0 licensed