This article was originally published on LinkedIn.
Table of contents
Open Table of contents
The Problem Nobody Is Talking About Yet
AI agents are getting powerful fast.
They can write code, manage infrastructure, modify policies, disable users - and typically do so under a single authenticated session.
That means:
- They authenticate once… and then act freely.
We spent years improving human authentication:
- Passkeys replaced passwords
- FIDO2 enabled phishing-resistant login
Then we handed that access to agents with standing privilege.
That’s not progress. That’s a regression.
Just-In-Time Authorization with Passkeys
Just-In-Time (JIT) Authorization is based on a simple principle: do not grant standing access - require approval at the moment of action.
We applied this directly to AI agents.
When an agent attempts a sensitive operation, something different happens:
- The workflow pauses
- A fresh authorization is required
- The user approves using a device-bound Passkey
The action proceeds only after verification, producing a cryptographic proof of human intent bound to that exact operation.
This shifts the model from session-based trust to action-level verification. It is no longer enough that a user authenticated earlier - each sensitive action requires explicit, real-time approval.
How It Works in Practice
This model combines a policy engine, the agent runtime, and Passkeys based on WebAuthn.
A policy evaluates each action and determines whether step-up authorization is required. When it is, the agent workflow pauses and a WebAuthn challenge is issued. The user is prompted directly in the terminal, approves the request, and the authenticator generates a signed assertion using a private key that never leaves the device. Once verified, the action continues.
From the user’s perspective, the experience is simple:
- No browser redirects
- No codes to copy
- No context switching
Everything happens inline, inside the CLI.
From a security perspective, the guarantees are stronger than traditional MFA:
- Phishing-resistant by design
- Device-bound credentials
- Challenge-based, non-replayable assertions
Each approval is unique, verifiable, and tied to a specific action.
A New Model for Agent Security
What emerges is a different approach to authorization - one where access is not assumed, but explicitly granted at the moment it is needed.
We call this Agent Native Authorization.
The principle is straightforward:
- Agents should not operate with standing privilege.
- They should operate with verified, moment-in-time human approval.
This model applies regardless of how the agent is implemented. Whether it runs through MCP, inside a CLI, or via direct API calls, the same pattern holds:
- A sensitive action requires a cryptographically verifiable human decision
Built on open standards such as Passkeys (WebAuthn/FIDO2), OAuth, OpenID, and MCP, this approach is composable and extensible.
As AI agents become more capable, authorization needs to evolve with them. Moving from session-based trust to action-based verification ensures that every critical operation is not just allowed - but explicitly and provably approved.
Deep Dive into the Live Demo with Claude Code
This architecture was implemented in a working prototype using our AuthZEN MCP Gateway and our MCP App Layer (First-Party MCP Layer), which enforces authorization decisions based on policies defined in the AuthZEN Policy Decision Point.
Our custom Keycloak IAM extension enables native Passkey support and integrates with the structured elicitation flow to enforce Just-In-Time (JIT) authorization.
In the demo, an AI agent attempts to perform a protected administrative action. The gateway evaluates the request and determines that the operation requires additional authorization. At that point, the workflow is paused and a Just-In-Time verification step is triggered using device-bound Passkeys.
Behind the scenes, a Claude Code hook handles this interaction. It detects a structured elicitation message from the MCP layer, based on information defined by the Identity Provider, extracts the WebAuthn challenge, and invokes a local script to request approval from the user’s authenticator. The user is prompted directly in the terminal to approve the action, and the Passkey generates a signed assertion on-device.
Once the assertion is returned and verified, the workflow resumes and the action proceeds.
This integration allows the entire approval flow to happen inline within the CLI, without exposing credentials, without browser redirects, and without breaking the agent’s execution model.
Looking Ahead
AI agents are rapidly becoming part of everyday developer workflows. As their autonomy increases, the security models around them need to evolve accordingly.
Just-In-Time authorization, powered by device-bound Passkeys, introduces a way to enforce meaningful control without sacrificing the usability that makes these tools effective.
By combining Passkeys, open standards, human verification, and cryptographic proof, it becomes possible to design agent workflows that are both autonomous and accountable by design.
If you are working on secure AI agents, MCP infrastructure, Zero Trust architectures, or authorization frameworks like AuthZEN, I would welcome the opportunity to connect and exchange ideas.