> ## Documentation Index
> Fetch the complete documentation index at: https://docs.usechar.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Identity Modes

> User-scoped, agent identity, or hybrid

<Note>
  **Private Beta** — [Contact us](mailto:alex@mcp-b.ai?subject=Autonomous%20Char) to get set up.
</Note>

Autonomous execution raises a question: *whose identity does the agent use?*

The identity determines what the agent can access—both browser-based applications (via token injection) and remote MCP servers (via [ID-JAG](/reference/remote-mcp-auth) token exchange). Three models are supported.

## User-scoped execution

The agent acts as a specific user. Their identity, their permissions, their audit trail—just without them present.

```mermaid theme={null}
sequenceDiagram
    participant Agent as Autonomous Char
    participant IDP as Your IDP
    participant Browser as Browser Tabs
    participant MCP as Remote MCP Servers

    Agent->>IDP: Token exchange (as user)
    IDP-->>Agent: User-scoped token
    Agent->>Browser: Inject credentials
    Agent->>MCP: ID-JAG (user identity)
    Note over Browser,MCP: Acts as the user everywhere
```

This is [session inheritance](/explanation/session-inheritance) extended to unattended execution. The agent can only do what the user could do—in browser applications and in remote MCP servers. Audit logs show the user as the actor.

**When to use it:**

* Tasks the user would do themselves, just automated
* Accessing resources the user already has permission for
* When accountability should trace back to a specific person

**The tradeoff:** The user's permissions must cover everything the agent needs—both browser access and MCP server access. If the agent needs access the user doesn't have, you either grant the user broader permissions (security risk) or the task fails.

## Agent identity

The agent has its own identity in your IDP—a service principal, workload identity, or machine account registered specifically for this agent.

```mermaid theme={null}
sequenceDiagram
    participant Agent as Autonomous Char
    participant IDP as Your IDP
    participant Browser as Browser Tabs
    participant MCP as Remote MCP Servers

    Agent->>IDP: Authenticate as agent
    IDP-->>Agent: Agent credentials
    Agent->>Browser: Inject credentials
    Agent->>MCP: ID-JAG (agent identity)
    Note over Browser,MCP: Acts as the agent everywhere
```

The agent authenticates as itself, not as a user. It has its own permissions for browser applications, its own role assignments for MCP servers, its own audit trail. When it acts, the logs show the agent as the actor.

**When to use it:**

* Agents that need permissions no single user should have
* Cross-functional workflows spanning multiple users' domains
* When the agent's decisions are its own, not a user's automation
* Compliance scenarios requiring clear human/agent separation

**The tradeoff:** You need to provision and manage agent identities in your IDP. The agent needs its own role assignments for both browser apps and MCP servers. This is more infrastructure, but cleaner accountability.

## Hybrid: Agent acting on behalf of user

There's a middle ground. The agent has its own identity, but the token also preserves who authorized it. This uses the `act` (actor) claim pattern from [RFC 8693 Token Exchange](https://datatracker.ietf.org/doc/html/rfc8693):

```json theme={null}
{
  "sub": "user-123",           // Who the data belongs to
  "act": {
    "sub": "agent-456"         // Who decided to act
  }
}
```

The `sub` is the user—their permissions apply (for both browser apps and MCP servers). The `act` is the agent—visible in audit logs. This separates "whose authority is being used" from "who made the decision to use it."

```mermaid theme={null}
sequenceDiagram
    participant Agent as Autonomous Char
    participant IDP as Your IDP
    participant Browser as Browser Tabs
    participant MCP as Remote MCP Servers

    Agent->>IDP: Token exchange (OBO)
    IDP-->>Agent: Token with act claim
    Agent->>Browser: Inject credentials
    Agent->>MCP: ID-JAG (user + agent)
    Note over Browser,MCP: User's access, agent's attribution
```

**When to use it:**

* When you need user-scoped permissions but agent-attributed actions
* Compliance scenarios that require distinguishing human actions from agent actions
* Multi-agent workflows where you need to track which agent did what

This is what Microsoft Entra's [Agent ID OBO flow](https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/agent-identities) implements, and what standards-based token exchange enables.

## Choosing between them

| Consideration      | User-scoped       | Hybrid (OBO)                        | Agent identity       |
| ------------------ | ----------------- | ----------------------------------- | -------------------- |
| **Permissions**    | User's access     | User's access                       | Agent's own roles    |
| **Audit trail**    | "User did X"      | "Agent did X (as user)"             | "Agent did X"        |
| **Accountability** | User              | User authorized, agent acted        | Agent (and sponsor)  |
| **IDP setup**      | Token exchange    | Token exchange + agent registration | Agent registration   |
| **Best for**       | Simple automation | Attributed automation               | Autonomous decisions |

Many organizations start with user-scoped execution for simple automation, move to hybrid OBO when they need attribution, then to full agent identities as agents become truly autonomous.

## Further reading

* [Explaining OAuth Delegation, OBO, and Agent Identity](https://blog.christianposta.com/explaining-oauth-delegation-on-behalf-of-and-agent-identity-for-ai-agents/) — Christian Posta on how token exchange works for agents
* [Agent Identity: Impersonation or Delegation?](https://blog.christianposta.com/agent-identity-impersonation-or-delegation/) — The accountability tradeoffs
* [What Kind of Identity Should Your AI Agent Have?](https://aembit.io/blog/what-kind-of-identity-should-your-ai-agent-have/) — Aembit's analysis of identity options
* [Agent Identities in Microsoft Entra](https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/agent-identities) — Microsoft's approach to agent identity
* [Identity 101 for AI Agents](https://www.secureauth.com/agentic-ai/white-paper-identity-101-for-ai-agents/) — SecureAuth whitepaper on the fundamentals
