When an AI agent calls your API with a user's credentials, your logs say the user did it. That small lie compounds into real problems: support can't tell a runaway loop from a customer, security can't write policies that treat agents differently from humans, and when something goes wrong, nobody can prove who — or what — acted. The fix is to stop conflating two identities that were never the same thing.
Users have identity; agents have delegation
A user identity answers "who is this person?" — established with proofs like email, phone, a wallet signature or KYC, and it changes rarely. An agent is different in kind: it is software, it may be one of dozens the same person runs, it can be cloned or go rogue, and its lifetime might be a single task. An agent should therefore never own the user's identity; it should carry a delegation: a time-boxed, scoped grant that says "this principal acts for that human, within these limits."
What a delegation must encode
- The human anchor — which verified person stands behind the agent, and at what proof level. This is what lets a vendor apply its own risk bar (a mailer may accept email proof; a bank may require email + SMS + wallet + KYC).
- Scope — which vendors or categories the agent may touch. Pre-authorization beats per-action approval: the human decides once, calmly, instead of being consent-fatigued into clicking "allow" forever.
- Budget — a spend cap (Notlogin denominates in USDC, metered via x402) so the worst-case cost of a compromised or buggy agent is a number chosen in advance.
- Expiry and revocation — delegations end by default and can be killed instantly. Every copy of a credential carries the same stable nonce, so one revocation call keyed on that nonce invalidates all of them. The caveat is that a signature alone cannot tell a revoked copy from a live one: the vendor must check the broker's revocation state on each use, not just at the first.
Why this needs cryptography, not a database row
Inside one company, delegation can be a row in your own auth system. Across company boundaries — an agent from anywhere showing up at a vendor it has never met — no shared database exists. The delegation has to be portable and self-proving: a credential signed by a broker both sides trust, verifiable against published public keys, optionally co-signed by the user's wallet (EIP-712) and anchored on-chain for independent verification. The vendor checks a signature, not a session; see what an auth broker does for the full flow.
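As an added example (not Notlogin's SDK or wire format), the issue-and-verify flow the two sections above describe, written in Go against the standard library's Ed25519: a broker signs a delegation carrying the human anchor, proof level, scope, budget, expiry and a stable nonce; a vendor that has never met the agent verifies the signature against the broker's published public key, then applies its own risk bar, revocation state and spend meter. The field names, proof-level scale and budget unit are assumptions of the example, and the optional wallet co-signature and on-chain anchor are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Delegation is the statement the broker signs. Field names and the
// proof-level scale are this example's assumptions, not a published format.
type Delegation struct {
	Nonce      string   `json:"nonce"`       // stable per credential; revoking it kills every copy
	Agent      string   `json:"agent"`       // the software principal acting
	Human      string   `json:"human"`       // the verified person standing behind it
	ProofLevel int      `json:"proof_level"` // 1 email, 2 +phone, 3 +wallet, 4 +KYC (assumed scale)
	Scope      []string `json:"scope"`       // vendors or categories the agent may touch
	BudgetUSDC int64    `json:"budget_usdc"` // spend cap in USDC cents (assumed unit)
	ExpiresAt  int64    `json:"expires_at"`  // unix seconds; delegations end by default
}

// Credential is what the agent carries across the company boundary:
// the encoded delegation plus the broker's signature over exactly those bytes.
type Credential struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Issue is the broker side: encode once, sign the encoded bytes.
func Issue(brokerKey ed25519.PrivateKey, d Delegation) (Credential, error) {
	payload, err := json.Marshal(d)
	if err != nil {
		return Credential{}, err
	}
	return Credential{Payload: payload, Signature: ed25519.Sign(brokerKey, payload)}, nil
}

// Vendor holds what a relying party needs: the broker's public key, its own
// risk bar, and local revocation and spend state keyed by delegation nonce.
type Vendor struct {
	Name     string
	BrokerPK ed25519.PublicKey
	MinProof int
	Revoked  map[string]bool
	Spent    map[string]int64
}

func NewVendor(name string, brokerPK ed25519.PublicKey, minProof int) *Vendor {
	return &Vendor{Name: name, BrokerPK: brokerPK, MinProof: minProof,
		Revoked: map[string]bool{}, Spent: map[string]int64{}}
}

var (
	ErrBadSignature = errors.New("signature does not verify against broker key")
	ErrExpired      = errors.New("delegation expired")
	ErrRevoked      = errors.New("delegation revoked")
	ErrScope        = errors.New("vendor not in delegation scope")
	ErrProofLevel   = errors.New("human proof level below vendor bar")
	ErrBudget       = errors.New("charge would exceed delegation budget")
)

// Authorize checks in the order a vendor should: signature first (nothing in
// the payload is trustworthy until it passes), then expiry, revocation, scope,
// proof level, and last the budget, which is debited only on success.
func (v *Vendor) Authorize(c Credential, cost int64, now time.Time) (*Delegation, error) {
	if !ed25519.Verify(v.BrokerPK, c.Payload, c.Signature) {
		return nil, ErrBadSignature
	}
	var d Delegation
	if err := json.Unmarshal(c.Payload, &d); err != nil {
		return nil, err
	}
	if now.Unix() >= d.ExpiresAt {
		return nil, ErrExpired
	}
	if v.Revoked[d.Nonce] {
		return nil, ErrRevoked
	}
	if !inScope(d.Scope, v.Name) {
		return nil, ErrScope
	}
	if d.ProofLevel < v.MinProof {
		return nil, ErrProofLevel
	}
	if v.Spent[d.Nonce]+cost > d.BudgetUSDC {
		return nil, ErrBudget
	}
	v.Spent[d.Nonce] += cost
	return &d, nil
}

func inScope(scope []string, vendor string) bool {
	for _, s := range scope {
		if s == vendor {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	cred, _ := Issue(priv, Delegation{Nonce: "dlg-01", Agent: "agent-7", Human: "user-42",
		ProofLevel: 2, Scope: []string{"mailer"}, BudgetUSDC: 500, ExpiresAt: now.Add(time.Hour).Unix()})
	mailer, bank := NewVendor("mailer", pub, 1), NewVendor("bank", pub, 4)
	_, err := mailer.Authorize(cred, 200, now)
	fmt.Println("mailer:", err) // <nil>
	_, err = bank.Authorize(cred, 1, now)
	fmt.Println("bank:", err) // vendor not in delegation scope
	mailer.Revoked["dlg-01"] = true
	_, err = mailer.Authorize(cred, 1, now)
	fmt.Println("after revocation:", err) // delegation revoked
}
```

The audit record the last section asks for falls out of the returned Delegation: agent, nonce, human and proof level are all in the signed payload, so the vendor logs what was cryptographically asserted rather than what a session claimed. The spend meter lives on the vendor side per nonce; a broker that meters centrally (as the page describes with x402) would replace that map with its own accounting.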
What vendors gain from splitting the identities
Clean separation turns agent traffic from a threat into a segment. You can price agent tiers differently, rate-limit them sanely, offer them machine-readable onboarding (an auth.md contract instead of a signup form), and answer audits with cryptographic evidence: this action was taken by agent X, under delegation Y, for verified human Z, within budget. That is a better story than most purely human authentication can tell — and it is a five-line SDK integration away.