AgentScope — Dynamic Least-Privilege Engine for AI Agents

AI agents get OAuth scopes once and keep them forever. AgentScope monitors permissions agents actually use vs what they have surfacing a least-privilege score, heatmap,anomaly detection * CIBA

Comment

Bonus Blog Post

3 Things We Learned About AI Agent Permission Creep — And How Token Vault Changes Everything

When we started building AgentScope for the "Authorized to Act" hackathon, we thought the hard problem was getting AI agents to call GitHub APIs securely. We were wrong. The hard problem is what happens after you grant access.

1. Agents Accumulate Permissions Like Employees — But Nobody Audits Them

In enterprise security, employees go through periodic access reviews. Unused permissions get revoked. Departing employees get deprovisioned. But AI agents? They get OAuth scopes once and keep them forever.

We built a GitHub agent with repo scope — the standard approach. But when we instrumented every Token Vault token exchange, we discovered something uncomfortable: our agent only ever used issues:read and repo:read. It never touched delete_repo, repo:write, or half the other scopes bundled into the repo permission. The agent was massively over-privileged, and without active monitoring, nobody would have noticed.

This is OWASP LLM08 (Excessive Agency) in action — not because of a misconfiguration, but because OAuth scopes are coarse-grained and agents rarely need everything they're granted.

2. Token Vault + CIBA Together Enable Dynamic Least-Privilege

Static scoping isn't enough. An agent's needs change depending on the task. Reading issues requires different permissions than creating a pull request.

We combined Auth0 Token Vault with CIBA (Client-Initiated Backchannel Authentication) to create what we call "adaptive authorization." Token Vault manages the credential lifecycle — the agent never stores or sees raw tokens. But here's the key insight: when our Permission Engine detects the agent trying to use a scope it has never exercised before, we don't just log it. We trigger CIBA step-up authentication, sending a push notification to the user: "Your agent wants to use write permissions for the first time. Approve?"

This transforms authorization from a one-time checkbox into a continuous, context-aware decision. The user stays in control without being overwhelmed — they only get prompted when something genuinely new happens.

3. The Biggest Risk Isn't Stolen Tokens — It's Over-Scoped Agents Doing Valid But Unintended Things

Security teams focus on token theft and credential leakage. Token Vault already solves that beautifully — tokens are exchanged per-call, short-lived, and never stored in the application.

But the subtler risk is an agent with valid credentials doing something the user didn't intend. A prompt injection could make an agent with repo scope delete a repository using a perfectly valid, non-stolen token. The token isn't compromised — the intent is.

Our AgentScope dashboard addresses this by tracking behavioral baselines. If an agent has spent 50 API calls reading issues and suddenly tries to delete a repo, that's an anomaly worth flagging — even though the token technically allows it. We surface a "Least-Privilege Score" (used scopes / granted scopes) that gives users an at-a-glance measure of how over-privileged their agent is. In our testing, a typical agent uses only 25-35% of its granted scopes.

Why Existing Approaches Fall Short

Most AI agent frameworks treat authorization as a one-time gate. OpenAI's function calling lets you restrict which tools an agent can use, but once a tool is allowed, every invocation is treated equally — there's no distinction between a routine read and a suspicious first-time write. Capability-based security models (like UCAN or Macaroons) improve on this by enabling delegation chains, but they don't adapt based on runtime behavior.

Token Vault + CIBA changes the equation. Token Vault ensures agents never hold raw credentials, and CIBA adds a real-time human-in-the-loop approval channel. But neither alone solves the intelligence problem — knowing when to prompt and when to let the agent proceed. That's what AgentScope's Permission Engine adds: behavioral context that makes authorization decisions smarter over time.

Limitations We're Honest About

CIBA requires the user to have a push-capable authenticator enrolled (Auth0 Guardian). If they don't, write operations are blocked entirely — safe, but not graceful. Our anomaly detection is also simple: it flags first-time scope usage. A more sophisticated engine would use sliding windows and frequency analysis to catch gradual permission creep, not just binary "used vs never-used."

What We'd Build Next

If we had more time, we'd add automatic scope downgrade recommendations that feed back into Token Vault — suggesting narrower OAuth scopes based on actual usage patterns. We'd also explore time-boxed permissions: "This agent can use write scopes for the next 30 minutes, then they expire." And we'd add write-velocity detection — flagging not just novel scope usage but unusual bursts of write activity.

The fundamental insight is this: granting an AI agent access is easy. Knowing whether that access is still appropriate is the unsolved problem. Token Vault gives us the secure credential layer. What's missing — and what AgentScope begins to address — is the intelligence layer on top.

Built with Auth0 Token Vault, CIBA, FastAPI, LangGraph, and DeepSeek. GitHub Repository

Built With

  • aiosqlite
  • auth0-ciba
  • auth0-token-vault
  • auth0-universal-login
  • deepseek
  • fastapi
  • htmx
  • jinja
  • langchain
  • langgraph
  • playwright
  • pytest
  • python
  • slowapi
  • sqlite
  • tailwind-css
Share this project:

Updates