Introduction
Something clicked when I looked at the Workload Identity Federation that Anthropic shipped in May 2026. Delete the sk-ant-... API key, exchange a Kubernetes service account JWT for a short-lived sk-ant-oat01-... token, call anthropic.Anthropic() with no arguments, and it just works. The security posture clearly went up: there is no static secret left to leak, and the credential that replaces it is tied to the workload that presented the JWT and expires on its own.
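The exchange behind that zero-argument client, as an added example that is neither the article's code nor Anthropic's implementation: a mock RFC 8693 token exchange in which a Kubernetes projected service-account JWT is swapped for a short-lived, audience-bound access token, and the resource then verifies what comes back. Every issuer URL, key, the binding table, the 15-minute TTL and the idea that an SDK's default credential chain would perform this exchange are assumptions; HS256 stands in for the asymmetric signatures real service-account tokens carry so the whole thing runs offline on the standard library.

```python
"""Workload identity federation modelled as an RFC 8693 token exchange.

Added example; not the article's code and not Anthropic's implementation.
A Kubernetes projected service-account JWT is presented to a token-exchange
endpoint (an STS) and swapped for a short-lived, audience-bound access token.
All URLs, keys, bindings and TTLs are assumptions; HS256 replaces the API
server's asymmetric signature so this runs offline, the checks are the same.
"""
import base64, hashlib, hmac, json

K8S_ISSUER = "https://kubernetes.default.svc.cluster.local"  # assumed cluster issuer
K8S_KEY = b"cluster-signing-key-demo"                         # stand-in for the API server key
STS_ISSUER = "https://sts.example/token"                      # assumed STS; also the SA token audience
STS_KEY = b"sts-signing-key-demo"
RESOURCE = "https://api.example"                              # assumed resource the exchanged token is for
ACCESS_TTL = 900                                              # 15 minutes: short-lived by construction
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
# Federation bindings: which cluster identity may obtain which workload principal (assumed config).
BINDINGS = {"system:serviceaccount:agents:build-agent": "wl_build_agent"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256 (demo signing only; see module docstring)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Signature, issuer, audience and expiry checks; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token header, picks the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # a token projected for another party must not work here
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims

def k8s_projected_sa_token(namespace: str, sa: str, now: int, audience: str = STS_ISSUER) -> str:
    """Constructed sample with the claim shape of a projected service-account token."""
    return sign_jwt({
        "iss": K8S_ISSUER, "sub": f"system:serviceaccount:{namespace}:{sa}",
        "aud": [audience], "iat": now, "exp": now + 3600,
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa}},
    }, K8S_KEY)

def token_exchange(form: dict, now: int) -> dict:
    """Mock STS endpoint: RFC 8693 request in, access token or OAuth error response out."""
    if form.get("grant_type") != TOKEN_EXCHANGE:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != JWT_TYPE or form.get("audience") != RESOURCE:
        return {"error": "invalid_request"}
    try:
        claims = verify_jwt(form.get("subject_token", ""), K8S_KEY, K8S_ISSUER, STS_ISSUER, now)
    except ValueError as e:
        return {"error": "invalid_grant", "error_description": str(e)}
    principal = BINDINGS.get(claims["sub"])
    if principal is None:  # valid cluster token, but no federation binding: not trusted
        return {"error": "invalid_grant", "error_description": "no binding for subject"}
    access = sign_jwt({
        "iss": STS_ISSUER, "sub": principal, "aud": [RESOURCE],
        "iat": now, "exp": now + ACCESS_TTL,
        "act": {"sub": claims["sub"]},  # RFC 8693 actor claim: which cluster identity did the exchange
    }, STS_KEY)
    return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL,
            "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"}

def workload_credential(sa_token: str, now: int) -> dict:
    """What a zero-argument SDK client is assumed to do behind the scenes: exchange the
    mounted service-account token instead of loading a static API key."""
    return token_exchange({"grant_type": TOKEN_EXCHANGE, "subject_token": sa_token,
                           "subject_token_type": JWT_TYPE, "audience": RESOURCE}, now)

def resource_accepts(access_token: str, now: int):
    """The API's own check on the exchanged token; returns its claims or None."""
    try:
        return verify_jwt(access_token, STS_KEY, STS_ISSUER, RESOURCE, now)
    except ValueError:
        return None
```

The failure paths worth checking are all exercised by the code: a service-account token projected for a different audience, a cluster identity with no federation binding, and an attempt to feed the exchanged token back into the STS as a subject token each come back as invalid_grant, and the exchanged token itself stops working at its exp without anyone having to revoke it.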
But the actual day-to-day flow, the one where Cursor runs on Alice's GitHub PAT and opens a PR, did not change one bit. Cursor, Claude Code, Comet: all of them ultimately hold the user's own credentials and act as the user. Around the same time I was following the IETF drafts for ID-JAG (Identity Assertion JWT Authorization Grant) and Transaction Tokens, and I kept feeling the same gap: the specs are converging, yet nobody is adopting them.
That raises one obvious question. "Tighter scope," "auditable," "smaller blast radius" are all true, and yet the agent UX you use every day does not change. So is this stuff actually going to catch on?
This article takes that question head-on. The conclusions up front: