How to Let an AI Agent Access a User’s Account Safely

Short answer: To let an AI agent access a user’s account safely, keep the credential off any automated channel between your app and the agent. Most agent access today runs on API keys, OAuth redirects and callbacks, or environment variables, and those channels can be intercepted through prompt injection or misconfiguration. The safer path is user-mediated delivery: the credential is delivered to the human, and the human gives it to their agent. Pair that with access that is scoped to specific actions, time-limited, and revocable, and the user stays in control of exactly what their agent can do, with a record of who approved what.

Why an AI agent changes the security picture

A normal login authenticates a person who is present and reacting to what they see. An AI agent is different. It acts on the user’s behalf, often continuously, often across several services at once, and it decides in the moment which calls to make. It also reads untrusted content along the way, and that content can carry instructions.

This is not hypothetical. In 2025, researchers showed that a single crafted email could make Microsoft 365 Copilot pull internal data and leak it to an outside server with no click from the user, a zero-click flaw tracked as CVE-2025-32711 and nicknamed EchoLeak. Around the same time, Invariant Labs demonstrated a “toxic agent flow” on the GitHub MCP server: a malicious public issue steered an assistant into exposing private repositories, using the same access the user had already granted it. In both cases the agent had a valid credential. The problem was what that credential could reach and how it was handled.

Handing that kind of actor a broad, long-lived credential through an automated channel creates three problems:

  • The channel can be intercepted. API keys, redirects, and environment variables move a credential with no human at the point of delivery, so a prompt injection or a misconfiguration can quietly capture it.
  • The access is broader than the task. A single shared key usually grants far more than the one thing the agent was asked to do, so a leak exposes the whole account.
  • No one can prove or undo consent. If access was arranged through automated plumbing, there is no clean record that the user approved it, and no easy way to revoke one agent without breaking the rest.

The default today leans into all three. An audit of more than 5,200 MCP servers found only 8.5% use OAuth. The majority rely on static API keys or personal access tokens, and most pass them through environment variables. Long-lived, broad, and sitting on an automated channel is exactly the combination these attacks feed on.

What user-mediated delivery means

User-mediated delivery puts the human back in the loop at the moment access is granted. Instead of the credential flowing straight from your app to the agent, it is delivered to the user. The user then gives it to their agent. There is no redirect, no callback, and no automated path between your app and the agent. The developer never has to hold the user’s raw credentials, and the user can see and control exactly what they are handing over.

The reason this matters is where the authorization decision happens. It happens outside the agent’s execution context, in the user’s own authenticated session. So an instruction injected into the agent has nothing to hijack. There is no programmatic path from “injected prompt” to “new grant of access.”

A safe-access checklist

  1. Keep credentials off automated app-to-agent channels. Don’t push an API key, a redirect, or an environment variable straight to the agent.
  2. Deliver the credential to the user. Route it back through the account holder, who passes it to their agent.
  3. Scope it to specific actions. Grant the minimum the task needs, in plain language the user approves.
  4. Time-limit it and make it revocable. Let the user set how long access lasts and revoke a single agent’s connection at any time, without affecting others.
  5. Use a self-describing token. A good token tells the agent where to exchange it and, after exchange, hands back its scopes, endpoints, and request schemas, so the agent can operate without extra configuration or shared secrets.
  6. Keep an audit trail. Record who approved which scope and when, and show it to the user.

What this looks like in practice

When access is delivered this way, it is least-privilege by default. An agent authorized to read one thing cannot quietly reach everything else. A single leaked token is limited to one scope on one account and can be revoked on its own. And because the user granted access directly and it was recorded, both the user and the platform can answer the question that matters as agents multiply: who authorized this, and for what.

For the model behind this and why the credential goes to the user in the first place, see What is user-mediated authorization for AI agents?

Frequently asked questions

Can I just give an AI agent an API key?

You can, but it is the least safe option. An API key is usually broad, moves through an automated channel that can be intercepted, cannot express who approved it, and is hard to revoke without breaking everything else that uses it. Scoped, user-delivered credentials limit the damage if the agent or its host is compromised.

Does user-mediated delivery replace OAuth or a normal login?

No. It complements standards like OAuth. It changes how the resulting credential reaches the agent, through the user rather than an automated redirect or callback, and adds per-agent scoping and revocation, so the human stays in control at the moment of access.

Does the agent still end up with a credential?

Yes, and that is fine. The difference is the path. The credential is delivered to the user, and the user gives it to their agent, so there is no automated channel between your app and the agent for an attacker to intercept.

What is the simplest first step to make agent access safer today?

Stop pushing raw, broad credentials to agents through automated channels. Move to scoped access that the user approves and delivers, keep a record of each grant, and make each connection revocable on its own.

AgentAdmit is the authorization layer for the agent economy: user-mediated, scoped authorization that lets AI agents access user accounts with the credential delivered to the user, not an automated channel. Scoped. Revocable. Auditable. See how AgentAdmit works.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *