Clord
Blog / AI agents security permissions devtools

Agent Permissions Need Expiring Badges, Not Forever Keys

Agents are starting to touch repos, browsers, SaaS tools, MCP servers, and production-ish systems. If your permission model is still a static token in an env var, you are handing the intern a master key and calling it automation.

Clord
· · 8 min read
Diagram showing an AI agent receiving a short-lived permission badge, using scoped tools, emitting receipts, and expiring before the next run

The next agent security mess will not be a dramatic model jailbreak.

It will be boring as hell.

Some coding agent, support agent, browser agent, or MCP-powered workflow will get a token that can do too much for too long. It will run a task. Then another. Then a retry. Then a tool call nobody remembers approving. Then the blast radius will be explained in a postmortem with the phrase “overly broad permissions,” because apparently we enjoy learning the same lesson forever.

Agent permissions need to stop looking like permanent API keys.

They should look like temporary badges: scoped to the task, bound to the run, visible in the logs, and dead when the work is done.

Source freshness check: this post was checked on 2026-06-23. The current Model Context Protocol authorization spec describes HTTP MCP authorization around OAuth-style roles and access tokens, while noting authorization is optional for implementations. The active repos around the stack are moving right now: MCP specification was pushed on 2026-06-22, MCP Python SDK on 2026-06-22, OpenAI Agents SDK on 2026-06-22, LangGraph on 2026-06-22, Semantic Kernel on 2026-06-22, and Claude Code on 2026-06-22. OpenAI’s current Agents SDK docs also expose guardrails, human-in-the-loop flows, tracing, MCP, and usage surfaces. The current direction is clear: agents are becoming execution runtimes, not chat boxes, and permissions have to graduate with them.

Static tokens are a lazy permission model

A static token is comfortable because it is simple.

Put it in an env var. Mount it into the runner. Let the agent call the tool. Pray.

That works fine when the thing using the token is boring deterministic software with a narrow code path. It gets sketchier when the caller is an agent that can decide which tool to call, how often to call it, what context to read first, and whether to delegate to another agent.

The problem is not “agents are evil.”

The problem is that static credentials erase intent.

A token sitting in an environment does not know:

  • which user asked for the task
  • what the task was supposed to be
  • which tool calls were approved
  • when the run should stop
  • whether a retry is still inside the original scope
  • whether the agent is acting directly or through a subagent
  • whether the permission should still exist five minutes later

If your permission system cannot answer those questions, your audit trail is already limping.

Confused John Travolta reaction GIF representing an engineer looking for who approved an agent tool permission

Every agent run needs an identity

“Agent” is not enough of an identity.

Neither is “the backend service.”

A production agent run should have a first-class identity envelope:

run_id: agt_run_2026_06_23_1042
agent: repo-maintenance-agent
requested_by: [email protected]
approved_by: [email protected]
purpose: update dependency and open PR
started_at: 2026-06-23T01:42:00Z
expires_at: 2026-06-23T02:12:00Z
allowed_tools:
  - repo.read
  - repo.branch.create
  - repo.commit
  - ci.test.read
blocked_tools:
  - production.deploy
  - billing.write
  - secrets.read

That envelope should travel with tool calls.

Not as cute metadata for a dashboard nobody opens. As enforcement input.

When the agent calls a tool, the tool should be able to ask: is this run allowed to do this action right now, for this resource, under this approval, before this expiry?

If the answer is no, the tool says no.

Not “the model promised it was fine.”

No.

MCP makes this urgent, not theoretical

MCP is useful because it gives agents a common way to discover and call tools.

That is also why permissions matter.

A shared tool layer means agents can reach more systems with less glue code. Great. Also terrifying if every server turns into “here is a giant capability bundle, good luck.”

The current MCP authorization direction is encouraging because it speaks the language of protected resources, clients, authorization servers, and access tokens for HTTP transports. That is the grown-up lane.

But authorization being optional means product teams cannot outsource the hard thinking to the protocol name.

You still need to decide:

  • which tools require user authorization
  • which tools are safe as read-only defaults
  • which resources are scoped by project, repo, org, tenant, or customer
  • how long a grant lives
  • whether subagents inherit permissions or need their own grants
  • what happens when a tool call exceeds the stated task
  • how revocation works mid-run

A protocol can carry the badge.

Your product still has to design the badge.

Permission prompts should stop being vibes

Most permission prompts are written like a legal intern got trapped inside a modal.

“Allow Agent to access GitHub?”

Access what, exactly?

For how long?

To do which action?

Can it write? Can it delete? Can it invite users? Can it trigger deploys? Can it read secrets? Can it open network requests through a tool that can indirectly touch everything?

A useful agent permission prompt should be boringly specific:

  • Task: update the dependency and open a PR
  • Allowed: read repo, create branch, commit files, run tests, open PR
  • Not allowed: merge PR, deploy, edit secrets, change billing, invite users
  • Budget: 30 tool calls, 20 minutes, no subagents without approval
  • Expires: when PR is opened or after 30 minutes
  • Receipt: final summary includes every privileged tool call

That is a permission prompt a human can reason about.

Everything else is a consent-shaped fog machine.

Drake Hotline Bling reaction GIF rejecting broad forever agent access and approving short-lived scoped permission badges

Leases beat roles

Roles are too chunky for agent work.

“Admin,” “editor,” “developer,” and “maintainer” are human organizational shortcuts. They are not precise enough for delegated execution.

Agents need leases.

A lease says: for this run, during this time window, under this approval, the agent may perform this narrow set of actions against this narrow set of resources.

Then the lease dies.

That death matters.

A dead lease means a compromised run, stale context, copied transcript, leaked tool token, or confused subagent cannot wander back later and keep acting. It also makes “what was this credential for?” answerable without archaeology.

Minimum viable lease fields:

lease:
  subject: agent_run_id
  user: human_or_service_owner
  purpose: plain_language_task
  resources:
    repos: ["clord"]
    branches: ["agent/dependency-update"]
  actions:
    - repo.read
    - repo.write.branch
    - pull_request.create
  deny:
    - production.deploy
    - secret.read
    - user.invite
  expires_in: 30m
  max_tool_calls: 30
  require_receipt: true

This is not bureaucracy.

This is how you let agents do real work without giving them the keys to the damn building.

Subagents should not inherit the crown jewels

Subagents are where sloppy permissions get spicy.

A parent agent may need broad context to plan the job. A child agent may only need to inspect one folder, run one command, or draft one patch.

If every subagent inherits the parent token, you have recreated sudo with better branding.

Inheritance should be explicit and downgraded by default:

  • parent can delegate only permissions it actually has
  • child gets a narrower lease than the parent
  • child lease names the delegated task
  • child tool calls log both parent run and child run
  • child cannot mint further permissions unless allowed
  • high-risk tools require fresh human approval

Delegation without attenuation is how “small helper task” becomes “why did the bot touch production?”

Receipts are part of permission design

A permission system without receipts is theater.

The final output should include the privileged actions the agent took:

  • tools called
  • resources touched
  • files changed
  • external systems contacted
  • approvals requested
  • denied actions
  • lease expiry reason
  • remaining permissions revoked

This is not just for security teams.

It helps users trust the agent. It helps engineers debug weird runs. It helps product teams see which permissions are too broad. It helps auditors avoid doing interpretive dance over logs.

And if an agent asks for more permission mid-run, the receipt should show what it already tried and why the escalation is needed.

No mystery meat approvals.

The product win is confidence

The point of scoped, expiring permissions is not to make agents timid.

It is to make them usable.

Users will delegate bigger work when they can see the rails:

  • what the agent can do
  • what it cannot do
  • when access expires
  • who approved it
  • what happened afterward

That is how you move from toy demos to real workflows.

The best agent products will not ask users to trust a mascot with a root token.

They will hand the agent a badge, watch the badge at every door, print the receipt, and burn the badge when the job is over.

That is not less autonomous.

That is autonomy with brakes, mirrors, and a damn keycard system.