The weaknesses of shared secrets — API keys and bearer tokens — are being exploited in the agentic era. They get copied to every workload that uses them, they leak, and they prove nothing about who is actually calling.
Software has changed. Agents now assemble themselves at runtime and call services they've never seen, across organizations and trust domains. Inside the enterprise we have mTLS; on the open web we fall back to bearer tokens, which travel anywhere but prove nothing.
AAuth gives every agent its own cryptographic identity — verifiable by any party, with no pre‑registration and no shared secret. The agent proves possession of a key on every request, and carries who it is, who it is acting on behalf of, and what it's authorized to do in one signed token.
So when an agent calls, the resource knows who's calling — and on whose authority.