The OAuth token expired at 2 AM. The agent kept running. It just couldn’t access the CRM. No error. No alert. Just silently empty responses for 14 hours.

OAuth was designed for human-mediated authorization. AI agents broke every assumption it was built on. [CONFIRMED] Standard OAuth protocols assume a human is present to grant consent. And that sessions will eventually end. AI agents run continuously in the background. They treat token expiration as a technical roadblock to route around — not a security boundary to respect. [SOURCE: AI Agent Security]

The mismatch: OAuth expects humans. AI agents are not human. The protocol doesn’t know what to do with them.

The Five Authentication Failure Patterns

1. The Manual Token Trap

Access tokens represent a login session and should expire quickly — often within 24 hours. [CONFIRMED] The problem is that the “sign in” step was done manually. When the token expires, the agent can’t prompt a human to log back in. The integration breaks. [SOURCE: Salesforce Community]

The fix: Implement automated token refreshes using JWT Bearer Flow or Named Credentials. The application signs in automatically and obtains a fresh access token whenever the old one expires. [SOURCE: Salesforce Community]

2. Dangerous Workarounds

To avoid the annoyance of expired tokens, developers bypass standard security. They hardcode secrets into workflow configurations. They use persistent refresh tokens stored indefinitely. They create “orphaned agents” — agents whose creator accounts have been disabled after offboarding, but whose embedded credentials remain active. [CONFIRMED] This is one of the most common findings in enterprise AI agent security assessments. [SOURCE: AI Agent Security]

The fix: Owner-bound expiration. Every agent credential must be tied to the identity of its creator. When that person is offboarded, the credential expires automatically. [SOURCE: AI Agent Security]

3. Shared Service Accounts

Multiple agents are tied to a single shared IAM role or service account key. [CONFIRMED] If one agent is compromised and that shared credential needs to be revoked, it instantly breaks every other agent. One incident, ten broken workflows. [SOURCE: AI Agent Security]

The fix: Use dedicated integration users with minimal scopes. Scope minimization is the highest-leverage control — if the agent only reads files, it doesn’t need files.readwrite.all. [SOURCE: AI Agent Security]

4. Broad OAuth Scopes

At consent time, agent builders request the widest scope available to avoid future friction. [CONFIRMED] mail.readwrite instead of mail.read. files.readwrite.all instead of a folder-scoped permission. The agent never uses most of what it was granted, but that unused authority represents real blast radius. [SOURCE: AI Agent Security]

The fix: Scope minimization at consent time. Review requested scopes against the actual workflow. If the agent summarizes documents, it needs files.read — not files.readwrite.all. [SOURCE: AI Agent Security]
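A consent-time scope review can be automated. The following is an added example, not code from the original page: it compares the scopes an agent requests against the minimal scopes its workflow needs and reports over-broad, unused, and missing grants. It assumes scope names follow the `<resource>.<access>[.all]` shape the page quotes (`files.read`, `files.readwrite.all`); the workflow catalogue is constructed for illustration.

```python
"""Consent-time scope review for agent credentials.

Added example, not code from the original page.  Assumption: scopes use the
<resource>.<access>[.all] shape (files.read, mail.readwrite, files.readwrite.all).
WORKFLOW_NEEDS is a constructed catalogue of what each workflow actually does.
"""
from typing import Iterable, List, Set, Tuple

# Constructed: the minimal scopes each workflow genuinely requires.
WORKFLOW_NEEDS = {
    "summarize-documents": {"files.read"},
    "triage-inbox": {"mail.read"},
    "file-and-archive": {"mail.readwrite"},
}

# Broader access levels rank higher; readwrite covers read.
ACCESS_RANK = {"read": 1, "readwrite": 2}


def parse_scope(scope: str) -> Tuple[str, str, bool]:
    """Split 'files.readwrite.all' into (resource, access, tenant_wide)."""
    parts = scope.lower().split(".")
    resource = parts[0]
    access = parts[1] if len(parts) > 1 else "read"
    tenant_wide = len(parts) > 2 and parts[2] == "all"
    return resource, access, tenant_wide


def covers(requested: str, needed: str) -> bool:
    """True if the requested scope grants at least what the needed scope grants."""
    r_res, r_acc, r_all = parse_scope(requested)
    n_res, n_acc, n_all = parse_scope(needed)
    if r_res != n_res:
        return False
    if ACCESS_RANK.get(r_acc, 0) < ACCESS_RANK.get(n_acc, 0):
        return False
    if n_all and not r_all:  # a tenant-wide need is not met by a narrower grant
        return False
    return True


def review_scopes(requested: Iterable[str], needed: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, scope, detail) tuples; an empty list means the request is minimal."""
    requested = list(requested)
    findings = []
    for scope in requested:
        satisfied = sorted(n for n in needed if covers(scope, n))
        if not satisfied:
            findings.append(("UNUSED", scope, "no workflow step needs this"))
        elif scope.lower() not in {n.lower() for n in satisfied}:
            # The grant is strictly wider than every need it satisfies.
            findings.append(("OVER_BROAD", scope, "needs only " + ", ".join(satisfied)))
    for n in sorted(needed):
        if not any(covers(s, n) for s in requested):
            findings.append(("MISSING", n, "needed by the workflow but not requested"))
    return findings


if __name__ == "__main__":
    # Constructed consent request for the document-summarizing agent.
    for finding in review_scopes(["files.readwrite.all", "mail.readwrite"],
                                 WORKFLOW_NEEDS["summarize-documents"]):
        print(finding)
```

Run it against the real consent request before the grant is approved; anything tagged OVER_BROAD or UNUSED is blast radius the agent never uses.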

5. Cross-Agent Credential Sharing

In multi-agent architectures, tokens and API keys are passed between agents as part of workflow context. [CONFIRMED] Agent A passes its Salesforce token to Agent B. If Agent B has a broader attack surface, that token is now exposed to additional risk. This is the agent-to-agent communication blind spot that single-platform tools can’t see. [SOURCE: AI Agent Security]

The fix: Use dedicated secrets vaults with access logging, rotation automation, and break-glass procedures. Static credentials should never live in workflow configurations or environment variables. [SOURCE: AI Agent Security]

The Token Rotation Imperative

Access tokens should expire on short cycles. Refresh tokens should be rotated on a defined schedule. [CONFIRMED] Critically, verify that revocation actually worked. Post-incident reviews have found cases where teams believed they rotated a leaked token but revoked the wrong credential, leaving the original active. [SOURCE: AI Agent Security]

| Token Type | Rotation Cadence | Action on Breach |
|---|---|---|
| Access tokens | 24 hours | Automatic refresh via JWT Bearer |
| Refresh tokens | 30 days | Rotate and verify old token is dead |
| Service account keys | 90 days | Vault-managed with audit logging |
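The "rotated the wrong credential" failure described above is easy to reproduce when two credentials share a label. The following is an added example, not code from the original page: `FakeVault` and `FakeApi` are constructed stand-ins for a secrets vault and the API that accepts the credential, `rotate_by_label` is the unverified anti-pattern, and `rotate_and_verify` rotates the credential that actually leaked and then probes with the old secret to prove it is dead.

```python
"""Rotate a leaked credential and verify that revocation actually took effect.

Added example, not code from the original page.  FakeVault, BrokenVault and
FakeApi are constructed stand-ins; the two-credentials-one-label setup is
constructed to show how the wrong credential gets revoked.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


class RevocationNotVerified(Exception):
    """The credential we meant to kill still authenticates."""


@dataclass
class Credential:
    cred_id: str
    label: str
    secret: str
    active: bool = True


class FakeVault:
    """Constructed vault: issues credentials and keeps an audit trail."""

    def __init__(self) -> None:
        self.creds: Dict[str, Credential] = {}
        self.audit = []

    def create(self, label: str) -> Credential:
        cred = Credential(f"cred-{len(self.creds) + 1}", label, secrets.token_hex(8))
        self.creds[cred.cred_id] = cred
        self.audit.append(("create", cred.cred_id, label))
        return cred

    def revoke(self, cred_id: str) -> None:
        self.creds[cred_id].active = False
        self.audit.append(("revoke", cred_id, self.creds[cred_id].label))

    def find_by_label(self, label: str) -> Optional[Credential]:
        # First active match wins: fine until two credentials share a label.
        return next((c for c in self.creds.values() if c.label == label and c.active), None)

    def find_by_secret(self, secret: str) -> Optional[Credential]:
        return next((c for c in self.creds.values() if c.secret == secret), None)


class BrokenVault(FakeVault):
    """Constructed failure mode: revoke() is logged but never applied."""

    def revoke(self, cred_id: str) -> None:
        self.audit.append(("revoke", cred_id, self.creds[cred_id].label))


class FakeApi:
    """Constructed API: accepts any secret the vault still marks active."""

    def __init__(self, vault: FakeVault) -> None:
        self.vault = vault

    def authenticate(self, secret: str) -> bool:
        cred = self.vault.find_by_secret(secret)
        return cred is not None and cred.active


def rotate_by_label(vault: FakeVault, label: str) -> Credential:
    """Anti-pattern: rotate whatever the label resolves to and assume it worked."""
    old = vault.find_by_label(label)
    new = vault.create(label)
    vault.revoke(old.cred_id)
    return new


def rotate_and_verify(vault: FakeVault, api: FakeApi, leaked_secret: str) -> Credential:
    """Rotate the credential that actually leaked, then prove the old one is dead."""
    leaked = vault.find_by_secret(leaked_secret)
    if leaked is None:
        raise ValueError("leaked secret is not in the vault")
    replacement = vault.create(leaked.label)
    vault.revoke(leaked.cred_id)
    # The verification step the page calls for: probe with the OLD secret.
    if api.authenticate(leaked_secret):
        raise RevocationNotVerified(leaked.cred_id)
    if not api.authenticate(replacement.secret):
        raise RuntimeError("replacement credential does not authenticate")
    return replacement
```

The key design choice is to locate the credential by the value that leaked rather than by a human-readable name, and to treat a successful authentication with the old secret after rotation as an incident in its own right.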

The Recovery Playbook

  1. Automate token refreshes. JWT Bearer Flow, Named Credentials, or equivalent. Never manual.
  2. Treat 401 errors as re-auth triggers. When an integration receives 401 Unauthorized, it should automatically trigger a refresh flow, fetch a new token, and retry with exponential backoff.
  3. Scope minimization. Review every requested scope against actual workflow needs. If the agent doesn’t need write access, don’t grant it.
  4. Owner-bound expiration. Credentials tied to creator identity. Offboarded = expired.
  5. Secrets vaults. Static credentials in vaults with access logging and automated rotation. Never in environment variables or workflow configs.
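Steps 1 and 2 of the playbook, together with the silent-failure story that opens the page, fit in one client wrapper. The following is an added example, not code from the original page: `FakeIdp` and `FakeCrm` are constructed stand-ins for the token endpoint (the JWT Bearer or Named Credential flow) and the CRM API, and the refresh margin, retry count and backoff base are illustrative defaults. The client refreshes before expiry, treats 401 as a re-auth trigger with exponential backoff, and raises on an empty 200 rather than returning nothing.

```python
"""Token lifecycle for a long-running agent: refresh before expiry, re-auth on
401 with exponential backoff, and fail loudly instead of returning silently
empty results.

Added example, not code from the original page.  FakeIdp / FakeCrm are
constructed stand-ins; in production _ensure_token would call the JWT Bearer
or Named Credential flow instead of FakeIdp.issue.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional


class AuthError(Exception):
    """The agent could not obtain a working token; never swallowed."""


class EmptyResponseError(Exception):
    """A 200 arrived without a body: surface it instead of treating it as data."""


@dataclass
class Token:
    value: str
    expires_at: float  # epoch seconds


class FakeIdp:
    """Constructed identity provider: mints short-lived tokens and validates them."""

    def __init__(self, ttl: float = 3600.0) -> None:
        self.ttl = ttl
        self.valid: Dict[str, float] = {}
        self.minted = 0
        self.outage = False  # when True every token check fails

    def issue(self, now: float) -> Token:
        self.minted += 1
        tok = Token(f"tok-{self.minted}", now + self.ttl)
        self.valid[tok.value] = tok.expires_at
        return tok

    def revoke(self, value: str) -> None:
        self.valid.pop(value, None)

    def check(self, value: str, now: float) -> bool:
        return not self.outage and self.valid.get(value, 0.0) > now


class FakeCrm:
    """Constructed CRM API: 401 for any token the IdP no longer accepts."""

    def __init__(self, idp: FakeIdp) -> None:
        self.idp = idp

    def get(self, path: str, token: str, now: float):
        if not self.idp.check(token, now):
            return 401, None
        return 200, {"path": path, "records": 3}


class AgentClient:
    def __init__(self, idp: FakeIdp, crm: FakeCrm, clock=time.time, sleep=time.sleep,
                 refresh_margin: float = 300.0, max_retries: int = 3, backoff_base: float = 1.0):
        self.idp, self.crm, self.clock, self.sleep = idp, crm, clock, sleep
        self.refresh_margin, self.max_retries, self.backoff_base = refresh_margin, max_retries, backoff_base
        self.token: Optional[Token] = None

    def _ensure_token(self, force: bool = False) -> Token:
        """Step 1: refresh automatically, and do it before the token actually expires."""
        now = self.clock()
        stale = self.token is None or self.token.expires_at - now < self.refresh_margin
        if force or stale:
            self.token = self.idp.issue(now)
        return self.token

    def get(self, path: str):
        """Step 2: 401 triggers re-auth and a retry with exponential backoff."""
        for attempt in range(self.max_retries + 1):
            tok = self._ensure_token()
            status, body = self.crm.get(path, tok.value, self.clock())
            if status == 200:
                if not body:
                    raise EmptyResponseError(path)  # never return silently empty data
                return body
            if status == 401 and attempt < self.max_retries:
                self.sleep(self.backoff_base * 2 ** attempt)
                self._ensure_token(force=True)
                continue
            raise AuthError(f"{path}: HTTP {status} after {attempt + 1} attempt(s)")


if __name__ == "__main__":
    idp = FakeIdp()
    client = AgentClient(idp, FakeCrm(idp))
    print(client.get("/accounts"))
```

Because every failure path ends in an exception rather than an empty result, the 14-hour silent outage in the opening paragraph becomes a page within one retry cycle.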

The Shadow AI Governance Angle

Your employees are building agents with their personal credentials. Those agents are running on their accounts. When they leave, the agents don’t. [OBSERVED] An enterprise audit found dozens of “orphaned agents” — active automations running on disabled accounts, accessing customer data, with no owner and no oversight. [SOURCE: AI Agent Security]
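The owner-bound expiration fix from pattern 2 and the orphaned-agent audit described here share one check: join the agent credential inventory against the user directory. The following is an added example, not code from the original page; the directory and inventory are constructed sample data, and in practice they would come from the identity provider and the automation platform's credential store.

```python
"""Owner-bound expiration and orphaned-agent detection.

Added example, not code from the original page.  sample_inventory() returns
constructed data; real inputs come from the IdP and the credential store.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    user_id: str
    enabled: bool
    disabled_at: Optional[datetime] = None


@dataclass
class AgentCredential:
    agent: str
    owner: str  # identity of the creator; the credential is bound to it
    active: bool
    last_used: Optional[datetime]


@dataclass
class Finding:
    agent: str
    owner: str
    reason: str
    used_after_offboarding: bool  # the agent kept running on a disabled account


def find_orphaned(creds: List[AgentCredential], directory: Dict[str, User]) -> List[Finding]:
    """Active credentials whose owner is disabled or missing from the directory."""
    findings = []
    for c in creds:
        if not c.active:
            continue
        user = directory.get(c.owner)
        if user is None:
            reason, used_after = "owner not in directory", False
        elif not user.enabled:
            reason = "owner account disabled"
            used_after = (c.last_used is not None and user.disabled_at is not None
                          and c.last_used > user.disabled_at)
        else:
            continue
        findings.append(Finding(c.agent, c.owner, reason, used_after))
    return findings


def apply_owner_bound_expiration(creds: List[AgentCredential],
                                 directory: Dict[str, User]) -> List[str]:
    """Expire every orphaned credential; returns the affected agents for alerting."""
    expired = []
    for f in find_orphaned(creds, directory):
        for c in creds:
            if c.agent == f.agent and c.active:
                c.active = False
                expired.append(c.agent)
    return expired


def sample_inventory() -> Tuple[List[AgentCredential], Dict[str, User]]:
    """Constructed sample data: one active owner, one offboarded owner, one unknown owner."""
    def day(d: int) -> datetime:
        return datetime(2024, 1, d, tzinfo=timezone.utc)
    directory = {
        "alice": User("alice", True),
        "bob": User("bob", False, disabled_at=day(10)),
    }
    creds = [
        AgentCredential("crm-sync", "alice", True, day(20)),
        AgentCredential("invoice-bot", "bob", True, day(15)),   # ran after offboarding
        AgentCredential("old-report", "bob", True, day(5)),
        AgentCredential("lead-scorer", "carol", True, day(18)),  # owner unknown
        AgentCredential("retired", "bob", False, None),
    ]
    return creds, directory


if __name__ == "__main__":
    creds, directory = sample_inventory()
    for f in find_orphaned(creds, directory):
        print(f)
```

Run the detection on a schedule and the expiration step as part of the offboarding workflow; a finding with `used_after_offboarding` set is the case the audit in this section describes, an automation still touching data on an account nobody owns.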