A reference architecture for cross-platform agent identity

A typical enterprise runs agents across AWS, Azure, GCP, and a dozen SaaS tenants. Each platform vendor is happy to identify agents inside its own walls; none can name the human on the other side of the boundary. What follows is a reference architecture that can.
The five components
Human root. A Manav DID anchored to a hardware-attested device. One per human, signed once, used everywhere.

Delegation issuer. A signing service the human controls, on the device or held by Manav as a trustee. Issues scoped, time-bound delegation tokens to agents.

Relying-party verifier. A small library or sidecar that every relying party (a database, a SaaS, a payment processor) runs to validate incoming delegations.

Audit ledger. An append-only log of every delegation issued and every action taken under it, anchored to the verification chain.

Revocation channel. A real-time pub-sub that relying parties subscribe to, so a revocation lands in under 200 ms. A relying party that is disconnected from the channel still stops honoring a delegation at its time bound, which is why every delegation carries one.
What flows where
The human signs once, on their device. The signature produces a delegation: "Agent X may, until 8pm, take actions in scope Y, with magnitude cap Z, under audit policy P." The agent presents the delegation to a relying party with each request. The relying party verifies the signature against the human's public key, checks that the delegation has not expired, checks that the requested action is within scope, decrements the magnitude cap by the request's amount, and writes a structured event to the audit ledger. If at any moment the human revokes, the revocation channel pushes the new state to all subscribed relying parties at once.
Why platform-specific designs fail
Microsoft Entra Agent ID assumes the agent and the relying party are both inside Azure. Google's agent identity assumes Workspace and GCP. AWS IAM Roles Anywhere lets a workload outside AWS obtain AWS credentials, but the relying party is still AWS. Each works inside its boundary; each loses signal at the edge. An agent that authenticated to Azure with an Entra identity cannot prove to Stripe Connect, or to OpenAI ten seconds later, that the same human authorized both calls. Cross-platform identity has to live above the cloud, not in it.
Where Manav sits
Manav is the human-rooted layer above all the platform identities. Each cloud and SaaS still operates its own access controls; Manav sits between the human and those controls, providing the cryptographic chain that survives every boundary. Existing IAM stays. The new layer is identity-as-portable-truth.
Defense in depth
Three checks, three independent failure modes. The signature must verify against the human's public key: this defeats forged or altered delegations (a stolen but unmodified token is still valid until its time bound, its cap, or a revocation stops it, which is why those exist). The scope must contain the requested action: this defeats over-permissioned agents. The magnitude cap must not be exhausted: this defeats a compromised agent burning the entire budget in one minute. Any failure short-circuits the request and lands a structured event in the audit ledger. One caveat on the cap: the verifier that decrements it holds the counter, so a cap meant to span several relying parties has to be tracked in state all of them can see, not in each verifier's local copy.
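The flow described under "What flows where" and the three checks above, written out as an added example. This is illustrative code, not the Manav reference implementation or its published schema: the Delegation field names, the event outcomes, the Go standard-library Ed25519 signing, and the in-memory cap counter and revocation set are all assumptions of this example. The verifier runs the checks in order, short-circuits on the first failure, records every decision in a ledger slice, and only decrements the cap when every check passed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Delegation is the statement the human signs once: which agent, which
// actions, until when, how much, under which audit policy.
// Field names are this example's own, not the protocol's schema.
type Delegation struct {
	ID       string    `json:"id"`
	Agent    string    `json:"agent"`
	Scope    []string  `json:"scope"`
	NotAfter time.Time `json:"not_after"`
	Cap      int64     `json:"cap"`
	Policy   string    `json:"policy"`
}

// Token is what the agent presents with every request: the exact bytes the
// human signed plus the Ed25519 signature over them.
type Token struct {
	Payload []byte
	Sig     []byte
}

// Issue is the delegation issuer: canonical bytes, then one signature.
func Issue(priv ed25519.PrivateKey, d Delegation) (Token, error) {
	payload, err := json.Marshal(d)
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// Event is the structured audit record every decision produces.
type Event struct {
	DelegationID, Agent, Action, Outcome string
	Amount                               int64
}

// Verifier is one relying party's sidecar: the human's public key, the
// remaining cap per delegation, the revocation set and the audit ledger.
// The cap counter is local to this verifier (see the caveat above).
type Verifier struct {
	HumanPub  ed25519.PublicKey
	remaining map[string]int64
	revoked   map[string]bool
	Ledger    []Event
	Now       func() time.Time // injectable clock so expiry can be tested
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{HumanPub: pub, remaining: map[string]int64{}, revoked: map[string]bool{}, Now: time.Now}
}

// Revoke is what the revocation channel calls when a push arrives.
func (v *Verifier) Revoke(id string) { v.revoked[id] = true }

// Authorize runs the checks in order; the first failure short-circuits and is
// logged with its reason. agent is the caller's identity as established by
// the relying party's own channel (assumed, not part of the token).
func (v *Verifier) Authorize(tok Token, agent, action string, amount int64) (bool, string) {
	// Signature first: nothing in the payload is trusted until this passes.
	if !ed25519.Verify(v.HumanPub, tok.Payload, tok.Sig) {
		return v.record(Event{Agent: agent, Action: action, Amount: amount, Outcome: "bad_signature"})
	}
	var d Delegation
	if err := json.Unmarshal(tok.Payload, &d); err != nil {
		return v.record(Event{Agent: agent, Action: action, Amount: amount, Outcome: "malformed"})
	}
	ev := Event{DelegationID: d.ID, Agent: agent, Action: action, Amount: amount}
	switch {
	case d.Agent != agent:
		ev.Outcome = "wrong_agent"
	case v.revoked[d.ID]:
		ev.Outcome = "revoked"
	case !v.Now().Before(d.NotAfter):
		ev.Outcome = "expired"
	case !contains(d.Scope, action):
		ev.Outcome = "out_of_scope"
	default:
		left, seen := v.remaining[d.ID]
		if !seen {
			left = d.Cap
		}
		if amount > left {
			ev.Outcome = "cap_exhausted"
		} else {
			v.remaining[d.ID] = left - amount // decrement only on full success
			ev.Outcome = "allowed"
		}
	}
	return v.record(ev)
}

func (v *Verifier) record(ev Event) (bool, string) {
	v.Ledger = append(v.Ledger, ev)
	return ev.Outcome == "allowed", ev.Outcome
}

func contains(set []string, s string) bool {
	for _, x := range set {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample delegation: agent-x may refund up to 100 until an hour from now.
	d := Delegation{ID: "d1", Agent: "agent-x", Scope: []string{"payments:refund"},
		NotAfter: time.Now().Add(time.Hour), Cap: 100, Policy: "audit-default"}
	tok, _ := Issue(priv, d)
	v := NewVerifier(pub)
	fmt.Println(v.Authorize(tok, "agent-x", "payments:refund", 60)) // allowed
	fmt.Println(v.Authorize(tok, "agent-x", "payments:refund", 60)) // cap_exhausted
	fmt.Println(v.Authorize(tok, "agent-x", "payments:create", 1))  // out_of_scope
	v.Revoke("d1")
	fmt.Println(v.Authorize(tok, "agent-x", "payments:refund", 1)) // revoked
	fmt.Printf("%d ledger events\n", len(v.Ledger))
}
```

Because the agent presents the exact signed bytes rather than a re-serialized struct, any edit to the payload (a wider scope, a later expiry, a bigger cap) fails the signature check before the verifier ever reads a field. The revocation set and cap counter here live in one process; in the architecture above the revocation channel feeds the set, and a cap shared across relying parties needs shared state.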
What's deployable today
The reference implementation, the verifier libraries (Python, Go, Node, Rust), the revocation listener, and the audit ledger schema are all open-source under the protocol repository. A typical relying party integrates in two days; a typical SDK consumer integrates in twelve lines.
Common objections
Engineers push back on three things. Latency — the cache makes verification 18 µs hot-path, fine for any production system. Vendor lock-in — the protocol is open, the spec is published, the reference implementation is forkable. Adding another auth dance — the integration is twelve lines and middleware, not a new platform to manage.
Frequently asked questions
What is the runtime cost? Verification itself is 18 µs with a warm cache and 1–2 ms cold; the overhead added to a tool call, including the audit write, stays in single-digit milliseconds. Both numbers are small relative to the LLM round-trip the agent is already paying.
Does it work with our existing agent framework? Yes. The protocol is host-agnostic. SDKs ship for Python, Go, Node, Rust, and TypeScript; integrations exist for LangChain, CrewAI, AutoGen, and the Claude Agent SDK. Anything that calls a tool can present a delegation.
What happens to delegations when an engineer leaves? They die at the human's offboarding. The IdP de-provisions the human; the device key is rotated; every active delegation that human signed is invalidated within 200 ms. No service-account graveyard for the new owner to clean up six months later.
Where to start
Hands-on next: "Seven layers of trust ships in twelve lines" covers the basics; "MCP identity 12 lines" adds the operational layer once you have them. Both link to working repos; clone, integrate, run the bench.
Why portability beats federation
Federated identity worked for human users moving between platforms, the SAML and OIDC era, and is the wrong answer for agents. Federation requires the platforms to agree on a trust model and federate with each other, which produces n-squared trust relationships and a long political negotiation. Portability does not. A Manav-bound agent identity travels in the user's wallet; the agent identifies itself to the platform, which verifies independently against the substrate, with no federation negotiation required. The platform did not have to agree with any other platform; it had to agree with the substrate. The architectural shift is from horizontal trust agreements to vertical trust attestations, and the two produce very different cost curves. Federation costs grow with the number of platform pairs: n platforms need n(n-1)/2 pairwise agreements. Portability costs are fixed at one substrate-to-platform integration per platform, n in total. The pairwise count overtakes the per-platform count as soon as there are more than three platforms, a threshold every modern enterprise has already crossed.
If your identity does not survive the cloud boundary, your audit log does not survive the regulator.