Dear Auth0: a love letter from the agent era

Dear Auth0, you taught a generation of developers that login was a solved problem. Then your customers' agents started signing into things twelve thousand times a day, and the problem is no longer login. We bear no grudge. We are writing because we both inherited the next twenty years.

You were right about the 2010s

You bet that login should not be a Friday-night problem for every startup CTO, and you won. The "Universal Login" page rendered the OAuth dance into a checkbox. We installed the SDK in fifteen minutes. We outgrew the free tier and stayed out of resentment. The hold over a generation of B2B identity was earned.

The agent did not RTFM

Then the agent showed up. The agent signs in once, then keeps a refresh token forever. The agent makes 12,000 API calls a day under a human's name. The agent's user-agent string lies because the developer wanted observability without rate-limit drama. The agent gets a "machine-to-machine" client credential because nobody knew where else to put it. The agent goes off-tenant, into customer data, into Stripe, into Workday — under credentials that say "the human signed in once on Tuesday."

What we are doing about it

We — Manav — are building a separate layer that sits next to Auth0, not over it. Your tenant still owns the human's session. Our tenant signs the human's delegation to the agent, scoped, time-bound, magnitude-capped. Auth0 logs the human in. Manav signs for everything the agent does next. We are not your replacement; we are the part of the picture you do not draw.

What we'd love from you

Three things. An "agent_did" claim in the access token — a place for the agent's identity to ride alongside the human's. A delegated-token endpoint — a place for the human to mint scoped, time-bound delegations from your IdP without a custom flow. An "agent_actions" log — a structured audit of every action a refresh token did since the human last signed in. None of these require Auth0 to ship a new product. They require Auth0 to acknowledge a category we both know is real.

Why this is not a vs. piece

It easily could be. We chose not to. Auth0's installed base is the most efficient distribution path for any human-agent identity layer; we would rather ride your rails than route around them. The customers benefit. The category grows. The agent era — which neither of us can credibly handle alone — gets handled together.

Common objections

The strongest counter-arguments we have heard. The incumbent will catch up — possibly inside their boundary; the cross-platform shape is architecturally hard for them. The category is too narrow — we believe it broadens as agent autonomy compounds; we may be wrong; the data over the next year will tell.

Frequently asked questions

What are the strongest counter-arguments? The two we hear most: (1) the incumbent will eventually ship this, and (2) the category is too narrow to support a category-defining company. We address both head-on; we believe the incumbent's architecture cannot ship this without a rebuild, and we believe the category broadens as agent autonomy compounds.

Are we ignoring legitimate criticism? We try not to. The honest criticisms — slow adoption, immature SDKs in some languages, unclear regulator response — are documented openly. We answer with progress, not with marketing.

What would make us change our mind? Three signals. A major incumbent shipping a comparable cross-platform delegation primitive. A regulator explicitly preempting the category with a different spec. A customer cohort showing they prefer the platform-bound alternative even when the audit trail is broken. None of those have appeared.

Where to start

For the steel-manned counter-position, read manav vs auth0. For the alternative we agree could win, see oauth to agentauth. We do not need to be right for the category to be real.

The acquisition that does not happen

The most common question we get from investors is whether Auth0 acquires Manav. The answer is structural: probably not, and not for the reasons most analysts cite. Auth0's data model is built around the session — a human authenticates, gets a token, makes requests within the token's scope. The Manav data model is built around the action — a human delegates, an agent acts, the action is independently signed and verified. Bolting the second model into the first requires re-architecting the core data layer, which Auth0 cannot do without breaking enterprise contracts. The cleaner outcome is partnership: Auth0 owns the human session, Manav owns the agent delegation, the two products talk through a clean interface. We have prototyped that interface. Auth0 has read the docs. The customers who would benefit are watching to see whether the partnership ships before the next major regulator deadline, which is when the procurement question becomes a procurement decision.

The login was easy. The trip the agent takes after the login is the next twenty years of identity.