Agents act.
Humans authorize.
We produce the proof.
Every high-stakes agent action carries a cryptographic signature from the specific human authorizing it. The agent has its own identity for routine operations. For anything above threshold, a push lands on the human's enrolled device and a biometric press produces a proof bound to those exact parameters. Actions without a valid human proof do not execute.
How do you authorize AI agent actions?
An agent acts on its own identity for routine operations. For any high-stakes action, the human authorizes it. A request lands on their enrolled device and a biometric press produces an Authoritative-tier proof bound to those exact parameters. No proof, no action. The agent never inherits the human's signing power.
Session trust does not survive autonomy.
Within the next thirty-six months, a material share of economically significant actions will be executed by autonomous agents on behalf of humans. Agents will move money, schedule care, modify infrastructure, negotiate contracts, trigger physical systems, execute trades, file regulatory reports.
The question which human authorized this specific action, at this specific moment, with this specific intent becomes a legal, regulatory, and operational problem of the first order.
Today, agent platforms answer with session-level trust: the human authenticated once, the agent operates inside the session, every downstream action inherits the authorization. This is the same architectural error that produced session-based banking fraud for twenty years. Autonomy magnifies the blast radius.
Four primitives. Built into the SDK.
The primitives below are built into the Android and iOS SDKs and wired into the control plane. The in-person grant path is available now. The cross-device flows, push-to-phone and web-initiated and remote grants, ship behind a per-deployment flag and are off by default until enabled for a deployment.
Time-boxed scoped grants
A grant is the cryptographic shape of a human saying yes, once, to a specific scope, for a specific window. Issued at enrollment or in-session. Expires. Auditable. The agent acts inside the grant and nothing beyond.
Three grant types: in-person device-to-device is available now; web-initiated and remote-via-video ship behind a per-deployment flag. Each carries a scope, an approver identity, a device key hash, and an expiration.
Push-to-phone for high-risk actions
When an agent hits an action above the configured risk threshold, the control plane routes a signed request to the human's enrolled device. The human sees the exact parameters. A biometric press produces an Authoritative-tier proof. Nothing else satisfies the gate.
Native push infrastructure on both Android and iOS, enabled per deployment. Request body is bound to the action parameters. An unbound push cannot approve a different action.
Session handoff
A human starts an interaction in a browser, continues on an enrolled phone, finishes through an agent. The identity binding survives the handoff, but the agent never inherits the human's authorization power for out-of-scope actions.
Linked sessions carry a device-scoped token plus a per-action verification contract. The agent is in the session, not in control of it.
Own identity for the agent
The agent has a keypair, a device identity, a risk profile. It signs its own routine actions. For high-risk actions, it produces a scoped request and obtains a fresh cryptographic act from the human bound to that exact request.
Agents do not share keys with humans. The cryptographic separation is deliberate: every downstream system can tell, without ambiguity, whether the agent or the human produced a given proof.
Execution-time proof. Per action. Per human.
Agent classifies action risk
Below the configured threshold, the agent proceeds on its own authority inside a pre-approved scope. Routine reads, low-value calls, internal operations. No human interruption.
Threshold crossed
Outbound payment above a configured amount. Contract commitment above a defined value. Irreversible physical action. Anything touching regulated data or new counterparties.
Push to human's device
The control plane routes a signed request to the human's enrolled phone. The screen shows the action parameters exactly as the agent will execute them. Any change invalidates the payload hash.
Biometric produces the proof
A press of the biometric sensor unlocks the hardware key and produces an Authoritative-tier cryptographic proof bound to those exact parameters. No press, no proof. No proof, no action.
Agent submits and executes
The agent includes the proof in the downstream call. The verifier, inside your system, confirms the signature against the published public key. The action executes. A receipt lands in the hash-chained ledger.
OAuth delegates. Yuthent authorizes.
OAuth hands the agent a token tied to the user. Once delegated, the agent can do anything the scope permits, indefinitely, without fresh user consent per action. Correct for low-risk reads. Catastrophically wrong for high-risk actions.
Yuthent inverts the shape. The agent holds its own identity and acts on its own authority for routine actions. For high-risk actions, it produces a scoped request and obtains a fresh cryptographic act from the human, bound to that exact request, valid nowhere else.
This composes with OAuth rather than replacing it. The OAuth token identifies the session. The Yuthent proof authorizes the action. Both are checked. Neither is sufficient alone for anything that matters.
Four immediate surfaces.
Agentic finance
A managed-account agent authorized for routine rebalancing inside a grant. Fresh human proof required for transfers above a configured amount, new beneficiaries, venue changes, and any action that would trigger regulatory reporting.
Agentic healthcare
A clinical agent authorized for routine lab orders and template-compliant documentation. Fresh prescriber proof required for controlled substances, high-risk interventions, and record release outside the standing scope.
Agentic infrastructure
An operations agent authorized for routine deploys inside a grant. Fresh human proof required for production database operations, security policy changes, secrets access, and anything reachable from the blast-radius policy.
Agentic enterprise
A workflow agent authorized to draft under template. Fresh signatory proof required for deviations, threshold values, counterparties outside the approved list, and commitments that would bind the company legally.
Building agent infrastructure?
If you are building agent infrastructure, agent products, or agent-integrated enterprise systems, we want to meet. A pilot ships a working integration on one critical flow, with cryptographic evidence auditable on day one.