Agentgateway Opensources Token Exchange, JWT Assertion, and Microsoft Entra OBO Authentication
Key Takeaways
- ▸Enterprise agents can now securely call downstream APIs and MCP servers by exchanging identity for credentials rather than handling secrets directly
- ▸Support for three authentication standards (RFC 8693, RFC 7523, and Microsoft Entra OBO) covers both cloud-native and legacy enterprise environments
- ▸Credential injection is handled transparently by the infrastructure, preventing accidental exposure of secrets in model conversations or logs
Summary
Agentgateway has opensourced three new backend authentication capabilities under its oauthTokenExchange framework: RFC 8693 token exchange, RFC 7523 JWT assertion (jwt-bearer), and Microsoft Entra on-behalf-of (OBO) flows. These additions enable secure credential injection for agents calling downstream APIs and MCP servers without exposing sensitive secrets to AI models or across agent boundaries.
The implementation addresses a critical enterprise security pattern: instead of passing API credentials directly to agents, the gateway exchanges user or agent identity for the appropriate secrets, tokens, or API keys via standardized OAuth flows. This keeps sensitive credentials out of model conversations and log files while maintaining proper authorization boundaries.
The release includes support for RFC 8693 token exchange (the default), JWT bearer grants (RFC 7523) compatible with authorization servers like Keycloak, and Microsoft Entra's provider-specific OBO flow. Each flow supports optional advanced features like delegation tokens, resource indicators, and configurable credential sources. Runnable examples are provided for each authentication pattern.
Editorial Opinion
This is a pragmatic security infrastructure improvement that addresses real enterprise concerns about deploying AI agents safely. By standardizing credential exchange patterns and supporting both RFC standards and Microsoft's proprietary flows, Agentgateway reduces the attack surface for agent deployments. The emphasis on keeping secrets away from models and agent boundaries reflects the maturing security posture of enterprise AI—infrastructure-first thinking that treats agents as first-class citizens with proper identity and authorization, not just code that happens to use APIs.



