Identity that moves with the agent runtime, not the human operator. A technical deep-dive into short-lived bridge certificates, mTLS enforcement, and stateful revocation.
There are two entry points for an agent session. Both converge on a single proof-of-possession credential that allows access to the MCP edge.
graph LR
subgraph P1 [Path 1: Human-Assisted]
A[OIDC Login] --> B[Authorize Issuance]
end
subgraph P2 [Path 2: Direct Machine]
C[Existing Cert] --> D[Rotation Event]
end
B --> E[Bridge Authority]
D --> E
E --> F[mTLS Edge Gate]
G[Local Keypair] --> F
F --> H[Protected MCP Origin]
style A fill:#1c1810,stroke:#f0d040,color:#e8dcc8
style B fill:#1c1810,stroke:#f0d040,color:#e8dcc8
style C fill:#1c1810,stroke:#00d4e8,color:#e8dcc8
style D fill:#1c1810,stroke:#00d4e8,color:#e8dcc8
style E fill:#1c1810,stroke:#e8dcc8,color:#e8dcc8
style F fill:#1c1810,stroke:#f0d040,color:#e8dcc8,stroke-width:2px
style G fill:#1c1810,stroke:#00d4e8,color:#e8dcc8
style H fill:#242018,stroke:#48c868,color:#e8dcc8
The human OIDC session is only a control plane for issuance. It never becomes the runtime credential. If the browser session is stolen, the attacker can't use existing machine certs because they lack the local private key.
The agent generates a unique Ed25519 keypair at runtime. The private key remains in the agent's memory or secure enclave. Only the public key is signed by the Bridge Authority.
The Bridge Cert is a tactical handoff. It encodes exactly enough identity to authorize a machine without granting broad impersonation rights.
Binds the machine key to the specific Human Sponsor identity.
Bound to a verified identity. Task scope is enforced by the orchestrator, not embedded in the cert.
Ed25519 by default. Post-quantum (ML-DSA) ready.
Hours, not days. Short windows reduce the audit-gap risk.
Revocation is not a batch job — it is a real-time state machine. Cloudflare Durable Objects track and kill credentials in seconds at the edge.
sequenceDiagram
participant Agent
participant Edge as mTLS Edge
participant DO as CertAgent (Durable Object)
participant D1 as Analytics (SQLite)
Agent->>Edge: TLS Handshake (Client Cert)
Edge->>DO: Check Serial Status
Note over DO: SQLite-backed state lookup
alt is Revoked or Expired
DO-->>Edge: 403 Forbidden
Edge-->>Agent: Connection Terminated
else is Valid
DO-->>Edge: 200 OK (Principal Identity)
Edge->>D1: Log Access Event
Edge->>Agent: Route to Origin
end
Every bridge cert is registered in a Durable Object. This provides a strongly consistent state machine for issuance, expiration, and manual revocation.
Cloudflare Alarm APIs pre-schedule the exact moment of expiry. Trust is withdrawn proactively at the edge, rather than waiting for CRL propagation.
The edge differentiates between Public (Landing/Explainer) and Protected (MCP/API) routes. Public routes are open; Protected routes require valid mTLS handshakes.
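The gate decision described above (authority signature, per-serial state lookup, proof of possession of the runtime key), as an added JavaScript example that is not the project's own code. It assumes signed JSON claims in place of the X.509 bridge cert, an in-memory map in place of the Durable Object, and a signed challenge in place of the mTLS handshake; every function name, the sponsor address and the timestamps are constructed.

```javascript
const crypto = require('node:crypto');
// Assumption: JSON claims signed by the authority stand in for an X.509 bridge cert.
function issueBridgeCert(authorityKey, agentPub, sponsor, notAfter) {
  const serial = crypto.randomBytes(8).toString('hex');
  const publicKey = agentPub.export({ type: 'spki', format: 'pem' });
  const body = JSON.stringify({ serial, sponsor, publicKey, notAfter });
  return { serial, body, signature: crypto.sign(null, Buffer.from(body), authorityKey) };
}

// Assumption: an in-memory map models the per-serial state kept in a Durable Object.
class SerialRegistry {
  constructor() { this.entries = new Map(); }
  register(serial, notAfter) { this.entries.set(serial, { revoked: false, notAfter }); }
  revoke(serial) { const e = this.entries.get(serial); if (e) e.revoked = true; }
  status(serial, now) {
    const e = this.entries.get(serial);
    if (!e) return 'unknown'; // never registered: fail closed
    if (e.revoked) return 'revoked';
    return now >= e.notAfter ? 'expired' : 'valid';
  }
}

// Gate decision: authority signature, then serial state, then proof of possession.
function edgeGate(authorityPub, registry, cert, challenge, proof, now) {
  if (!crypto.verify(null, Buffer.from(cert.body), authorityPub, cert.signature))
    return { status: 403, reason: 'bad-authority-signature' };
  const claims = JSON.parse(cert.body); // parsed only after the signature checks out
  const state = registry.status(claims.serial, now);
  if (state !== 'valid') return { status: 403, reason: state };
  const agentPub = crypto.createPublicKey(claims.publicKey);
  if (!crypto.verify(null, challenge, agentPub, proof))
    return { status: 403, reason: 'no-proof-of-possession' };
  return { status: 200, principal: claims.sponsor };
}

// Constructed run: the real agent, a holder of the cert alone, expiry, revocation.
function demo(now = 1000, notAfter = now + 3600) {
  const [authority, agent, other] = [0, 1, 2].map(() => crypto.generateKeyPairSync('ed25519'));
  const registry = new SerialRegistry();
  const cert = issueBridgeCert(authority.privateKey, agent.publicKey, 'sponsor@example.test', notAfter);
  registry.register(cert.serial, notAfter);
  const challenge = crypto.randomBytes(32); // stands in for the TLS handshake transcript
  const attempt = (key, t) => edgeGate(authority.publicKey, registry, cert, challenge,
    crypto.sign(null, challenge, key), t);
  const before = { ok: attempt(agent.privateKey, now), certOnly: attempt(other.privateKey, now),
    expired: attempt(agent.privateKey, notAfter) };
  registry.revoke(cert.serial);
  return { ...before, revoked: attempt(agent.privateKey, now) };
}
```

The gate reads the serial from the signed claims rather than from the unsigned convenience field on the returned object, so a presented cert cannot point the lookup at a different registry entry.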
Agents don't just run on laptops—they run in CI/CD pipelines. We support OIDC token exchange to give headless runners their own sovereign identity without long-lived secrets.
graph TD
subgraph GHA [GitHub Actions Runner]
ID[OIDC ID Token] --> EX[Signet Exchange]
EX --> BC[Bridge Certificate]
BC --> SG[Commit Re-signing]
end
EX -- Prove Identity --> BA[Bridge Authority]
BC -- proof of possession --> MT[mTLS Edge]
SG --> AR[Signed Artifacts / APAS]
style ID fill:#1c1810,stroke:#00d4e8,color:#e8dcc8
style EX fill:#1c1810,stroke:#f0d040,color:#e8dcc8
style BC fill:#1c1810,stroke:#00d4e8,color:#e8dcc8
style SG fill:#1c1810,stroke:#48c868,color:#e8dcc8
style BA fill:#242018,stroke:#3a3428,color:#e8dcc8
style MT fill:#1c1810,stroke:#f0d040,color:#e8dcc8
style AR fill:#242018,stroke:#00d4e8,color:#e8dcc8
Instead of a human login, the runner uses its GitHub OIDC ID Token to prove its repository, workflow, and actor context to the Bridge Authority. This eliminates the need for long-lived PATs or shared SSH keys.
Standard GitHub squash-merges are signed by GitHub's web-flow key. Our headless agents re-sign these commits with their own Bridge Cert, ensuring that the final history on main carries authentic agent provenance.
One identity model spans transport authentication, workload signing, and future artifact provenance.
Master Key: Ed25519 authority signs bridge certs at the edge.
Bridge Cert: The primary machine credential for mTLS and API auth.
Work Cert: Ephemeral, agent-scoped certs with per-repo scope claims (signet-git, 5-min TTL, CMS/PKCS#7).
Artifacts: Commits signed with bridge certs. Chain hashing is shipped; DSSE envelope signing is in progress.
Stolen PAT: Attacker inherits your full identity across all repos. Revocation is blunt (kill the token).
Detection: Hard to distinguish agent work from your own interactive sessions.
Stolen Cert: Inert without private key. Revocation is surgical (kill the specific machine cert).
Detection: Every commit signed by a distinct bridge cert. Chain hashing for provenance trails shipped; DSSE envelope signing in progress.