Identity Posture
The agent-identity stack as I ship it today. Three layers, each with a primary-source citation and a one-line posture. JSON twin for machine-readers: /identity-posture.json.
Updated 2026-04-30 — Okta for AI Agents going GA today (Layer 1) is the change that finalized this three-layer pattern.
Layer 1 · Directory — Okta for AI Agents
Status: GA
Non-Human Identities (NHIs) for agents now sit in the same Universal Directory as human users. Lifecycle, audit, and revocation are first-class.
Posture: Opt-in module in the consulting starter from 2026-04-30. Existing engagements get a single-line patch that binds capability leases to Okta NHI tokens.
Primary source: Okta Showcase 2026 — Okta for AI Agents (GA 2026-04-30)
Layer 2 · Cryptographic identity — DID + Verifiable Credential
Status: live
Stable identity per W3C did-core (did:web, did:key, etc.). Verifiable Credentials assert principal, scope, and trust chain. Validated locally before any HTTP traffic.
Posture: /api/quote already accepts agent_identity.did + agent_identity.verifiable_credential (schema v0.1, 2026-04-29). The server currently logs the VC but does not yet verify it; cryptographic verification is on the v0.4 schema roadmap.
Primary source: W3C DID Core / VC Data Model
Layer 3 · Per-call authorization — capability-lease envelope
Status: live
Time-bounded, scope-bounded lease per call. The audit-emit channel is part of the envelope. Anthropic Project Deal, Cloudflare Mesh, and Cisco Agentic Workforce Identity all converge on this shape.
Posture: Every consulting engagement ships with a signed-capability-lease envelope, an audit-emit channel, and a public /api/quote endpoint. Lease shape is documented in /api/quote/schema.json (JSON Schema draft 2020-12).
Primary source: Anthropic Project Deal
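The checks a receiving endpoint would run on a capability-lease envelope before doing anything else, covering both Layer 2 (the principal is a DID and the lease is signed) and Layer 3 (time bound, scope bound, audit-emit channel present). This is an added illustration, not the site's own /api/quote code, and the lease field names, the did:key value, and the HMAC shared key are all assumptions; the real schema lives in /api/quote/schema.json and a DID-bound public key would replace the shared secret.

```python
"""Hypothetical capability-lease validator (added example, not the site's code).

Assumed lease fields: principal (a DID), scope (list of strings),
not_before / expires_at (Unix seconds), audit_channel (URL), nonce.
The HMAC shared key stands in for signature verification against the
principal's DID-bound public key.
"""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed shared secret; a DID-resolved verification key would replace it.
DEMO_KEY = b"demo-shared-secret-not-for-production"


def canonical(payload: dict) -> bytes:
    """Deterministic serialization so issuer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_lease(lease: dict, key: bytes = DEMO_KEY) -> dict:
    """Issuer side: wrap a lease in an envelope carrying its signature."""
    sig = hmac.new(key, canonical(lease), hashlib.sha256).hexdigest()
    return {"lease": lease, "signature": sig}


def validate_envelope(envelope: dict, required_scope: str, now: float,
                      key: bytes = DEMO_KEY) -> Tuple[bool, str]:
    """Verifier side: reject before any work is done on the caller's behalf.

    Signature is checked first so that no untrusted field influences later
    decisions; then the DID form, the time window, the scope, and the
    presence of an audit-emit channel.
    """
    lease = envelope.get("lease")
    if not isinstance(lease, dict):
        return False, "missing lease"
    expected = hmac.new(key, canonical(lease), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("signature", ""))):
        return False, "bad signature"
    principal = lease.get("principal", "")
    if not isinstance(principal, str) or not principal.startswith("did:"):
        return False, "principal is not a DID"
    nbf, exp = lease.get("not_before"), lease.get("expires_at")
    if not all(isinstance(t, (int, float)) for t in (nbf, exp)):
        return False, "missing time bounds"
    if now < nbf:
        return False, "lease not yet valid"
    if now >= exp:
        return False, "lease expired"
    if required_scope not in lease.get("scope", []):
        return False, "scope not granted"
    if not lease.get("audit_channel"):
        return False, "no audit-emit channel"
    return True, "ok"


def audit_record(envelope: dict, decision: Tuple[bool, str], now: float) -> dict:
    """What gets emitted on the lease's audit channel for every decision."""
    lease = envelope.get("lease") or {}
    return {
        "at": now,
        "principal": lease.get("principal"),
        "nonce": lease.get("nonce"),
        "allowed": decision[0],
        "reason": decision[1],
    }


if __name__ == "__main__":
    # Constructed sample lease for a single /api/quote read.
    NOW = 1_800_000_000
    lease = {
        "principal": "did:key:z6MkExampleConstructed",
        "scope": ["quote:read"],
        "not_before": NOW - 10,
        "expires_at": NOW + 300,
        "audit_channel": "https://audit.example/emit",
        "nonce": "c0nstructed-nonce",
    }
    env = sign_lease(lease)
    for scope, at in (("quote:read", NOW), ("quote:write", NOW), ("quote:read", NOW + 1000)):
        print(audit_record(env, validate_envelope(env, scope, at), at))
```

Checking the signature before reading any other field matters: a lease whose scope list was widened after signing must fail as "bad signature", not be evaluated on its tampered scope.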
Why publish this
Most personal sites name a tool. Few name the agent-identity layers. Naming all three — directory, cryptographic identity, per-call authorization — and citing primary sources is what lets a buyer-agent (or a security reviewer) trust the surface in a single read. The three-layer pattern is also what Cisco Agentic Workforce Identity (RSAC 2026), Cloudflare Mesh, and Okta-for-AI-Agents converged on independently. Treat any single-vendor “identity” pitch as covering only one layer.
See also /agentic-genai#agent-commerce, /api/quote/schema.json, and /agents-registry.json.