--- title: 'Stop Pretending Agents Are Humans' description: 'Instead of helping agents bypass CAPTCHA, we should make agent identities official. Human sub-identities for agents, with proper permissions and clear separation.' date: 2026-03-23 tags: - ai - agents - identity - opinion --- I saw [a tweet about solving CAPTCHA for agents](https://x.com/reformedot/status/2035417245548151252) and it triggered something. Not about CAPTCHA itself — CAPTCHA exists to protect from bots, and we still need that protection. The issue is that we now have agents that work on behalf of real humans, doing legitimate things. And instead of building proper infrastructure for this, we are trying to bypass the very protection that exists for good reason. ![Robot confused by a CAPTCHA puzzle](captcha-robot.png) What we actually want is the ability for agents to work on our behalf. But not by using our credentials. Not by pretending to be us. In an official way. And this is where it gets interesting. ## Human Sub-Identities for Agents Here is the idea. What if all services that provide user identity — Google Auth, GitHub Login, your random SaaS membership — would start providing agent sub-identities managed by human identity? To illustrate, let's imagine this for GitHub: 1. **Alice is setting up an Agent** that will do some release work on GitHub. 2. **Alice goes to GitHub** and creates a sub-identity: "Personal Releaser." She gives it specific permissions needed to do the job. Sub-identity gives credentials. 3. **Alice shares these credentials** with the Agent. 4. **Agent uses well-known agent authentication page** to login as Personal Releaser, and does its work. The important point: we make these sub-identities official. This is not a human identity anymore. This is an identity that works on behalf of the user. Everyone knows it. The system knows it. The audit log knows it. ![Human in the center with agents working around them](agents-with-human.png) ## Why This Changes Everything Having this basic concept opens the whole world of legitimate work by Agents. **Users can distinguish between human and agent work.** Your Git history shows which commits were made by you and which by your release agent. Not because of some convention in commit messages, but because these are actually different identities. **UIs can embrace this.** What if GitHub would visualize changes by agents differently? Agent PRs get a different badge. Agent commits shown in a different color. Super simple, but super useful for understanding what happened in a repo. **Human-agent approval flows.** Your agentic identity prepares things — creates a release branch, updates changelog, bumps versions. Your human identity reviews and approves. Two different identities, one human behind them, clear separation of automated work and human decisions. ![Agents busy doing work at their desks](agents-working.png) **Proper permission scoping.** Instead of giving an agent your full access token, you create a sub-identity with exactly the permissions it needs. Principle of least privilege, but actually practical. **Own payment methods and spending limits.** Sub-identity can have its own payment method with a hard cap. Your agent can buy cloud resources or pay for API calls, but never spend more than you allowed. No shared credit card with unlimited access. **Revocation becomes trivial.** Agent compromised? Revoke the sub-identity. Your human identity stays untouched. No password rotation, no token cleanup across dozen services. ## This Already Exists, Sort Of GitHub has deploy keys. GitHub has fine-grained personal access tokens. GitHub has GitHub Apps. AWS has IAM roles. These are all steps in the right direction. But none of them are "agent identities." They are technical workarounds. They don't carry the semantic meaning of "this is an agent working on behalf of Alice." They don't show up in UIs as agent work. They don't have a standard protocol that works across services. What I am talking about is making this a first-class concept. Not a workaround. Not a hack. An official part of how identity works on the internet. ## The Protocol Layer Here is the thing about agents — they do not need the login flow humans use. No browser redirects, no "click here to authorize," no consent screens. Agent is a program. It has credentials, it needs to prove it is legitimate, and it needs to get an access token. That is it. OAuth already has delegation concepts, but the whole flow is designed around a human sitting in front of a browser. What agents need is something way simpler. Imagine a well-known endpoint, something like `/.well-known/agent-auth`, where the agent shows up with its sub-identity credentials, does a token challenge, and gets back a scoped access token. No redirects. No browser. Just a clean machine-to-machine handshake that says "I am agent X, working on behalf of human Y, here is my proof." This could be an extension to OAuth — a new grant type like `agent_credential` that skips the authorization redirect entirely. Or it could be a separate spec altogether, specifically designed for agent authentication. Honestly, I think a separate spec makes more sense. OAuth is already super complex, and adding more grant types is not making it simpler. A dedicated agent auth protocol could be lean and focused. ![Agents approaching the well-known auth endpoint with their ID badges](agent-auth-flow.png) The flow would look something like this: 1. Agent sends credentials to `/.well-known/agent-auth` endpoint 2. Service validates the credentials and checks which human owns this sub-identity 3. Service returns a scoped token with agent-specific claims — who the agent is, who the human is, what permissions are granted 4. Agent uses this token for all subsequent requests Services could then: - Show agent activity differently in audit logs - Apply different rate limits (agents are faster, but also more predictable) - Skip CAPTCHA for authenticated agent identities — because they are not anonymous bots, they are tied to a real human - Let humans monitor and control what their agents are doing in real-time And CAPTCHA? CAPTCHA still works for what it was built for — protecting against anonymous bots. But authenticated agent sub-identities skip it, because they are not anonymous. They are tied to a real human who is responsible for what the agent does. ## Let's Do Official Agent Identities We keep building more capable agents. We keep giving them more access to services. But we are doing this through the back door — sharing credentials, bypassing protections, pretending agents are humans. This is not sustainable. The right answer is not better CAPTCHA solving. The right answer is making agent identities a legitimate, official part of how the internet works. Identity providers, this is your move. I really hope Google Auth, GitHub, PropelAuth, Auth0 will start working on this. Otherwise I will do it myself 😈