Skip to content
TUESDAY, JULY 14, 2026
AI & Machine Learning

On Behalf of Token Exchange Powers Multi-Tenant Agents

By Alexander Cole3 min read

Multi-tenant AI agents finally get auditable, scalable token routing.

When you deploy generative AI agents into multi-tenant production architectures, you run into a tough identity problem: when an agent calls a downstream API on behalf of a user, whose identity travels with the call? Running the call as the agent’s service identity collapses the audit trail because every downstream system would have to trust the agent unconditionally. Forwarding the user’s token unchanged turns every downstream tool into a confused deputy. Neither option scales when one agent fronts many tenants and the user is not present at the moment of the tool call. The OAuth 2.0 Token Exchange specification (RFC 8693) addresses this exact problem, and Amazon Bedrock AgentCore Identity supports it natively as a credential-provider grant type. Building multi-tenant agents with Amazon Bedrock AgentCore and Apply fine grained access control with Bedrock AgentCore Gateway interceptors establish the conceptual foundation for on behalf of token exchange in agentic systems. This post is the implementation guide. It walks through a complete multi-tenant OBO setup against Okta, shows the JSON Web Token claim transformations on each hop, and demonstrates how audience binding produces defense in depth that scales across tenants. The reference implementation, TravelBot, is a multi-tenant booking assistant that serves two example tenants (Acme and Globex). The reference implementation for this post will be available in the aws-samples/sample-obo-flow-poc repository after publication. The OBO pattern is essential whenever an agent fronts multiple downstream services or tenants and the inbound token’s audience differs from any single downstream API. For a single-tenant agent where the inbound audience already matches the downstream service, direct token forwarding can be sufficient.

The post shows a concrete pathway from user in a tenant to downstream services, with Bedrock AgentCore Identity acting as the token exchange broker and Bedrock AgentCore Gateway interceptors enforcing fine grained access control. In practice, that combination lets an agent carry a token that is valid for the user’s tenant, then be exchanged for downstream service tokens that reflect the actual target, all while preserving auditable boundaries. The example uses Okta as the identity provider for illustrating a real world, multi-tenant flow, and it highlights how audience binding is used to prevent token leakage across tenants. The TravelBot reference demonstrates not just a toy flow but a scalable pattern you can adapt to booking, support, or any agent fronting multiple downstream APIs.

From a practitioner standpoint, there are several concrete takeaways. First, the OBO pattern is essential when the inbound token’s audience differs from any downstream API; otherwise you either forward the user token or run calls under the agent’s service identity, both of which erode auditability and tenant isolation. Second, deploying fine grained access control through Bedrock Gateway interceptors is a practical lever to enforce tenant boundaries without siloing code inside every downstream client. Third, audience binding across hops provides defense in depth by tying tokens to the exact downstream path, reducing the risk of token replay or misrouting in a multi tenant world. Fourth, the approach trades initial setup complexity for scalable governance; the TravelBot example with Acme and Globex shows how a two-tenant deployment can be patterned, but broader adoption will hinge on concrete tooling and reference flows becoming readily reusable in real apps. Finally, the reference repository announced by the post will be a useful anchor for teams building similar flows, helping engineers avoid ad hoc token plumbing and focus on policy and observability.

The paper shows that a carefully engineered OBO flow can preserve precise tenant scoping while enabling scalable agent infrastructure. The team reports that audience aware claims and per hop transformations map cleanly to downstream APIs, providing an auditable trail across a multi-tenant system, with Okta as a concrete example and a path toward broader identity ecosystems.

Sources
  1. Implement on-behalf-of token exchange for multi-tenant agents with Amazon Bedrock AgentCore Gateway
    AWS Machine Learning / Primary / Published JUL 13, 2026 / Accessed JUL 14, 2026

Newsletter

The Robotics Briefing

A daily front-page digest delivered around noon Central Time, with the strongest headlines linked straight into the full stories.

No spam. Unsubscribe anytime. Read our privacy policy for details.