All Products
Search
Document Center

Agent Identity:Scenarios

Last Updated:Jul 10, 2026

Agent Identity supports a range of integration scenarios. The following case studies show how to connect your applications and agents with Agent Identity.

Scenario one: Unattended corporate automation agent

  • Scenario: A DevOps agent monitors alerts for an online service. When an alert is triggered, it automatically pulls relevant logs from Alibaba Cloud Simple Log Service (SLS) and calls an internal troubleshooting API for analysis.

  • Implementation:

    1. You can create a unique workload identity for the DevOps agent.

    2. You can configure an API key credential provider for the internal troubleshooting API.

    3. You can configure a RAM policy for the workload identity to grant it permissions to access a specific SLS Logstore and call the internal API.

    4. The agent runs with its workload identity. It uses the Agent Identity software development kit (SDK) to securely obtain the internal API key and uses RAM role credentials to access SLS, completing the automated flow. All operations are performed under the agent's own identity, ensuring a clear audit trail.

Scenario two: Agent securely accesses third-party applications on behalf of a user

  • Scenario: An intelligent customer service or personal assistant agent needs to access a user's personal data on their behalf, such as reading DingTalk documents or sending Lark messages. This requires a delegated authorization (OAuth 2.0) flow, which is costly to develop and prone to errors.

  • Implementation:

    1. You can create a workload identity for the agent and configure an OAuth 2.0 credential provider that points to DingTalk or Lark.

    2. When a user asks the agent to manage their DingTalk documents, the agent calls GetWorkloadAccessTokenForJWT using the Agent Identity SDK. This obtains a workload access token that contains the user's identity. This process assumes the user logged in through standard OpenID Connect (OIDC).

    3. The agent runs with its workload identity and uses the Agent Identity SDK to securely execute the OAuth 2.0 authorization code flow. This process obtains an access token for user data and securely returns it to the agent. The agent then uses the access token to access the user's personal data. All operations are performed by the agent on behalf of the user, enabling end-to-end auditing.

  • Core value: Agent Identity greatly simplifies delegated authorization. Developers do not need to manage low-level OAuth 2.0 details. The agent can securely access user data in third-party applications without handling sensitive information such as a Client Secret or Refresh Token.

Scenario three: Agent securely accesses internal corporate services on behalf of a user

  • Scenario: A company has multiple internal business systems, such as an HR system, an OA system, and a knowledge base. The APIs for these systems are exposed through a unified API Gateway. An internal corporate assistant agent needs to act on behalf of an employee to query their attendance records, submit expense reports, or retrieve content from the corporate knowledge base.

  • Implementation:

    1. You can publish the APIs of the internal corporate services to API Gateway and configure API Gateway as a credential provider for Agent Identity.

    2. You can create a workload identity for the corporate assistant agent and configure a credential provider that points to API Gateway.

    3. When an employee asks the agent to query their attendance records, the agent calls GetWorkloadAccessTokenForJWT using the Agent Identity SDK. This obtains a workload access token that contains the employee's identity. This assumes the employee logged in through the corporate single sign-on (SSO) system.

    4. The agent uses the workload access token to call the internal corporate service API on API Gateway. After API Gateway authenticates the token, it forwards the request to the backend service. The backend service then uses the employee identity in the token to return data that the employee is permitted to access.

  • Core value: API Gateway combined with Agent Identity provides unified authentication and fine-grained access control for internal services. The agent does not need to hold credentials for each system. It securely accesses data on an employee's behalf, limited to what the employee has permission to access, with a complete audit trail.