Agentgateway adds token exchange, JWT-assertion, and Entra OBO Agentgateway has open-sourced three new token exchange capabilities—RFC 8693 token exchange, RFC 7523 JWT assertion, and Microsoft Entra on-behalf-of—enabling AI agents to call downstream APIs as the user without custom code. The features are part of the upcoming agentgateway release under the backendAuth.oauthTokenExchange configuration block. Agentgateway adds token exchange, jwt-assertion, and Entra OBO Native backend auth for RFC 8693 token exchange, RFC 7523 JWT bearer jwt-assertion , and Microsoft Entra on-behalf-of — so agents can call downstream APIs as the user without hand-rolled ext proc or custom agent code Back to blog /blog/ Shielding AI agents from sensitive MCP / API credentials secrets, API keys, tokens, etc is the prevailing best practice pattern to keep sensitive secrets from leaking into AI model conversations or across AI agent boundaries. OpenClaw, for example, has direct file system access in its most general deployment and can read files/secrets/env variables, etc and could easily send these secrets in any requests. The right way in an enterprise environment: user identity + agent identity tied to an authorization grant, which determines what is allowed to be done. Any calls to MCP servers or APIs have their credentials injected transparently by the infrastructure. The cornerstone of this injection is exchanging an agent or user’s identity for the correct secrets/API keys/tokens. In the upcoming agentgateway release, we have opensourced two new exchange capabilities, including a bonus third exchange opportunity with Microsoft Entra — all under backendAuth.oauthTokenExchange : | Grant | Spec | Subject sent as | Typical IdP | |---|---|---|---| | Token exchange | | subject token RFC 7523 https://datatracker.ietf.org/doc/html/rfc7523 assertion assertion Entra is the important enterprise wrinkle: it does not speak RFC 8693 . Its OBO flow is jwt-bearer with requested token use=on behalf of . Same outcome user-scoped downstream token , different grant shape — so both grants live under one oauthTokenExchange block. RFC 8693 token exchange Default grant. The gateway POSTs the inbound bearer as subject token to your IdP’s token endpoint and attaches the returned access token upstream. backendAuth: oauthTokenExchange: host: idp.example.com:443 tokenEndpointPath: /oauth2/default/v1/token clientAuth: clientId: gateway-client clientSecret: $OAUTH CLIENT SECRET method: clientSecretBasic audiences: - upstream-api scopes: - read What the gateway sends conceptually : grant type=urn:ietf:params:oauth:grant-type:token-exchange subject token=