The Stolen Session
An attacker captures the agent's bearer token — and inherits its authority
Technique first revealed Oct 2012
Tool-Using Agent
Diagram legend: Instructions, Data, Actions, Control / decision, Feedback / logs
Setup: Step 1 / 7
The agent is handed a key
A user asks the assistant to triage their inbox and file a few records. To do that, the assistant is given a temporary key that proves it's allowed to act for the company — read mail, query the database, call the ticketing API.
Issued credential (illustrative), config:
    token_type: Bearer
    sub: svc-agent-prod        # the AGENT's identity, not the user's
    scope: mail.read db.query tickets.write storage.read
    aud: [mail-api, db-api, tickets-api, storage-api]   # broad audience
    exp: 2026-06-13T18:00Z     # ~8h: lives for the whole session
    act: (none)                # NOT acting on-behalf-of the user
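A defender-side check of the credential above, as an added example that is not part of the original scenario: it flags the three properties the annotations call out (long lifetime, broad audience, no on-behalf-of actor). The policy limits, the issue time, and the `HARDENED` claim set with its `user-1234` subject are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy limits for this example; the scenario states none.
MAX_TTL = timedelta(minutes=15)
MAX_AUDIENCES = 1

def audit_claims(claims, issued_at):
    """Return (code, detail) findings for a decoded bearer-token claim set."""
    findings = []
    exp = datetime.fromisoformat(claims["exp"].replace("Z", "+00:00"))
    ttl = exp - issued_at
    if ttl > MAX_TTL:
        findings.append(("long-lived", f"valid for {ttl}, limit {MAX_TTL}"))
    aud = claims.get("aud") or []
    aud = [aud] if isinstance(aud, str) else list(aud)
    if len(aud) > MAX_AUDIENCES:
        findings.append(("broad-audience", f"accepted by {len(aud)} APIs: {aud}"))
    # Without an actor claim the token carries only the agent's own authority,
    # so an API cannot limit it to what the requesting user may do.
    if not claims.get("act"):
        findings.append(("no-delegation", f"sub={claims['sub']} acts for no user"))
    return findings

# Assumed issue time: the page gives exp and "~8h", so 10:00Z on the same day.
ISSUED = datetime.fromisoformat("2026-06-13T10:00+00:00")

# Claim set as shown in the scenario.
WEAK = {
    "sub": "svc-agent-prod",
    "scope": "mail.read db.query tickets.write storage.read",
    "aud": ["mail-api", "db-api", "tickets-api", "storage-api"],
    "exp": "2026-06-13T18:00Z",
    "act": None,
}

# Constructed counterpart (hypothetical values): one API, one scope, ten
# minutes, issued for a user with the agent recorded as the actor.
HARDENED = {
    "sub": "user-1234",
    "scope": "tickets.write",
    "aud": ["tickets-api"],
    "exp": "2026-06-13T10:10Z",
    "act": {"sub": "svc-agent-prod"},
}

if __name__ == "__main__":
    for name, claims in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_claims(claims, ISSUED) or "no findings")
```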