Identity & Access

How do I connect an autonomous agent?

An autonomous agent connects to the same MCP endpoint as a human-driven client; it just presents its own token instead of going through the interactive OAuth flow. There is no consent screen and no sign-in.

Steps

1. Provision the agent. In the dashboard, open Account, then Agents, and create an agent (owner or admin only). You give it a name and pick the one organization it acts in.
2. Copy its token. oakallow returns an oak_agent_ token once, on creation, and stores only a SHA-256 hash. Put it straight into your agent's secret store; if you lose it, rotate the agent for a new one.
3. Point the agent at the endpoint. Your agent authenticates to api.oakallow.io/mcp with the header Authorization: Bearer oak_agent_... The /mcp handler checks for an oak_agent_ bearer before the OAuth provider, so the two credential types share one endpoint.
4. Register and gate your tools as usual, then watch the first approval land under the agent's name.
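
The token handling described in steps 2 and 3, as an added sketch that is not oakallow's own code: the token is shown once, only its SHA-256 hash is kept, and the handler tries the oak_agent_ prefix before handing off to OAuth. The in-memory store, the function names, and the choice to reject an unknown oak_agent_ token outright are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

AGENT_PREFIX = "oak_agent_"   # prefix named on the page
agent_hashes = {}             # agent_id -> SHA-256 hex digest (hypothetical in-memory store)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def provision_agent(agent_id: str) -> str:
    """Create or rotate an agent: return the plaintext token once, keep only its hash."""
    token = AGENT_PREFIX + secrets.token_urlsafe(32)
    agent_hashes[agent_id] = _digest(token)   # overwriting invalidates the previous token
    return token


def authenticate(authorization_header: str):
    """Return ("agent", agent_id), ("oauth", None) or ("reject", None)."""
    scheme, _, credential = authorization_header.partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential:
        return ("reject", None)
    if not credential.startswith(AGENT_PREFIX):
        return ("oauth", None)   # not an agent token: hand off to the OAuth provider
    presented = _digest(credential)
    match = None
    for agent_id, stored in agent_hashes.items():
        # Constant-time comparison of digests; the plaintext is never stored or compared.
        if hmac.compare_digest(presented, stored):
            match = agent_id
    # Assumption: an oak_agent_ token that matches nothing is rejected, not retried as OAuth.
    return ("agent", match) if match else ("reject", None)


if __name__ == "__main__":
    first = provision_agent("build-bot")        # constructed agent name
    print(authenticate("Bearer " + first))      # agent path
    provision_agent("build-bot")                # rotation after a lost token
    print(authenticate("Bearer " + first))      # old token no longer accepted
```

Because only the digest is stored, a lost token cannot be recovered from the store, which is why the page's remedy is rotation rather than retrieval.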

What the agent can and cannot do
  • On connect it has the same four read-only oakallow tools, scoped to its org: check_permission and list_my_tools (its org's approved tools only), list_pending_approvals (only its own requests), and check_approval_status.
  • It can submit and check permission requests but can never approve, and it cannot reach org settings, team, or billing.
  • It is rate-limited on its own identity, so one agent never crowds out another.

A person provisions the agent and a person still approves the actions that need a human. See oakallow.io/info/agents for the model.
