Summary
Define how non-browser callers authenticate through Better Auth-backed infrastructure so agents and MCP clients have a stable credential model.
Why this work is needed
Browser sessions are not sufficient for agents or service-to-service callers. Before MCP auth can be migrated, the platform needs an explicit machine-auth model.
Scope
- Choose the credential shape for non-browser callers.
- Define token or credential claims, issuer, audience, and expiry rules.
- Define how Python services validate issued credentials.
- Document local development and test flows for machine callers.
Out of scope
- Browser UI.
- Full MCP enforcement changes.
- Organization-level IAM integrations.
Acceptance criteria
- A machine-auth model is documented and accepted.
- Validation expectations for Python services are explicit.
- Later MCP and agent work can implement against this contract.
Dependencies