Add AI agents manually
If AI agent imports are supported for a provider app, import the AI agents instead of registering them manually. See AI agent imports.
When you register the AI agent, provide the following details:
- Owners: The admins who are responsible for the AI agent's governance and lifecycle management. Okta recommends that you assign at least two owners to an AI agent to ensure that it always has an owner.
- Credentials: Okta uses a public key to verify that the AI agent is authorized to access your resources and to validate the digital signatures of its requests.
- User sign-on: When an AI agent is linked to an app, it can only access resources or perform actions on behalf of a user who is currently signed in to that app.
- Delegations (Early Access): The users, apps, and other AI agents that can authorize the AI agent to act on their behalf. When you delegate an AI agent to an app, it can only act on a user's behalf if the user is signed in to the app. When you delegate an AI agent to a non-human identity (like an app or another AI agent), it can act on behalf of that identity without a user. See Agent-to-agent connections.
Note: When you delegate an AI agent to another AI agent, Okta automatically creates a resource connection between the two AI agents. For all other delegation types, you need to configure AI agent resource connections separately.
Before you begin
- You have the super admin role.
- If you want to link an AI agent to an OIDC app, integrate that app in your org. See Add existing app integrations.
- If you want to link an AI agent to a non-human identity, you've created a custom authorization server. See Create an authorization server. This is required to register the AI agent as a resource that other AI agents and services can call.
- You have a public JSON Web Key (JWK) for authentication with Okta. If you don't have one already, you can generate one when you register the AI agent.
Register an AI agent
- In the Admin Console, go to .
- Click .
- Enter a Name and Description.
- Optional. Select an app from the Application list and click Link.
- Click Register.
Assign owners
- Optional. On the Owners tab, assign one or more owners to the AI agent.
- Assign individual owners: Select up to five users.
- Assign a group owner: Select a group that has at least two members.
- If you didn't assign owners in the previous step, click Skip for now. Otherwise, click Save.
Add credentials
After you register the AI agent, you must add a public key. This key is required for the agent to authenticate with Okta.
- On the AI agents page, select an AI agent.
- Go to the Credentials tab.
- Click Add public key.
- Enter your public key, or click Generate new key. Okta creates a public key that's associated with a private key that you can view in JSON or PEM.
- Click Copy to clipboard and store the private key safely.
- Click Done. The public key appears on the Credentials tab with the INACTIVE status.
- Click the vertical ellipsis next to the public key and select Activate.
- To deactivate the public key, click the vertical ellipsis and select Deactivate. To remove it, click the vertical ellipsis again and select Delete.
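The credential model above splits one key pair in two: the public half is what you enter on the Credentials tab, the private half is what you copy to the clipboard and store with the agent. The following Go program is an added example, not Okta's code, showing that split end to end: it generates the pair, emits the public JWK (with a kid derived from the RFC 7638 thumbprint, an assumption about how the key is identified), and checks an RS256 signature using only the public JWK, which is the kind of check Okta performs on the agent's signed requests. The exact signed-request format Okta expects is not described on this page, so the example signs a constructed byte string rather than a real token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

type PublicJWK struct { // public half of the key, in the shape a JWK credential is entered
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func b64(b []byte) string    { return base64.RawURLEncoding.EncodeToString(b) }
func digest(m []byte) []byte { h := sha256.Sum256(m); return h[:] }
func NewAgentKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewPublicJWK builds the public JWK; kid is the RFC 7638 thumbprint (assumed here), so one key maps to one id.
func NewPublicJWK(pub *rsa.PublicKey) PublicJWK {
	n, e := b64(pub.N.Bytes()), b64(big.NewInt(int64(pub.E)).Bytes())
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, e, n))) // RFC 7638 canonical form
	return PublicJWK{Kty: "RSA", Kid: b64(sum[:]), N: n, E: e}
}

// Sign produces an RS256 (PKCS#1 v1.5 over SHA-256) signature with the private half, which never leaves the agent.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(msg))
}

// VerifyWithJWK checks an RS256 signature using only the public JWK, as the relying party does.
func VerifyWithJWK(jwk PublicJWK, msg, sig []byte) bool {
	nb, errN := base64.RawURLEncoding.DecodeString(jwk.N)
	eb, errE := base64.RawURLEncoding.DecodeString(jwk.E)
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	return errN == nil && errE == nil && jwk.Kty == "RSA" &&
		rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(msg), sig) == nil
}

func main() {
	priv, _ := NewAgentKey() // private half: store it with the agent only
	out, _ := json.MarshalIndent(NewPublicJWK(&priv.PublicKey), "", "  ")
	fmt.Println(string(out)) // public half: the JSON that goes into the Credentials tab
}
```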
Add delegations
Early Access release. See Enable self-service features.
- On the AI agent page, select the Delegations tab.
- To allow users who are signed in to an app to delegate their identity to the AI agent, click Add caller next to User sign-on.
- Select an app from the Application dropdown list. The Confirm authorization server section appears with the Okta Org Authorization Server selected by default.
- Optional. If you don't want to use the default authorization server, select a custom authorization server from the Authorization server list.
- Click Add caller.
- Repeat these steps for each user sign-on app that you want to add.
- To delegate the AI agent to a non-human identity, you need to configure a custom authorization server. This is a one-time task. If you've already completed it, skip to step d. Otherwise, click Configure in the Non-human identity section (Early Access).
- Select an Authorization server from the dropdown list.
- Enter the Audience/resource URL that's configured for the authorization server.
Note: The audience URL is the identifier that callers use to request tokens from the AI agent. You can't edit this value later.
- Click Save.
- Click Add caller.
- To delegate the AI agent to another AI agent, click AI agent and select an AI agent from the dropdown list.
- Select Allow all to grant all available OAuth scopes to the AI agent. Or, select Only allow or Disallow and select the scopes that you want to grant or deny the AI agent.
- Click Add caller.
- The Delegation added dialog displays the delegation and resource connection details. Click Add another AI agent or Done. The AI agent that you just configured appears on the Resource connections tab for AI agent delegation.
- To delegate the AI agent to an app or service, click Application or service.
- Select an app or service from the dropdown list.
- Click Add caller.
- Repeat these steps for each app or service that you want to add.
Activate an AI agent
You can only activate AI agents that have assigned owners.
- On the AI agent page, select .
- Click Confirm.
- To deactivate the agent, select
Next step