Agentic SSO

Agentic SSO means users can connect agents without giving them full access.

In Arc, agentic SSO is the consent pattern around agent access: identify the user, identify the agent client, issue a scoped grant, enforce action permissions, and let the user revoke access.

Definition

Agentic SSO is a sign-in and consent flow for AI agents. Instead of sharing a password, session cookie, or broad API key, the user authorizes a specific agent to request specific app actions.

What Arc adds

Agent identity: which client or agent is asking.
Action permissions: what the agent can do.
Approval policy: which actions pause and ask the user.
Audit log: what happened and why it was allowed or blocked.
Revocation: how the user turns access off.

Example

Action	Decision	User meaning
read_email	allow	The agent can summarize inbox context.
send_email	ask	The user approves before anything is sent.
delete_email	block	The agent cannot delete email.

How it differs from normal SSO

Normal SSO signs a human into an app. Agentic SSO grants a non-human client limited authority to perform actions for that human. That authority should be narrower, more inspectable, and easier to revoke.

Start building Arc vs OAuth