How is Arc different from OAuth?

OAuth grants delegated app access. Arc adds AI agent action permissions, approval flows, audit logs, and revocation for individual agent requests.

Why are API keys unsafe for AI agents?

API keys are often broad, persistent, and hard for users to understand or revoke at an action level. Arc gives agents specific, revocable permissions.

Comparison

OAuth grants access. Arc controls what an AI agent can do with it.

OAuth is useful for sign-in and delegated app access. AI agents also need action-level permission, approval, audit, and revocation.

Short answer

Arc does not replace OAuth everywhere. Arc adds the agent-specific layer that OAuth usually does not provide: allow, ask, or block for individual app actions.

Comparison

Question	OAuth	Arc
Who is it built for?	Users authorizing apps and services.	Users authorizing AI agents to request actions.
Permission shape	Broad scopes or app access.	Specific actions with allow, ask, or block.
Approval moment	Usually at connection time.	At connection time and before sensitive actions.
Audit detail	Depends on the app.	Agent request, action, decision, result, timestamp.
Revocation	Revoke app access.	Revoke agent grants and block future action requests.

Why API keys and broad scopes are risky

An agent with a broad credential can attempt actions beyond the user's intent. Even when the agent is helpful, the app should constrain the available actions and pause before side effects.

Example

A normal scope may say "email access." Arc lets the app say read_email is allowed, draft_reply is allowed, send_email asks the user, and delete_email is blocked.

See permission model Agentic SSO