Current e-commerce websites have no standard way to delegate transactional authority to AI agents with fine-grained control. Kim & Kim extend an open-source authorization toolkit with cryptographic delegation tokens and a three-tier trust system — and open-source the whole implementation.
Session key validity periods from Auth's communication policy table, Kim & Kim (2026). High-trust agents (e.g., a business agent) receive 24-hour keys; low-trust agents get 5-minute windows.
From the authors' prior case study [9]: most existing e-commerce platforms do not support the operational needs of agentic AI.
Imagine you want your AI agent to make a purchase for you. You hand it your account credentials and walk away. The agent now has access to everything — your payment methods, your order history, your personal data — without any mechanism for you to say "only let it buy running shoes under $150, and only for the next two hours." This is the state of most e-commerce platforms today. They were designed for humans, and granting access to an AI agent means granting your full account permissions, indefinitely.
OAuth, the dominant authorization standard, grants broad permissions tied to operators rather than to specific tasks. An OAuth token that allows "shopping" typically allows everything shopping-related: browsing, purchasing, cancelling orders, changing delivery addresses. For human users this is fine. For AI agents executing tasks on your behalf, it creates serious risks: unauthorized purchases, identity exposure, and no way to scope what the agent can actually do. Kim & Kim's prior case study confirmed that most existing e-commerce platforms lack standardized models for delegating transactional authority to agentic AI: they are missing support for user-defined spending constraints, automated purchase flows, and agent-aware authentication.
The solution has two parts: an extended authorization service and a purpose-built website design. For the authorization layer, the authors extend Auth, a component of the open-source Secure Swarm Toolkit (SST), which acts as a cryptographic key distribution center. They introduce a new database table — the communication policy table — that specifies which entity groups can delegate to which agent trust levels, with what session key validity periods and which cryptographic specifications (AES-128-CBC with SHA-256).
The three-tier trust system works as follows. A user configures her AI agents in advance: a high-trust business agent gets a session key valid for 24 hours absolute and 2 hours per session; a medium-trust personal agent gets 12 hours and 1 hour; a low-trust casual agent gets 6 hours and 5 minutes. When the agent needs to act, the user requests a session key ID from Auth and passes it to the agent. The agent uses that ID — not the key itself — to authenticate with Auth and receive the actual key. Crucially, each key is issued exactly once to one authorized agent; duplicate issuance attempts are rejected. This prevents a compromised session key from being redistributed.
The website side uses React and Flask, with two distinct dashboards: a human user dashboard for configuring agent access scopes, and an AI agent dashboard for executing delegated tasks. The agent logs in using only the session key ID (not the user's password), and the website enforces the fine-grained constraints the user configured — spending limits, allowed product categories, time windows — in the backend before processing any action.
User delegates access to agent. Auth creates session key and returns Session Key ID to user.
Agent receives Session Key ID from user and requests the actual session key from Auth. Auth verifies agent belongs to expected trust group.
Auth issues key to agent (one time only). Agent presents Session Key ID to website and requests access.
Website verifies with Auth. Auth returns session key. Website grants agent access within delegated scope.
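The flow above, modelled in memory as an added example (not the authors' or SST's code): it shows the ID-for-key exchange, the trust-group check, one-time issuance and the two validity periods. The class and method names are hypothetical, and starting the per-session period when the agent redeems the key is an assumption.

```python
import secrets

HOUR = 3600
# Validity periods from the article: tier -> (absolute seconds, per-session seconds).
POLICY = {
    "high": (24 * HOUR, 2 * HOUR),
    "medium": (12 * HOUR, 1 * HOUR),
    "low": (6 * HOUR, 5 * 60),
}

class AuthError(Exception):
    pass

class ToyAuth:
    """In-memory stand-in for the key distribution center (hypothetical API)."""

    def __init__(self, agent_tiers):
        self.agent_tiers = agent_tiers  # agent name -> trust tier it is registered under
        self.keys = {}                  # session key ID -> record

    def delegate(self, tier, now):
        """User side: create a key for one trust tier and hand back only its ID."""
        key_id = secrets.token_hex(8)
        self.keys[key_id] = {"tier": tier, "key": secrets.token_bytes(16),  # AES-128 size
                             "created": now, "issued_to": None, "issued_at": None}
        return key_id

    def redeem(self, key_id, agent, now):
        """Agent side: exchange the ID for the key, once, if the tier matches."""
        rec = self.keys.get(key_id)
        if rec is None:
            raise AuthError("unknown session key ID")
        if self.agent_tiers.get(agent) != rec["tier"]:
            raise AuthError("agent is not in the expected trust group")
        if rec["issued_to"] is not None:
            raise AuthError("session key already issued")
        if now > rec["created"] + POLICY[rec["tier"]][0]:
            raise AuthError("absolute validity expired")
        rec["issued_to"], rec["issued_at"] = agent, now
        return rec["key"]

    def verify(self, key_id, now):
        """Website side: return the key if the ID is redeemed and unexpired, else None."""
        rec = self.keys.get(key_id)
        if rec is None or rec["issued_to"] is None:
            return None
        absolute, relative = POLICY[rec["tier"]]
        live = now <= rec["created"] + absolute and now <= rec["issued_at"] + relative
        return rec["key"] if live else None
```

Timestamps are passed in as plain seconds so the expiry behaviour can be exercised without waiting on a clock.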
High trust: designed for a business agent trusted with extended autonomous operation. Suitable for end-to-end purchase workflows with pre-approved spending limits.
Medium trust: a personal agent for routine tasks. Shorter per-session window limits exposure if the session is hijacked or the agent acts unexpectedly.
Low trust: for casual, tightly scoped tasks. Five-minute relative validity means the agent must complete its task quickly; ideal for one-shot actions like price checking.
Kim, S., & Kim, H. (2026). Access controlled website interaction for agentic AI with delegated critical tasks. In Companion Proceedings of the ACM Web Conference 2026 (WWW '26), April 13–17, 2026, Dubai, UAE. ACM. https://arxiv.org/abs/2603.18197 | DOI: 10.1145/3774904.3792864