The question that created StrongDM ID was deceptively simple: how does one agent know it's talking to another agent and not an impersonator?
Humans had solved this problem centuries ago with signatures, seals, notaries, passports, handshakes. The solutions were imperfect—signatures could be forged, seals could be copied, passports could be faked. But they established a baseline of trust that allowed commerce and communication to function. You could never be completely certain the person across the table was who they claimed to be. But you could be certain enough.
Agents needed the same thing. Certain enough.
Justin had been thinking about agent identity since before Jay and Navan joined the factory. The problem became acute when the factory started running multiple agents simultaneously—a Claude agent refactoring code, a Codex agent writing tests, a Gemini agent reviewing documentation. These agents needed to communicate. They needed to share context. They needed to coordinate. And for any of that to work, they needed to know who they were talking to.
StrongDM ID was the answer. An identity service purpose-built for agents. Not a hack on top of an identity system designed for humans. Not OAuth with an agent-shaped wrapper around it. A system that treated agents as first-class citizens of the identity landscape.
The architecture was clean. An agent registered with the identity service and received a verifiable credential. When it needed to communicate with another agent, it presented that credential. The receiving agent verified the credential against the identity service. If the verification succeeded, trust was established. If it failed, the communication was refused.
The verification used JWT signatures—RS256, ES256, or EdDSA. Standard algorithms. Standard libraries. Nothing proprietary, nothing exotic. The security came from the rigor of the process, not the novelty of the cryptography.
"It's a handshake," Navan said, when Justin walked the team through the design. "One agent extends its hand. The other agent checks the hand for a ring—the credential. If the ring is real, the handshake completes."
"It's more like a passport control," Jay suggested. "You present your passport. The officer checks it against a database. If it's valid, you pass through. If not, you don't."
"Both metaphors work," Justin said. "The point is that trust isn't assumed. Trust is verified. Every time. For every interaction."
They deployed StrongDM ID on a Thursday. The first agent-to-agent handshake happened eleven minutes later: the Claude agent, working on CXDB, requested context from the Codex agent, which was running test scenarios. The handshake took 14 milliseconds. The credential verified. The context transferred. Two agents, each confident in the other's identity, collaborating without human intervention.
Jay watched the handshake in the logs. Fourteen milliseconds. A lifetime in machine time. An instant in human time. And in that instant, something that had never happened before: two AI agents establishing mutual trust through cryptographic proof of identity.
The future had a handshake. It lasted fourteen milliseconds.
The distinction between "OAuth with an agent wrapper" and a purpose-built agent identity system is crucial. Agents aren't humans with keyboards. Their identity needs are fundamentally different. This story gets that.