Your serverless agents need credentials that expire. Here's the architecture that makes it work. 
Banner
 

In collaboration with

Amazon Web Services Marketplace
 

You're shipping Node.js agents on AWS Lambda. They call third-party APIs, spawn sub-agents, and handle user data — inside a 15-second invocation window. Hard-coding API keys won't cut it: the service-account model breaks when your principal is autonomous. Credentials need task-scoped lifetimes, not developer-scoped ones.

This workshop covers the identity architecture for AI agents running in serverless environments:

  • AWS STS for time-bounded credential assumption — each Lambda invocation gets a short-lived role session scoped to that specific task and user delegation
  • AWS Secrets Manager for automated rotation — agents pull fresh credentials at invocation time, never from environment variables or committed config files
  • AWS CloudTrail for non-repudiable audit — trace each agent API call back to a specific session, task, and delegation chain
We'll walk through OAuth-based agent identity with Auth0, showing how machine-to-machine tokens and federation policies scope what a serverless agent can access across multi-tenant environments.

 
Register for the workshop ›

August 4, 2026  |  10 AM – 11 AM PT  |  60 min  |  Technical demos