A Stytch in time: Connected Apps untangles authorization tie-ups for AI agents

AI agents are set to change ID authorization: As they integrate behind the scenes, they will need to move seamlessly between different apps on our behalf, and not get continually halted by login screens, lest they become cumbersome. 

“Every app, or almost every app, will need to function as its own identity provider in the future,” Reed McGinley-Stempel, CEO of authorization platform Stytch, told VentureBeat. 

This requires a different approach to permissioning, one that supports sophisticated AI workflows while also protecting sensitive proprietary and personal data. Stytch’s new Connected Apps is aimed at this: The platform allows any SaaS company to become its own identity provider (IdP), ultimately enabling AI agents and third-party apps to securely authenticate, access data and take action on behalf of users.

“AI agents are obviously having a moment,” said McGinley-Stempel. “You can delegate a task to an agent, and it can allow those other apps that are connected to this core customer or this primary identity provider to have read and write functionality.” 

Supporting whole-app ecosystems

Since its founding four and a half years ago, Stytch’s main role has been to effectively power “identity handshakes”: The platform enables the “client” side of the handshake with an external identity provider (such as Google or Microsoft) to verify user identity, share information like emails and names and allow for a simple login. 

Now with Connected Apps, Stytch customers can make the data within their apps accessible to other apps (both from a read and a write perspective). Third-party apps and agents can verify user identity, receive information and act on behalf of users in a permissioned way (AI agents), and login states can be shared between apps and systems. 

As McGinley-Stempel put it: “You can support an app ecosystem.” 

He pointed to the rise of “unsanctioned agentic access” — for instance, he personally has connected OpenAI Operator to his Twitter and LinkedIn profiles to occasionally do certain things on his behalf. 

“One of the problems with that is from a security and privacy and consent management level, it’s giving complete, broad-range access to these agents,” he conceded. 

With Connected Apps, the goal is to be more “programmatically secure” so that admins have a control pane and can properly manage permissions and refresh or revoke tokens as needed, he explained. 

“Because even though I want that productivity gain, I also need the ability to revoke access if I don’t think a certain app should be connected,” said McGinley-Stempel. “That’s really important to have these powerful permission and consent modules in the B2B case, which we provide out of the box as a UI.” 

The platform also supports secure session sharing. Cross-domain login capabilities, for instance, allow users to “carry their identity across different domains,” he explained — like when you’re logged into Gmail and navigate to YouTube, which already recognizes you without requiring your credentials. 

“You become an identity provider to allow for a secure session, swapping and sharing across these different sub-domains,” he said. This is particularly useful when enterprises are looking for effective integrations among multiple brands. 

Similarly, Stytch’s Connected Apps allows for cross-device sign-in capabilities — like when you’re logged into Netflix on your TV and are given a QR code to authenticate on your mobile. 

Further, McGinley-Stempel said the platform can support more sophisticated scenarios like app marketplaces and plug-in ecosystems (one-click installs and “sign in with your app flows”).

Providing human oversight (but avoiding push-notification fatigue)

Connected Apps is built on OAuth protocol OpenID Connect (OIDC) and incorporates consent and access management, human-in-the-loop authorization and standards-driven architecture to help protect sensitive B2B data. 

McGinley-Stempel emphasized the importance of human authorization in the agentic AI era. For instance, if a user grants an AI agent access to, say, draft emails around specific topics to specific users, they typically still want final approval. To that end, the platform supports APIs that provide in-app and in-email push notifications before AI takes action on anything. 

At the same time, though, more sophisticated and mature AI agents will eventually be completing multiple chains of events on a user’s behalf. This requires a more nuanced approach so that users don’t get frustrated by “push-notification overload,” McGinley-Stempel noted. Connected Apps allows for batch processing of what could become overly noisy authorization requests — users can review a full chain of thought and approve specific permissions. 

“It’s pretty annoying if it can’t batch those requests for you to review all at once; you’re just in a queue all day,” he pointed out. 

Ultimately, while AI agents are drawing both enthusiasm and skepticism, many enterprises understand they will be everywhere and that they must have an AI strategy in place. “Agents are kind of having that strategic moment,” said McGinley-Stempel. “Now I have to think about both the user experience and agent experience. How do I actually provide for that?”

How Crew Finance is using Stytch Connected Apps

One early adopter benefiting from Connected Apps is Crew Finance. According to Steve Domino, its head of engineering, the FinTech company set out to create the “last banking app a family would ever need,” one that bundles services and features like opening/closing accounts, paying bills, sending money and adding users (without the need for customers to visit physical branches). 

The app also has built-in kids’ banking experiences — accounts, debit cards, allowance payments, “savings pockets” and, soon, smart charge cards and an investment product to help kids start building credit early. 

“As a banking app, providing the ability to link Crew with other financial institutions and apps is critical,” Domino told VentureBeat. But integrating with linking sources like Plaid can be a “non-trivial task to accomplish in a secure and compliant way.” 

Stytch was already Crew’s auth-as-a-service provider; Domino explained that he approached them about a connected apps feature and the Stytch team fast-tracked a testing version for them. 

Crew has also built an AI agent (fittingly called “Penny”) on top of OpenAI’s ChatGPT API. She serves as a “friendly, helpful, personal financial assistant” that generally teaches about investing and debt; provides deep dives on user-specific spending and saving habits; and visualizes personal financial information with charts and graphs. 

In the future, Domino explained, the goal is to use Connected Apps to give Penny the power to act on users’ behalf outside the Crew ecosystem. “Ask her to pay bills for you, cancel subscriptions, sign you up for better insurance — we want every one of our customers to feel like they have a personal financial assistant at their disposal,” he explained. 

Domino emphasized that while AI will be a big part of Crew’s future, the company has to ensure it “don’t go too far too fast, beyond what people are comfortable with.” 

“Having a fully AI-automated bank might be a little intimidating for many people for a while,” he said. “I don’t know if we’ll ever go that far, but it’s certainly an option.” 

Daily insights on business use cases with VB Daily

If you want to impress your boss, VB Daily has you covered. We give you the inside scoop on what companies are doing with generative AI, from regulatory shifts to practical deployments, so you can share insights for maximum ROI.

Read our Privacy Policy

Thanks for subscribing. Check out more VB newsletters here.

An error occured.