Use Case

As autonomous agents gain capabilities, they increasingly need to communicate securely with other agents—whether to delegate tasks, call APIs, or share user-specific information. This challenge focuses on designing and implementing the trust and authorization layer that enables these agent-to-agent interactions.

In your system:

Agent A performs a user-facing task (e.g., collecting input, initiating a workflow)
Agent B provides a tool or service (e.g., verification, scheduling, messaging)
Agent A calls Agent B’s API using a secure, scoped access token issued by Descope

Descope acts as your OAuth provider, issuing access tokens via Inbound Apps to protect each agent's API. These tokens must include:

Agent identity (e.g., via sub, azp, or iss claims)
Scopes that define what actions Agent B is authorized to perform
Delegated user consent if Agent A is acting on behalf of a user

Focus Areas

Use the following scenarios for inspiration, or create your own secure multi-agent system. Each should demonstrate agent-to-agent communication, Descope-based authentication, scope enforcement, and—if applicable—user-level consent.

1. Document Verification Flow

A two-agent workflow for validating official documents provided by a user.

Agent A gathers documents from the user (e.g., PDFs, IDs).
Agent B verifies authenticity or checks for required clauses/signatures.
Security Notes:

Agent B accepts only scoped tokens (e.g., document.verify).
Returns a signed result for auditability.

2. Scheduling and Notification Flow

A planning system where one agent creates calendar events and another sends time-based reminders.

Planner Agent creates calendar events from extracted tasks.
Notifier Agent sends reminders via Slack, SMS, or email.
Security Notes:

Agents have separate, scoped tokens (calendar.write, messaging.send).
Optional: Include expiration or time-bound scopes.

3. Email Summarization + Calendar Action

An agent summarizes email threads and another takes calendar-based follow-up actions.

Agent A summarizes recent emails and extracts action items.
Agent B creates corresponding events on the user’s calendar.
Security Notes:

Agent B must receive a delegated token from Agent A.
Requires user consent to modify calendar data.

4. Contract Approval Workflow

A multi-agent flow for reviewing and approving legal documents step by step.

Agent A uploads a contract from the user.
Agent B parses and verifies key clauses.
Agent C provides final approval (e.g., “sign” or “reject”).
Security Notes:

Tokens for B and C must enforce least privilege (contract.read:clauses, contract.sign).
All steps should be tied to the user session or delegated authority chain.

5. Fitness Insights + Personalized Messaging

An agent system that provides health tips based on user fitness data and sends them via messaging platforms.

Agent A retrieves daily fitness data from wearable APIs.
Agent B sends custom health tips or motivational messages.
Security Notes:

Tokens scoped to specific actions (fitness.read, message.send).
Consent must be obtained to send outbound communication.

These examples can be implemented using any tech stack—but must demonstrate secure communication via Descope-issued tokens, enforced scopes, and proper delegation of access rights.

Tech Stack

You may choose your preferred languages and runtimes. Here are some suggested technologies:

Authentication and Authorization: Descope Inbound Apps
Agent Frameworks: Azure AI Foundry, LangGraph, Vertex AI Agent Builder, etc.

Guidelines

Make sure your project meets these minimum expectations:

Include at least two agents with clearly defined roles, interacting over secure APIs
Use Descope for all token generation, validation, and delegation
Enforce scope restrictions on all protected endpoints
Demonstrate delegation, especially if an agent is acting on behalf of another entity
Implement Descope Flows if user-facing consent is required

Global MCP Hackathon

Theme 3

Global MCP Hackathon

Theme 3

Social Share