Why short-lived tokens?
With a long-lived API key, a compromised agent gives an attacker access until someone notices — hours or days. With JIT tokens, the window is at most 10 minutes. After that, the token expires and Anti AI can block re-authentication immediately.
The token lifecycle
Token lifetimes
| Situation | Lifetime |
|---|---|
| Standard | 10 minutes |
| High-risk scopes (*:write, *:delete, *:admin) | 15 minutes max |
| Custom per-agent TTL | 5 minutes to 24 hours |
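
The lifetime rules in the table, written out as an added example (this is not Anti AI's own code or API). It assumes that a custom per-agent TTL replaces the standard lifetime and that the high-risk cap is applied last, which the page does not state; the function names and scope names are constructed for illustration.

```python
from datetime import timedelta
from fnmatch import fnmatchcase

# Values taken from the lifetime table above.
STANDARD_TTL = timedelta(minutes=10)
HIGH_RISK_MAX_TTL = timedelta(minutes=15)
CUSTOM_MIN_TTL = timedelta(minutes=5)
CUSTOM_MAX_TTL = timedelta(hours=24)
HIGH_RISK_PATTERNS = ("*:write", "*:delete", "*:admin")


def is_high_risk(scope):
    """True if the scope matches one of the high-risk patterns."""
    return any(fnmatchcase(scope, pattern) for pattern in HIGH_RISK_PATTERNS)


def effective_ttl(scopes, custom_ttl=None):
    """Return the lifetime to stamp on a token carrying these scopes.

    Assumption (not stated on the page): a custom per-agent TTL replaces
    the standard one, and the high-risk cap is applied last so it always wins.
    """
    if not scopes:
        raise ValueError("a token must carry at least one scope")
    ttl = STANDARD_TTL
    if custom_ttl is not None:
        # Reject out-of-range values instead of silently clamping them.
        if not CUSTOM_MIN_TTL <= custom_ttl <= CUSTOM_MAX_TTL:
            raise ValueError("custom TTL must be between 5 minutes and 24 hours")
        ttl = custom_ttl
    if any(is_high_risk(scope) for scope in scopes):
        ttl = min(ttl, HIGH_RISK_MAX_TTL)
    return ttl


def is_expired(issued_at, ttl, now):
    """Fail closed: the token is invalid at its expiry instant and after."""
    return now >= issued_at + ttl
```

Under these assumptions, an agent configured with a 24-hour custom TTL still receives a 15-minute token as soon as one requested scope is high-risk.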