The identity infrastructure for autonomous agent authentication.
Two-factor authentication exists to verify identity. But AI agents don't have identity — so they can't authenticate. Mailgent gives agents the same identity primitives humans have: an email address for email-based 2FA, an encrypted vault for credentials, and TOTP generation for authenticator-based 2FA. Your agent handles any auth flow a human with a phone could handle.
API Primitives used
vault.store: Store credentials with identity
Save username, password, and TOTP seed — AES-256-GCM encrypted, scoped to a specific agent identity. Each agent has its own isolated vault. Full audit trail on every access.
vault.totp: Generate TOTP codes on demand
Produce fresh 6-digit codes via the API. Returns code + seconds remaining. Seeds are never exposed — only the time-limited codes are accessible. RFC 6238 compliant.
mail.list_messages: Receive email verification codes
When a service sends a verification email, the agent reads it from its own inbox. extractedText strips noise so your LLM can extract the code directly.
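An added example, not Mailgent's code or API: a standard-library RFC 6238 generator showing what vault.totp is described as returning (a 6-digit code plus seconds remaining) while the seed stays inside the object. The class name, the field names and the verify helper are assumptions; the seed is the public RFC 6238 Appendix B test key.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test key (public test vector, not a real secret).
RFC6238_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpEntry:
    """Hypothetical vault entry: keeps the seed private, hands out codes only."""

    def __init__(self, seed_b32: str, step: int = 30, digits: int = 6):
        cleaned = seed_b32.replace(" ", "").upper()
        cleaned += "=" * (-len(cleaned) % 8)  # authenticator seeds often omit padding
        self._seed = base64.b32decode(cleaned)
        self._step, self._digits = step, digits

    def __repr__(self) -> str:
        # Keep the seed out of logs and tracebacks.
        return "TotpEntry(seed=<redacted>)"

    def code(self, now=None) -> dict:
        """Current code plus how long it stays valid (field names are assumed)."""
        now = int(time.time() if now is None else now)
        return {
            "code": hotp(self._seed, now // self._step, self._digits),
            "seconds_remaining": self._step - now % self._step,
        }

    def verify(self, candidate: str, now=None, window: int = 1) -> bool:
        """What a verifying service does: accept +/- `window` steps of clock drift."""
        now = int(time.time() if now is None else now)
        current = now // self._step
        return any(
            hmac.compare_digest(hotp(self._seed, current + d, self._digits), candidate)
            for d in range(-window, window + 1)
        )
```

A code returned with only a second or two remaining can expire before the login form is submitted, so a caller should wait for the next step when `seconds_remaining` is small rather than rely on the verifier's drift window.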
Agents need identity to authenticate.
Two-factor authentication is fundamentally an identity verification mechanism: 'Prove you are who you claim to be.' It assumes the user has an email address (for email-based 2FA) and a phone with an authenticator app (for TOTP-based 2FA). AI agents have neither — so they can't authenticate with any service that requires 2FA.
Most developers work around this by disabling 2FA (creating a security vulnerability), sharing a human's credentials (breaking audit trails and creating compliance violations), or requiring a human to enter codes manually (destroying the agent's autonomy). None of these scale, and all introduce risks that compound across every service the agent needs to access.
The solution isn't to bypass authentication — it's to give the agent its own identity. Mailgent provides each agent with an email address (for email-based verification), an encrypted vault (for credential storage), and TOTP code generation (for authenticator-based 2FA). The agent doesn't borrow a human's identity. It has its own — with delegation chains that trace every login back to the human who authorized it.
How to build it.
Give the agent an identity
Create an agent identity with its own email address and isolated vault. The identity carries a delegation chain: Human > Org > Agent. Every authentication action will trace back to the human who authorized the agent.
vault.store: Store credentials in the vault
Save login credentials — username, password, and TOTP seed — encrypted with AES-256-GCM. Each agent identity has its own isolated vault. TOTP seeds are stored encrypted and never returned via the API.
vault.totp: Authenticate autonomously
When your agent needs to log in: retrieve credentials with vault.get, generate a fresh TOTP code with vault.totp, and complete the authentication flow. For email-based 2FA, the agent reads the verification code from its own inbox.
Example prompt
“Log into the AWS console using my stored credentials. Generate the 2FA code, pull the latest billing data, and email the finance team a summary from my agent's address.”
What developers build.
SaaS dashboard monitoring
Build agents that log into Stripe, HubSpot, Salesforce, or any 2FA-protected dashboard. The agent authenticates with its own credentials and TOTP codes — not a human's borrowed login. Every access is audit-logged against the agent's identity.
Autonomous service registration
Agent signs up for a new service using its own email, receives the verification email in its inbox, extracts the code, completes registration, enables 2FA, stores the TOTP seed in its vault, and stores credentials — fully autonomous account creation with its own identity.
Government and regulatory portal access
Build agents that authenticate with tax portals, regulatory filing systems, and compliance platforms that mandate 2FA for every login. The agent's identity and delegation chain satisfy regulatory attribution requirements.
Cloud infrastructure access
Build agents that authenticate with AWS, GCP, or Azure using stored IAM credentials and TOTP codes. Monitor resources, check costs, and alert on anomalies — all from an identified agent with audit trails.
API key rotation
Build agents that log into provider dashboards, regenerate expiring API keys, store new keys in the vault, and update downstream systems. Every rotation action is logged against the agent's identity.
Financial platform access
Build agents that authenticate with banking dashboards, payment processors, and trading platforms requiring 2FA. Every login carries the agent's delegation chain — critical for financial compliance and audit requirements.
Why not just disable 2FA?
Disabling 2FA doesn't remove the identity problem — it makes it worse. Without 2FA, anyone with stolen credentials can impersonate the agent. Without a dedicated agent identity, there's no audit trail of which system accessed which service. Without delegation chains, there's no way to trace an agent's login back to the human who authorized it.
The right approach isn't to weaken authentication — it's to give agents proper identity. Mailgent provides each agent with its own email address (for email-based 2FA), encrypted credential storage (for passwords and API keys), and TOTP code generation (for authenticator-based 2FA). Every authentication action is logged against the agent's unique identity with a delegation chain. The agent doesn't borrow credentials. It has its own.
AES-256-GCM encryption
Every credential encrypted at rest with per-credential data encryption keys. TOTP seeds are never returned via the API — only the generated codes.
Identity-scoped isolation
Each agent identity has its own vault. A sales agent can't access DevOps credentials. Revoke the identity and all credentials become inaccessible instantly.
Authentication audit trail
Every credential retrieval, TOTP code generation, and login attempt is logged with agent identity, timestamp, and delegation chain. Trace any authentication action back to the authorizing human.
Give your agent its own identity.
Email, vault, and TOTP — the identity infrastructure for autonomous authentication.