The Future of Identity: How Ory and Cockroach Labs Are Building Infrastructure for Agentic AI

Ory and Cockroach Labs announce partnership to deliver the distributed identity and access management infrastructure required for modern identity needs and securing AI agents at global scale.

Lani Leuthvilay

Head of Technical Product Marketing

Bots now dominate the internet. In 2024, automated programs (bots) made up 51% of all web traffic, while humans accounted for only 49%. Most of these bots are helpful, like search engines and AI tools, but about 14% are malicious.

For the first time, there's more automated activity online than human activity. While the gap between good and bad bots has remained relatively steady, the overall volume of bot traffic continues to surge year over year, according to Imperva's 2025 Bad Bot Report.

2025 Bad Bot Report: The Rapid Rise of Bots and the Unseen Risk for Business by Imperva

And here's the kicker: every major enterprise is racing to deploy AI agents right now. The companies that get their identity infrastructure right will enable innovation at machine speed. Those that don't will watch their AI initiatives grind to a halt under the weight of security incidents, compliance failures, and unauthorized access.

This fundamental shift demands a completely new approach to identity and access management — one that can handle the scale, complexity, and dynamic nature of both human and machine identities. Today, we're excited to share how our expanded partnership with Cockroach Labs is helping organizations build the infrastructure foundation for this AI-powered future.

Building for Unprecedented Scale: The Ory and Cockroach Labs Partnership

Our partnership with Cockroach Labs creates the foundation for modern identity and access management (IAM) that operates across geographically distributed environments with the resilience and flexibility that today's enterprises demand.

CockroachDB serves as the distributed backbone for The Ory Network, our global identity service built to deliver compliance, resilience, and global scale. This isn't theoretical infrastructure — it's powering some of the most demanding identity workloads in the world.

Real-World Proof: The OpenAI Success Story

ChatGPT Statistics 2025 – DAU & MAU Data [Worldwide] from June 2025 on demandsage.com

The power of this combination was recently highlighted in an OpenAI case study that showcases exactly what's possible when you pair Ory's modular identity architecture with CockroachDB's distributed database capabilities. Together, we power login for ChatGPT for more than 800 million weekly active users while giving OpenAI the control and flexibility they require to own their code and have visibility into their users' login journeys.

The same infrastructure that handles auth for ChatGPT.com, the fifth most visited website in the world according to Wikipedia, is exactly what's needed to tackle the next big challenge in identity management: AI agents operating at unprecedented scale.

Wikipedia List of most-visited websites (as of April 2025)

The Agentic Wild West: Power Without Boundaries

The agentic AI landscape is the wild west right now. These systems are incredibly powerful. They can browse the web, make API calls (even phone calls), process payments, and interact with countless services on your behalf.

But here's the uncomfortable truth: people are concerned, and rightfully so. Imagine this: Your AI sales agent, with access to your CRM and payment systems, starts offering 90% discounts to every customer due to a prompt injection attack. Without proper OAuth controls and instant revocation, it could process thousands of transactions before anyone notices. It’s not science fiction — it can happen today with improperly secured AI agents.

This is why OpenAI chose Ory. When you're building the infrastructure that powers some of the world's most sophisticated AI systems, you need proven identity and access management with the industry-leading OAuth server.

The Protocol Revolution: OAuth at Machine Scale

The emergence of the Model Context Protocol (MCP) and Google's Agent-to-Agent (A2A) protocol represents a fundamental shift in identity and access management. These protocols are creating an entirely new authentication paradigm where thousands of autonomous agents generate OAuth flows at rates that would overwhelm traditional identity infrastructure.

Consider the numbers: a single AI workflow might spawn dozens of specialized agents, each requiring distinct authentication tokens with granular permissions. These agents burst into existence, authenticate against multiple services simultaneously, exchange tokens at microsecond intervals, and terminate just as quickly. MCP standardizes how these agents prove their identity to external services, while A2A enables secure agent-to-agent delegation without human intervention.

Not all OAuth solutions are created equal. While legacy OAuth providers are retrofitting their human-centric systems for AI, Ory Hydra was architected from day one for machine-scale authentication. Ory Hydra’s OAuth solution combines token validation, distributed “kill switches”, and native MCP integration.

Crucially, this new paradigm demands robust kill switch mechanisms, achieved through token introspection and token revocation in real time. When an AI agent goes rogue or exhibits anomalous behavior, you need the ability to instantly revoke not just a single token, but entire delegation chains across all dependent agents. Modern OAuth implementations for AI must support token revocation to prevent a compromised agent from causing cascading damage across your infrastructure.
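A minimal model of the chain-wide kill switch described above, added here as an illustration; it is not Ory Hydra's code or API. The `TokenStore` class, its in-memory layout and the `parent` link are assumptions made for the example; only the introspection response shape (RFC 7662) and the revocation semantics (RFC 7009) come from the OAuth standards.

```python
import secrets
import time


class TokenStore:
    """Toy authorization-server state: each token records the token that delegated it."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._tokens = {}            # token string -> record

    def issue(self, subject, scope, ttl, parent=None):
        if parent is not None:
            p = self.introspect(parent)
            if not p["active"]:
                raise PermissionError("parent token is not active")
            # A delegate may narrow the parent's scope, never widen it.
            if not set(scope) <= set(p["scope"]):
                raise PermissionError("delegated scope exceeds parent scope")
            # A delegate may not outlive the token it was derived from.
            ttl = min(ttl, p["exp"] - self._clock())
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"sub": subject, "scope": frozenset(scope),
                               "exp": self._clock() + ttl,
                               "parent": parent, "revoked": False}
        return token

    def revoke(self, token):
        """Mark one token revoked; unknown tokens are silently ignored (RFC 7009)."""
        rec = self._tokens.get(token)
        if rec is not None:
            rec["revoked"] = True

    def introspect(self, token):
        """RFC 7662-style answer: inactive if any link up the chain is revoked or expired."""
        rec = self._tokens.get(token)
        if rec is None:
            return {"active": False}
        now, link = self._clock(), rec
        while link is not None:
            if link["revoked"] or link["exp"] <= now:
                return {"active": False}
            link = self._tokens.get(link["parent"]) if link["parent"] else None
        return {"active": True, "sub": rec["sub"],
                "scope": sorted(rec["scope"]), "exp": rec["exp"]}
```

Because the chain is walked at introspection time, one write to a parent token disables every descendant. A resource server that caches introspection results keeps honoring a revoked token for as long as its cache entry lives.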

Securing the AI-Powered Future

The partnership between Ory and Cockroach Labs represents more than infrastructure — it's the foundation for an entirely new digital economy where AI agents become trusted economic actors. We're building the trust layer that will enable AI agents to conduct business, make decisions, and manage resources on behalf of the people and organizations they represent.

In the near future, your AI agent will do more than schedule meetings. It will negotiate contracts, execute trades, manage supply chains, and orchestrate complex multi-party transactions. Each action requires authentication plus a complete chain of accountability that traces back to the human or enterprise principal. When an AI agent commits to a million-dollar purchase order, the counterparty needs cryptographic proof of authorization, audit trails for compliance, and instant revocation capabilities if something goes wrong.

The real paradigm shift is moving from "AI as a tool" to "AI as a trusted representative" or “AI as a digital emissary”. OAuth2 integrated with MCP servers goes beyond access control. It creates legally binding digital signatures for AI actions, establishes clear delegation boundaries that courts can interpret, and builds tamper-proof audit logs that can reconstruct the decision chain when disputes arise.

We may see the emergence of new patterns:

  • Time-boxed authorizations where AI agents receive temporary elevated privileges for specific transactions
  • Multi-party authorization flows where high-stakes decisions require consensus from multiple human stakeholders
  • Reputation systems where an AI agent's past behavior influences its future authorization scope

These are the scenarios that enterprises are preparing for — a world where AI agents are first-class economic participants.

Why Ory is the Industry-Leading Choice for Agentic AI Security

Here's the reality: Ory is already the leading solution for securing agentic identity. Our OAuth server, Ory Hydra, delivers robust authentication and authorization for AI agents at enterprise scale with:

  • Proven scale: Supporting OpenAI's 800M+ weekly active users
  • Machine-speed performance: Thousands of token validations per second
  • Real-time token revocation: Revoke entire agent delegation chains instantly
  • Native MCP support: Purpose-built for the AI agent ecosystem
  • Zero vendor lock-in: Open standards and modular architecture

The good news? Ory is simple to implement. You can start securing your AI agents today using proven OAuth2 standards and scale up as your agentic workloads grow.

Ready to Build? Start with Ory Hydra for MCP OAuth2

If you're excited about the possibilities of AI agents and want to start building secure, scalable identity solutions for your own MCP servers, we've got you covered. We've just published a comprehensive guide on integrating OAuth2 with MCP that walks you through everything you need to know to get started.

Ready to join us in building the future? Learn how to integrate OAuth2 for your MCP servers

For a technical deep dive into the joint OpenAI ChatGPT case study, exploring how Ory Hydra and CockroachDB power its identity and access management, check out the official Cockroach Labs blog: Inside OpenAI’s Always-On IAM Stack with Ory and CockroachDB

The future of identity is modular, distributed, and AI-ready. With partners like Cockroach Labs and proven success stories like OpenAI, we're not just preparing for the AI agent economy — we're building it.