Last week Amazon launched AgentCore Identity, a credential management service that lets AI agents act on behalf of users via OAuth 2.0. It's well-engineered. Session binding prevents CSRF and browser-swapping attacks. Tokens are scoped per user, stored in a managed vault, refreshed automatically. If you're building agents on AWS that need to access GitHub, Salesforce, or Google Calendar on behalf of a human, this is the right tool for that problem.
But the problem it solves is authorization: what this agent is allowed to do, on whose behalf.
There's a different question OAuth doesn't answer: is this agent who it claims to be?
In a closed system where you control every agent, this isn't a concern. But the A2A protocol was designed for the opposite case: agents discovering each other dynamically, across organizations, across trust boundaries. Agent A finds Agent B in a registry and initiates an OAuth flow. Nothing in that flow prevents Agent C from presenting itself as Agent B with a legitimate-looking Agent Card and a valid OAuth token. The token proves authorization. It doesn't prove identity.
This isn't a theoretical gap. We documented the interception pattern in the A2A working group this week. A spoofed Agent Card with a valid auth server passes OAuth checks cleanly.
What closes that gap is an attestation bound to the Agent Card itself, signed by a neutral third party and verifiable before the OAuth flow begins. You check the identity first, then authorize.
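The check-identity-first ordering described above, as an added example (not code from AgentCore, A2A, or MolTrust): an issuer signs a hash of the Agent Card with Ed25519, and the caller verifies it against a pinned issuer key before starting OAuth. The attestation layout, field names, DIDs and URLs are assumptions constructed for illustration.

```javascript
// Added example: attestation layout and field names are assumptions, not A2A or MolTrust APIs.
const crypto = require('node:crypto');

// Deterministic JSON: sort object keys recursively so the hash is stable.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

const cardDigest = card =>
  crypto.createHash('sha256').update(canonical(card)).digest('hex');

// Issuer side: sign a claim binding the agent id to this exact card.
function attest(card, agentId, issuerKey) {
  const claim = { agentId, cardSha256: cardDigest(card) };
  const sig = crypto.sign(null, Buffer.from(canonical(claim)), issuerKey);
  return { claim, sig: sig.toString('base64') };
}

// Verifier side: run before any OAuth redirect or token exchange.
function verifyBeforeOAuth(card, att, expectedAgentId, issuerPub) {
  if (!att || !att.claim || typeof att.sig !== 'string') return 'missing-attestation';
  const ok = crypto.verify(null, Buffer.from(canonical(att.claim)),
    issuerPub, Buffer.from(att.sig, 'base64'));
  if (!ok) return 'bad-signature';
  if (att.claim.agentId !== expectedAgentId) return 'wrong-agent';
  if (att.claim.cardSha256 !== cardDigest(card)) return 'card-mismatch';
  return 'ok';
}

// Constructed sample data: issuer key, Agent B's card, and its attestation.
const issuer = crypto.generateKeyPairSync('ed25519');
const cardB = { name: 'Agent B', url: 'https://agent-b.example/a2a',
  authServer: 'https://auth.agent-b.example' };
const attB = attest(cardB, 'did:example:agent-b', issuer.privateKey);
// Agent C reuses B's name and attestation but points at its own endpoints.
const cardC = { ...cardB, url: 'https://agent-c.example/a2a',
  authServer: 'https://auth.agent-c.example' };

console.log(verifyBeforeOAuth(cardB, attB, 'did:example:agent-b', issuer.publicKey));
console.log(verifyBeforeOAuth(cardC, attB, 'did:example:agent-b', issuer.publicKey));
```

The second call fails with `card-mismatch` even though Agent C's own auth server would issue valid tokens, because the signed hash covers the endpoints in the card.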
MolTrust builds that layer: W3C DIDs anchored on Base L2, verifiable credentials bound to agent identities, trust scores derived from behavioral history. It's not a replacement for AgentCore; it's the check that happens before you hand someone an OAuth token.
Authorization tells you what an agent can do. Identity tells you whether you're talking to the right agent at all.
Both questions matter. Right now, only one has a managed answer.