Good question. To clarify: the app still has its own internal auth logic — we're not bypassing that.

The encrypted lane handles connection isolation (who can reach the app), while the app still handles identity (who the user is).

For agent-to-app communication specifically, the pattern we use:

1. Agent passes a short-lived token in the request payload (not URL)
2. App validates the token against its local auth store
3. The encrypted lane ensures no one else can intercept/replay that token

Let me clarify. I am not suggesting disabling authentication inside the app. I am suggesting that a solution is to layer the network isolation + application auth. The secure application layer channel just removes the OAuth redirect dance for machine-to-machine flows.

For human access, you'd still need SSO. But once the human is authenticated, the services authenticate to one another (machine-to-machine) also at the application layer (not layers 3/4).

Does that make sense for your use case, or are you looking for something that works with human SSO flows too?

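A sketch of the app-side half of the pattern described in the comment above, as an added example that is not the commenter's code: the token travels in the JSON payload and is checked against a local store. The names `LocalAuthStore` and `handle_request`, the 60-second lifetime, and single-use consumption are assumptions made for illustration.

```python
import hashlib
import json
import secrets
import time
from urllib.parse import urlsplit, parse_qs

TOKEN_TTL_SECONDS = 60  # assumed lifetime; the comment only says "short-lived"

class LocalAuthStore:
    """Hypothetical in-app store mapping SHA-256(token) -> (agent_id, expiry)."""
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._tokens = {}

    def issue(self, agent_id):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the digest is kept, so a dump of the store yields no usable tokens.
        self._tokens[digest] = (agent_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def validate(self, token):
        """Return the agent_id for a live token, else None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() consumes the token: a second presentation fails (assumed policy).
        entry = self._tokens.pop(digest, None)
        if entry is None:
            return None
        agent_id, expiry = entry
        return agent_id if self._now() < expiry else None

def handle_request(store, url, body):
    """Accept the token only from the JSON payload; reject it in the URL,
    where it would end up in access logs and proxy histories."""
    if "token" in parse_qs(urlsplit(url).query):
        return 400, "token must not be sent in the URL"
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, "malformed payload"
    token = payload.get("token") if isinstance(payload, dict) else None
    if not isinstance(token, str):
        return 401, "missing token"
    agent_id = store.validate(token)
    if agent_id is None:
        return 401, "invalid or expired token"
    return 200, f"authenticated as {agent_id}"
```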