_Use case · 01 · The coding agent

The agent that ships to main.

A long-lived GitHub token in an environment variable is a multi-day incident waiting to happen. Threshold mints the credential for one operation, hands it to GitHub, and lets it expire. The agent never sees it.

Capability flow Live

Agent

Code agent

Token store · empty

Threshold

Mint

Destination

GitHub

acme/backend

✓ merge · 15s ✓ deploy · 12s ✓ comment · 8s

Per-call credentials. None live with the agent.

[ Before ]

The agent holds a GitHub token in an environment variable. Long-lived. Broad-scoped. Exposed to everything the agent touches, including content from external sources.

[ With Threshold ]

The agent holds a capability. Threshold mints the credential for one operation, hands it to GitHub, and lets it expire in fifteen seconds. The agent never sees it.

The scenario

Six months in. Trusted to read. Not to ship.

Your team has been running a coding agent for six months. It reads issues, drafts implementations, opens PRs, runs CI, comments on reviews. Every senior engineer has built a workflow around it.

It lives on a side branch with read-only credentials. It can suggest changes. It can run tests. It cannot merge anything, deploy anything, or push directly to a protected branch. The reason isn't capability. The agent could absolutely merge correctly more than 95% of the time. The reason is that nobody has figured out how to give an agent commit-level credentials without losing sleep.

Side branch 01 / 04

Trusted to read. Not to ship.Suggestions flow. Authority waits at the boundary.

The side branch stays useful. Authority waits at the boundary.

Why it's blocked

The blocker is conflation.

The standard answer is to give the agent a long-lived GitHub token with broad scope, sitting in an environment variable somewhere, capable of pushing to any branch in any repo. That token lives for weeks. It's exposed to every action the agent takes, including the ones that read content from external sources.

The deeper problem is conflation. The agent that decides what to commit is the same process that holds the credential to commit it. There's no architectural separation between "the agent wants to do X" and "the agent is authorized to do X right now." Once the agent is running, the credential is exposed to everything it touches.

Credential rotation across a working stack is a multi-day incident response. Nobody wants that fire drill.

Blast radius 02 / 04

One env token. Every lane.Long-lived credentials flatten review and release.

Review lane and ship lane share the same secret.

How Threshold runs it

The agent doesn't have a GitHub token. It has a capability.

A short-lived, single-use, scope-restricted permission to ask Threshold to perform one operation on its behalf. The credential is born in the moment of the action and dies the moment it's done.

[ CAPABILITY FLOW ] · One merge, one credential, fifteen seconds

Step 1 · Tool call

The agent finishes its work and decides to merge. It emits: github.merge(repo=acme/backend, branch=feat-123, target=main).

Step 2 · Identity

Threshold verifies the capability signature. The agent is allowed to merge to main, but only under conditions encoded in your policy: tests pass, PR has an approving review, the diff doesn't touch protected files, and the action happens during business hours.

Step 3 · Mint

Threshold mints a GitHub token scoped to exactly one repository, one merge action, one branch, expiring in fifteen seconds. The token is forwarded to GitHub. The merge happens. The token expires.

Step 4 · Receipt

The merge is recorded in the signed audit chain by Threshold, not by the agent. The receipt names the human steward, the policy that approved this action, the inputs the agent saw, the outputs it produced, and the time-bounded credential it never held.

Step 5 · Halt

If anything looks wrong tomorrow, your security team revokes the agent's parent capability. Every sub-agent, every pending operation, every credential it was about to use. All of it stops in milliseconds.

Capability flow 03 / 04

One operation. Fifteen seconds.Born inside the boundary. Dies on the way back.

Born inside the boundary. Used once. Killed on the way back.

What changed

From long-lived secrets to short-lived capabilities.

The standard pattern stores authority in long-lived secrets. Threshold stores authority in short-lived signed capabilities, derived per-request from a delegation chain that traces back to a real human.

The implication for a coding agent is structural. The credential that made your security team nervous never exists. Each operation gets exactly the permission it needs, exactly when it needs it, and the permission disappears the moment the operation completes.

What this unlocks

Not a coding agent. An engineer who never asks twice.

The coding agent leaves the side branch. It opens PRs, merges to main, deploys to staging, runs the small operational tasks that used to live in your senior engineers' tab clutter. Your security team can read the audit trail and see exactly which human's authority each agent action traced back to.

0

01 · Credentials in env

Long-lived tokens in the agent's environment. Every credential is per-call and expires in seconds.

0s

02 · Credential lifetime

A capability lives for exactly the operation that needed it. Then it disappears.

0%

03 · Actions attributed

Every commit, merge, and deploy chains back to a named human in the signed audit log.

_Book a demo

See your coding agent safe to ship to production.

01 · You are here

The coding agent

02 · Read next

The customer-facing agent