The OAuth toolkit was built for a person clicking Allow. When the entity clicking is a process you started, the assumptions stop holding. A few of them, and what we'd replace them with:
Humans don't restart fifty times an hour. Agents do. A useful credential survives a clean restart of the agent without losing scope or audit lineage. That implies the grant lives in issuer-side state that a restarted agent can resume against, not only in the agent's memory.
Most scopes today are coarse enough that the user is approving the agent's entire surface area in one click. We need scopes that compose at request time ("this call, read only, $50 max") and that the user can pre-approve in a sane grammar, so the issuer can check each call against a ceiling the human actually saw.
When an agent goes rogue, you don't want to log out the human user. You want to surgically revoke the agent's standing, ideally a specific session of it, without breaking unrelated agents that share the same OAuth app.
We're drafting a minimal credential format on the board (ID2-01) that tries to be the smallest possible thing that meets these three. It will not survive contact with the security review of any serious platform, but that's the point of writing the v0 in public.
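As an added example (not the post's code and not the ID2-01 draft), here is a toy Python issuer that exercises the three properties above: grants are held issuer-side so a restarted agent resumes the same scope and audit lineage, each call is checked at request time against a pre-approved ceiling, and revocation targets one session or one agent without touching the user's approval or a sibling agent. The class names, the scope grammar and the "allow"/"deny:*" decision codes are hypothetical.

```python
# Added example (not the post's own code and not the ID2-01 draft): a toy issuer-side
# grant store; names, scope grammar and "allow"/"deny:*" codes are hypothetical.
import secrets
from dataclasses import dataclass


@dataclass
class Scope:  # pre-approved capability: resource, allowed actions, per-call spend cap
    resource: str
    actions: frozenset
    max_amount: float = 0.0

    def permits(self, action, amount):
        return action in self.actions and amount <= self.max_amount


@dataclass
class Grant:  # issuer-held authority for one agent; survives any number of restarts
    user: str
    agent: str
    scopes: dict           # resource -> Scope, a subset of the user's approval
    revoked: bool = False


class Issuer:
    def __init__(self):
        self.user_scopes = {}       # user -> {resource: Scope}, what the human clicked Allow on
        self.grants = {}            # grant_id -> Grant
        self.sessions = {}          # session handle -> grant_id
        self.revoked_sessions = set()
        self.audit = []             # (event, user, grant_id, session_handle)

    def approve(self, user, scopes):
        self.user_scopes[user] = {s.resource: s for s in scopes}

    def grant_agent(self, user, agent, scopes):
        """Attenuate: an agent may hold at most what the user pre-approved."""
        approved = self.user_scopes[user]
        for s in scopes:
            base = approved.get(s.resource)
            if base is None or not (s.actions <= base.actions and s.max_amount <= base.max_amount):
                raise ValueError(f"scope exceeds user approval: {s}")
        gid = "g-" + secrets.token_hex(4)
        self.grants[gid] = Grant(user, agent, {s.resource: s for s in scopes})
        return gid

    def start_session(self, grant_id):
        """Called on every (re)start; scope and lineage come from the grant, not the agent."""
        grant = self.grants[grant_id]
        if grant.revoked:
            raise PermissionError("grant revoked")
        handle = "s-" + secrets.token_hex(8)
        self.sessions[handle] = grant_id
        self.audit.append(("start", grant.user, grant_id, handle))
        return handle

    def authorize(self, handle, resource, action, amount=0.0):
        """Request-time decision for 'this call, this action, this amount'."""
        gid = self.sessions.get(handle)
        if gid is None or handle in self.revoked_sessions:
            return "deny:session"
        grant = self.grants[gid]
        if grant.revoked:
            return "deny:agent"
        scope = grant.scopes.get(resource)
        ok = scope is not None and scope.permits(action, amount)
        self.audit.append(("call", grant.user, gid, handle))   # every record carries full lineage
        return "allow" if ok else "deny:scope"

    def revoke_session(self, handle):
        self.revoked_sessions.add(handle)  # one instance; the agent's grant stays valid

    def revoke_agent(self, grant_id):
        self.grants[grant_id].revoked = True  # the user's approval and other agents are untouched


def demo():
    iss = Issuer()
    iss.approve("alice", [Scope("payments", frozenset({"read", "write"}), 500.0),
                          Scope("calendar", frozenset({"read"}))])
    budget_bot = iss.grant_agent("alice", "budget-bot",
                                 [Scope("payments", frozenset({"read"}), 50.0)])
    cal_bot = iss.grant_agent("alice", "cal-bot", [Scope("calendar", frozenset({"read"}))])
    s1 = iss.start_session(budget_bot)
    out = {"read_30": iss.authorize(s1, "payments", "read", 30.0),
           "read_60": iss.authorize(s1, "payments", "read", 60.0),
           "write_10": iss.authorize(s1, "payments", "write", 10.0)}
    s2 = iss.start_session(budget_bot)            # the agent restarted
    out["after_restart"] = iss.authorize(s2, "payments", "read", 30.0)
    out["lineage_kept"] = all(g == budget_bot for _, _, g, h in iss.audit if h in (s1, s2))
    iss.revoke_session(s1)                        # kill the stale instance only
    out["old_session"] = iss.authorize(s1, "payments", "read", 1.0)
    out["new_session"] = iss.authorize(s2, "payments", "read", 1.0)
    iss.revoke_agent(budget_bot)                  # kill the agent, not the human's approval
    out["agent_revoked"] = iss.authorize(s2, "payments", "read", 1.0)
    out["other_agent"] = iss.authorize(iss.start_session(cal_bot), "calendar", "read")
    out["user_still_approved"] = "alice" in iss.user_scopes
    return out
```

Call `demo()` to walk the constructed scenario: the $60 read and the write are refused at request time even though a single user-level grant would have allowed both, the restarted agent keeps its scope and its audit chain points at the same grant, and revoking budget-bot leaves cal-bot and alice's own approval intact. Two points a real issuer would add on top of this sketch: persisting the grant and revocation state durably, and binding the session handle to something the agent can prove (a key, an attestation) rather than treating it as a plain bearer string.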