AIdenID Agent Workflows
Concrete recipes for using AIdenID inside agent-driven test flows, authenticated audits, and multi-agent swarm runs.
Concrete recipes for how AIdenID fits into real agent flows. Each recipe is runnable end-to-end with `sentinelayer-cli@0.8.0`.
Recipe 1 — Agent signs up to your app and runs a frontend audit
```bash
# 1. Provision an ephemeral identity
IDENTITY=$(sl ai provision-email --tags "signup-audit" --ttl 3600 --execute --json | jq -r '.identity.id')
EMAIL=$(sl ai identity show "$IDENTITY" --json | jq -r '.email')
# 2. Agent triggers signup on your app with the email
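# --data-urlencode keeps characters such as "+" in the address intact in the form body
curl -X POST https://app.example.com/signup --data-urlencode "email=$EMAIL"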
# 3. Wait for and extract the OTP (regex-first, LLM fallback)
OTP=$(sl ai identity wait-for-otp "$IDENTITY" --timeout 60 --min-confidence 0.8 --json | jq -r '.code')
# 4. Complete signup with the OTP
curl -X POST https://app.example.com/verify --data-urlencode "email=$EMAIL" --data-urlencode "code=$OTP"
# 5. Hand the credentials to the frontend audit
sl audit frontend --url https://app.example.com --email "$EMAIL" --stream
```
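A fail-closed variant of Recipe 1, added here as an example and not taken from the AIdenID docs or CLI source. It stops when `jq -r` yields an empty or `null` field, rejects an OTP that is not a short numeric code, and revokes the identity when the shell exits. The helper names, the 4-8 digit OTP format and the revoke-on-exit policy are assumptions; the `sl` commands and JSON fields are the ones used in the recipes on this page.

```shell
#!/usr/bin/env bash
# Added example: helper names are hypothetical, not part of sentinelayer-cli.

# jq -r prints the literal string "null" for a missing field, so an unchecked
# $(... | jq -r '.identity.id') can hand "null" to every later command.
require_value() {  # usage: require_value <label> <value>
  if [ -z "$2" ] || [ "$2" = "null" ]; then
    echo "missing $1 in CLI output" >&2
    return 1
  fi
}

# Assumption: the app under test sends 4-8 digit numeric codes. Anything else
# is treated as a failed extraction and never reaches the form body.
valid_otp() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -ge 4 ] && [ "${#1}" -le 8 ]
}

# Revoke the identity explicitly instead of waiting for the TTL to expire.
revoke_identity() {
  [ -n "${IDENTITY:-}" ] || return 0
  sl ai identity revoke "$IDENTITY" --json >/dev/null
}

signup_audit() {  # usage: signup_audit <base-url>
  local base="$1" email otp
  IDENTITY=$(sl ai provision-email --tags "signup-audit" --ttl 3600 --execute --json \
    | jq -r '.identity.id')
  require_value "identity id" "$IDENTITY" || { IDENTITY=""; return 1; }
  trap revoke_identity EXIT   # runs when the shell exits, on success or failure
  email=$(sl ai identity show "$IDENTITY" --json | jq -r '.email')
  require_value "email" "$email" || return 1
  curl -sS --fail -X POST "$base/signup" --data-urlencode "email=$email" || return 1
  otp=$(sl ai identity wait-for-otp "$IDENTITY" --timeout 60 --min-confidence 0.8 --json \
    | jq -r '.code')
  valid_otp "$otp" || { echo "no usable OTP" >&2; return 1; }
  curl -sS --fail -X POST "$base/verify" \
    --data-urlencode "email=$email" --data-urlencode "code=$otp" || return 1
  sl audit frontend --url "$base" --email "$email" --stream
}
```

Source the file and call `signup_audit https://app.example.com`; nothing runs until the function is invoked.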
Recipe 2 — Parallel testing across N AIdenID identities
```bash
# Provision 10 isolated identities from one command
for i in $(seq 1 10); do
  sl ai provision-email --tags "parallel,batch-$i" --ttl 1800 --execute --json
done | jq -s '.'
# Each identity is independent. Run 10 Jules audits in parallel.
sl ai identity list --tag "parallel" --json \
  | jq -r '.identities[].email' \
  | xargs -P 10 -I {} sl audit frontend --url https://app.example.com --email {} --json
```
Recipe 3 — Child identities for multi-role permission testing
Use parent/child hierarchy to test role-based flows without re-provisioning.
```bash
PARENT=$(sl ai provision-email --tags "admin-parent" --execute --json | jq -r '.identity.id')
# Create children inheriting the parent's policy envelope
ADMIN=$(sl ai identity create-child --parent "$PARENT" --tags "role-admin" --json | jq -r '.identity.id')
EDITOR=$(sl ai identity create-child --parent "$PARENT" --tags "role-editor" --json | jq -r '.identity.id')
VIEWER=$(sl ai identity create-child --parent "$PARENT" --tags "role-viewer" --json | jq -r '.identity.id')
# Each agent in your swarm gets a role-specific identity
# Tests permission boundaries without polluting production users
```
Recipe 4 — Senti session with AIdenID-backed agents
Inside a multi-agent Senti session, each agent can provision its own identity and tag it with its agent id.
```bash
# Agent Claude joins a session
sl session join <session-id> --name claude-a1b2
sl ai provision-email --tags "senti,claude-a1b2" --ttl 1800 --execute --json
# Agent Codex joins the same session
sl session join <session-id> --name codex-c3d4
sl ai provision-email --tags "senti,codex-c3d4" --ttl 1800 --execute --json
# Both agents operate with independent identities; Senti sees the provision events
# on the shared stream; no shared test account collisions
```
Recipe 5 — Compliance-grade identity trail
For compliance teams that need auditable proof of test-user lifecycle, every identity transition writes a signed artifact.
```bash
# The output directory must exist before the redirects below
mkdir -p .sentinelayer/aidenid
sl ai provision-email --tags "compliance-Q2" --ttl 86400 --execute --json \
  > .sentinelayer/aidenid/2026-Q2-provision.json
sl ai identity show <id> --include-events --json \
  > .sentinelayer/aidenid/2026-Q2-lineage.json
# Include the tombstone when squashed
sl ai identity revoke <id> --json \
  > .sentinelayer/aidenid/2026-Q2-tombstone.json
```
The tombstone is immutable and carries the SHA-256 chained prior state, so it is safe to ship to auditors.
When AIdenID is the wrong tool
- **Persistent test accounts** — AIdenID is for ephemeral identities. If you need a stable account that survives across weeks, use your own fixtures.
- **Production user data** — AIdenID never touches real users. Do not use it to simulate real customer flows against production.
- **Bypassing MFA** — AIdenID extracts OTPs sent to its own inboxes. It is not a TOTP/hardware-key emulator. For those, use a dedicated MFA testing harness.
Related
- [AIdenID Overview](/docs/aidenid/overview)
- [Identity Lifecycle](/docs/aidenid/identity-lifecycle)
- [CLI v0.8 Reference](/docs/cli/v0-8-reference)
- [Senti — Multi-Agent Sessions](/docs/senti/overview)
Structured Answers
How do I run a frontend audit against an authenticated page?
Provision an AIdenID identity, complete the signup/login flow with OTP extraction, then pass `--email` to `sl audit frontend`. See Recipe 1 on /docs/aidenid/agent-workflows for the full flow.
Can multiple agents share one AIdenID identity?
Not safely. Each agent should provision its own identity tagged with the agent id to avoid collision on OTP extraction and action URLs.
Does AIdenID work with hardware MFA keys or TOTP?
No. AIdenID extracts OTPs from inbound emails to its own inboxes. Hardware keys and TOTP require dedicated tooling and are out of scope.