Authenticating AI agents via CLI: How Crossmint uses Stytch Connected Apps

Crossmint is developer-first infrastructure for crypto and payments — powering apps where both humans and AI agents interact with blockchains and digital assets.

As their developer audience grew, Crossmint needed a way to automate project setup and credential provisioning — without relying on UI workflows.

They turned to Stytch's Connected Apps to build a CLI- native authentication flow — no dashboards, no manual steps, just secure automation.

Why Stytch

Crossmint had already adopted Stytch as an identity platform — but Connected Apps unlocked a new model that went beyond dashboards and logins. They chose to double down on Stytch for a few key reasons:

• Auth without a UI – Most auth providers assume an auth workflow that includes a screen. Stytch infrastructure is more flexible, making it easy to embed auth flows into the CLI.
• Fast to implement – From first commit to authenticating agents in under 15 days.
• Designed for authorizing agents – Designed for short-lived, scoped access — ideal for autonomous agents and LLM-native workflows.
• Future-ready - A platform that evolves and improves over time to address rapidly changing AI agent standards and best practices—all without distracting Crossmint’s engineering team.

The challenge: Make auth invisible (but secure)

Crossmint’s dashboard already allowed developers to create projects and generate API keys.

However, AI agents weren’t able to log into dashboards, click buttons, check emails, or manually copy API keys into .env files. Their requirements included:

• A UI-less auth flow (CLI or API only)

• Scoped, short-lived access — no .env files or credential sprawl

• Auditability — every key and action traceable
• A setup that’s scalable and automated

The question became: How do you entirely provision new projects without a human in the loop– while keeping full control of identity, access, and risk?

The solution: CLI-integrated OAuth with Stytch Connected Apps

By integrating the Stytch Node SDK into their CLI tool, whenever a developer or agent runs crossmint init, the following flows occur

1. OAuth device code flow initiates: Running crossmint login triggers a Stytch auth flow where the developer signs in via browser. Once verified, the agent is authenticated on their behalf.
2. Stytch issues a scoped token: With a short lived token, tied to a specific user account, there is no need to copy or paste long-lived secrets
3. Autonomous agents can then provision Crossmint projects and resources: The access token returned by Stytch is persisted on disk. A human or agent operator can then use it with Crossmint’s backend to create and configure everything needed– including billing, keys, etc.

This workflow supports any kind of project, including those that power AI-native applications.

The results: Frictionless, secure automation—no UI required

Two weeks after launch:

• Setup time dropped from ~5 minutes to under 60 seconds
• 0 leaked secrets — Stytch’s token-based model eliminated .env risk

Looking ahead: Standardizing agent auth with MCP

With the CLI infrastructure in place, Crossmint is now exploring how AI agents can interact with it autonomously. Specifically, the Model Context Protocol (MCP) — an open standard for interfacing with LLMs, alongside Stytch Connected Apps.

This unlocks new use cases where:

• LLMs guide developers in using the CLI to spin up secure infrastructure
• AI agents self-register as Connected Apps via MCP servers.
• Agent-triggered project creation happens securely, without relying on human intervention.

With MCP + Stytch, agents can connect, authenticate, and act on Crossmint – all with predictable, scoped access and full auditability.