We built the authorization layer we needed in 2023 and couldn't find anywhere.
In early 2023, Srikar was running a multi-agent research pipeline at his previous company. After a security audit, they discovered their agents had silently accumulated 847 active OAuth tokens across 12 providers. Some tokens were six months old. A third had broader scopes than the tasks that created them required. None had an expiration date.
They spent three weeks manually auditing and revoking tokens. Two agents broke because they depended on specific token configurations that no one had documented. There was no tool that could have caught this earlier — not HashiCorp Vault (built for static secrets), not OAuth providers themselves (they don't manage your agents), not CASB solutions (too focused on human user sessions).
Alter started as an internal tool. The first version was 400 lines of Python and a cron job. By the time the company had 30 agents in production, it had become the single most security-critical piece of infrastructure they ran. We spun it out in late 2023 because every engineer we talked to at other companies had a version of the same story.
Today, Alter handles credential management for AI agents at companies across financial services, healthcare, and SaaS infrastructure. The core problem hasn't changed: OAuth was built for humans. Agents broke it.
Fortify Fund led Alter's $4.8M Seed Round in 2024. Fortify backs early-stage founders disrupting the status quo — teams with a direct, personal reason to solve a hard problem rather than a market thesis built from a slide deck. They've invested in 22 security infrastructure companies since 2019.
The funding is being used to expand our connector library (targeting 100 OAuth providers by end of 2025), build out our on-prem deployment option, and grow the engineering team from 6 to 14.
It's faster to skip the log entry. We never do. Every token event is written before the token is returned to the caller.
New agents start with no scopes. You grant explicitly. Nothing is inherited. We made this the default because "deny by default" is the only model that holds under pressure.
Alter speaks standard OAuth so you can exit without rewriting agents. We'd rather earn your renewal than make leaving impossible.
Alter is configured in YAML, queried via API, and deployed from the CLI. We do not add dashboard steps to tasks that belong in code.
Six engineers who have each dealt with the credential sprawl problem firsthand.
Meet the Team Get in Touch