This is the same dumb problem as always. Are you who you say you are and are you allowed to do such and such action?

There’s existing solutions but everything is its own special snowflake. Oauth is a lie, sso sometimes works. But sso doesn’t provide a differentiation between my employee and their broken script.