Runtime authorization for AI agents

AI agents execute many actions per minute, delegate tasks to each other, and require instant revocation when something goes wrong. AgentTrust ID™ issues opaque runtime tokens and evaluates actions routed through its SDK, MCP proxy, A2A adapter, and API session checks. Built for how agents actually work — across MCP, A2A, and direct API integrations.

Per-action authorization, bound to session · Instant revocation · Open source · Apache 2.0
3 Protocols Unified · 4 Effect Categories · 3 Guardian Tiers · 5 SDK Languages · 9 Services
How It Works

Routed actions. Classified. Evaluated. Decided.

AgentTrust ID authorizes actions that are routed through its SDKs, protocol adapters, or gateway checks. Here's the exact flow, step by step — from the actual code.

Classify the effect

Pattern-match the action name against 34 keywords across four risk tiers. delete_file → destructive. web_search → read. Unknown actions default to mutating — the safe default that routes through higher scrutiny.

Check session state

Verify that the action is within the session's immutable scope ceiling. Confirm the session mode (read-only blocks writes unless elevated). Validate agent ownership. Every session record is protected by an HMAC-SHA256 integrity signature.

Analyze behavior

After five calls, the checker examines denial rate and write ratio. If the session is probing unauthorized actions (30%+ denials) or making an unusual burst of writes (80%+), the action is escalated to a higher risk tier automatically.

Route through Guardian

Read actions → Fast Guard only. Mutating → Fast + Spot, falling back to Fast Guard alone if Spot Guard is unreachable. Destructive and admin → Fast + Spot + Deep (Claude-backed review), and these fail closed if any Guardian tier is unreachable. There is no bypass path.

Decide and audit

Return allow or deny with reasoning, confidence score, and guard tier. Extend the SHA-256-chained decision log. Update session metrics atomically via Redis Lua scripts. External services can verify the live session record and chain head through the accountability API.
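
The five steps above as one runnable Go example. This is an added illustration written for this page, not code from AgentTrust ID's check.go: the keyword table is the page's, but token-based matching, the riskiest-tier-wins rule, the Session and Decision types, the per-tool Elevations map (elevation is time-boxed and scoped per tool, as the page says) and the spotUp/deepUp health flags are this example's own assumptions. HMAC session signing, the Redis metrics update and the chained decision log are left out, and ownership and scope share one check. The file is laid out for `go test`; call Check from a test or a main of your own.

```go
package main

import (
	"strings"
	"time"
)

// Effect tiers in ascending order of risk.
type Effect int
const (
	Read Effect = iota
	Mutating
	Destructive
	Admin
)

// The 34 keywords from the routing table on this page, grouped by tier.
var keywords = map[Effect][]string{
	Read:        {"get", "list", "read", "describe", "search", "view", "fetch", "query", "head"},
	Mutating:    {"write", "update", "create", "execute", "invoke", "modify", "send", "put", "post", "commit", "push", "deploy"},
	Destructive: {"delete", "drop", "destroy", "purge", "terminate", "remove", "truncate"},
	Admin:       {"admin", "transfer_ownership", "revoke", "escalate", "grant", "impersonate"},
}

// ClassifyEffect matches whole tokens of the tool name (split on _ - . / and space), so
// "forget_secret" does not hit "get"; the riskiest matching tier wins (example's own rules).
func ClassifyEffect(tool string) Effect {
	norm := "_" + strings.NewReplacer("-", "_", ".", "_", "/", "_", " ", "_").Replace(strings.ToLower(tool)) + "_"
	for tier := Admin; tier >= Read; tier-- {
		for _, kw := range keywords[tier] {
			if strings.Contains(norm, "_"+kw+"_") {
				return tier
			}
		}
	}
	return Mutating // unknown actions default to mutating
}

// Session is the per-session state the checker reads and updates (field names are the example's).
type Session struct {
	AgentID                string
	Scope                  map[string]bool      // immutable scope ceiling: tools this session may ever call
	Elevations             map[string]time.Time // tool -> elevation expiry; absent means read-only for it
	Calls, Denials, Writes int                  // Writes counts non-read checks, allowed or denied
}

type Decision struct {
	Allowed      bool
	Effect       Effect // after any anomaly escalation
	Tier, Reason string
}

// route follows the routing table and its "If Guardian Down" column; Fast Guard runs inline.
func route(e Effect, spotUp, deepUp bool) (tier string, ok bool) {
	if e == Read || (e == Mutating && !spotUp) { // Spot down: mutating degrades to Fast alone
		return "fast", true
	}
	if e == Mutating {
		return "fast+spot", true
	}
	return "fast+spot+deep", spotUp && deepUp // destructive and admin fail closed
}

// Check runs the five steps in page order; the chained decision log is left out.
func Check(s *Session, agentID, tool string, now time.Time, spotUp, deepUp bool) (d Decision) {
	effect := ClassifyEffect(tool) // step 1
	d = Decision{Effect: effect, Tier: "fast"}
	defer func() { // step 5: session metrics are updated whatever the outcome
		s.Calls++
		if effect > Read {
			s.Writes++
		}
		if !d.Allowed {
			s.Denials++
		}
	}()
	switch { // step 2: ownership, scope ceiling, mode; admin is never reachable by elevation
	case s.AgentID != agentID || !s.Scope[tool]:
		d.Reason = "wrong agent or outside session scope ceiling"
	case effect == Admin:
		d.Reason = "admin actions cannot be elevated"
	case effect > Read && !now.Before(s.Elevations[tool]):
		d.Reason = "read-only for this tool; elevation missing or expired"
	}
	if d.Reason != "" {
		return d
	}
	if c := float64(s.Calls); c >= 5 && (float64(s.Denials)/c >= 0.30 || float64(s.Writes)/c >= 0.80) && effect < Admin {
		d.Effect++ // step 3: probing (>=30% denials) or a write burst (>=80%) escalates one tier
		d.Reason = "escalated one tier by the behaviour check; "
	}
	var ok bool
	if d.Tier, ok = route(d.Effect, spotUp, deepUp); !ok { // step 4
		d.Reason += "guardian tier unreachable; fail closed"
		return d
	}
	d.Allowed, d.Reason = true, d.Reason+"allowed by "+d.Tier
	return d
}
```

Two design points worth noticing. Escalation happens after the mode check and only changes routing, so an escalated read is still allowed in a read-only session but now has to pass Spot Guard; and a name that matches several tiers (read_admin_log) lands in the riskiest one, whereas substring matching of the kind the word "pattern-match" might suggest would let forget_secret downgrade to read. That downgrade risk is why the per-tool override the Capabilities section mentions matters in practice: classify by name for convenience, pin the tools you care about explicitly.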

Capabilities

Built for the agentic era

Protocol convergence, behavioral analytics, and Deep Guard review — all in one platform. Every capability below is implemented with tests.

Cross-Protocol Authorization

The MCP proxy, A2A adapter, and API session paths translate actions into the same unified check. One policy model can apply across supported integrations.

Dynamic Effect Classification

Routed actions are classified at runtime by matching against 34 keywords across four tiers. Operators can override classification per-tool when needed.

Session-Based Privileges

Sessions start in read-only mode. Elevation requires human approval, is time-boxed to five minutes, and scoped to specific actions. Admin actions can never be elevated — a hard safety boundary.

Behavioral Anomaly Detection

Monitors denial rates and write ratios per session. Anomaly signals can raise scrutiny by escalating effect classification when behavior moves into riskier patterns.

Delegation Chain Verification

A2A delegations are verified for chain continuity, scope narrowing (privileges only shrink), a maximum depth of five hops, a prohibition on self-delegation, and expiration at every link.
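
A verifier for the five link checks listed above, written for this page as an added example rather than taken from the A2A adapter. The Delegation type, its field names, the sentinel error values and the constructed sample chain are all assumptions of the example; how links are authenticated (that From really issued one) is outside what the page describes and is not shown.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// MaxDelegationDepth is the five-hop ceiling the page states for A2A chains.
const MaxDelegationDepth = 5

// Delegation is one link in an A2A chain: From hands To a subset of its own
// scope until ExpiresAt. The type and its field names are this example's own.
type Delegation struct {
	From, To  string
	Scope     []string
	ExpiresAt time.Time
}

var (
	ErrTooDeep      = errors.New("delegation chain exceeds maximum depth")
	ErrBrokenChain  = errors.New("delegation chain is not continuous")
	ErrSelfDelegate = errors.New("self-delegation is prohibited")
	ErrExpired      = errors.New("delegation link has expired")
	ErrScopeWidened = errors.New("delegated scope is wider than the delegator's")
)

// isSubset reports whether every permission in narrow is also present in wide.
func isSubset(narrow, wide []string) bool {
	allowed := make(map[string]bool, len(wide))
	for _, p := range wide {
		allowed[p] = true
	}
	for _, p := range narrow {
		if !allowed[p] {
			return false
		}
	}
	return true
}

// VerifyChain walks the chain outward from the root agent, checking each link for
// continuity, self-delegation, expiry and scope narrowing, and returns the effective
// scope held by the last delegate. Errors carry the offending link index and wrap
// the sentinel values above so callers can test them with errors.Is.
func VerifyChain(root string, rootScope []string, chain []Delegation, now time.Time) ([]string, error) {
	if len(chain) > MaxDelegationDepth {
		return nil, fmt.Errorf("%d links: %w", len(chain), ErrTooDeep)
	}
	holder, scope := root, rootScope
	for i, d := range chain {
		switch {
		case d.From != holder:
			return nil, fmt.Errorf("link %d is from %q, expected %q: %w", i, d.From, holder, ErrBrokenChain)
		case d.To == d.From:
			return nil, fmt.Errorf("link %d: %w", i, ErrSelfDelegate)
		case !now.Before(d.ExpiresAt):
			return nil, fmt.Errorf("link %d: %w", i, ErrExpired)
		case !isSubset(d.Scope, scope):
			return nil, fmt.Errorf("link %d: %w", i, ErrScopeWidened)
		}
		holder, scope = d.To, d.Scope // privileges only shrink from here on
	}
	return scope, nil
}

func main() {
	now := time.Now()
	chain := []Delegation{ // constructed sample: orchestrator -> planner -> worker
		{From: "orchestrator", To: "planner", Scope: []string{"read", "write"}, ExpiresAt: now.Add(time.Hour)},
		{From: "planner", To: "worker", Scope: []string{"read"}, ExpiresAt: now.Add(time.Hour)},
	}
	scope, err := VerifyChain("orchestrator", []string{"read", "write", "delete"}, chain, now)
	fmt.Println("effective scope:", scope, "error:", err)
}
```

Each link is compared against the scope that the previous link already narrowed, not against the root, so a widening anywhere in the chain is caught. The root scope must come from something the verifier trusts (the local session's ceiling); if it is taken from the first link itself, the whole chain is only as honest as that link.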

MCP Sampling Guard

When MCP servers request LLM inference, AgentTrust ID intercepts: rate-limits to ten requests per five-minute window, scans prompts for dangerous patterns, and routes through the full Guardian pipeline.
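
An added example of the ten-per-five-minute budget as a sliding-window limiter, written for this page rather than taken from the MCP proxy. Per-server keying, the sliding (rather than fixed) window and the retry-after hint are this example's choices; the dangerous-pattern scan is not shown because the page does not list the patterns.

```go
package main

import (
	"fmt"
	"time"
)

// Budget for MCP sampling requests as stated on this page: ten per five-minute window.
const (
	samplingLimit  = 10
	samplingWindow = 5 * time.Minute
)

// SamplingLimiter keeps, per MCP server, the timestamps of admitted sampling requests
// that still fall inside the window. Per-server keying and the sliding (rather than
// fixed) window are this example's choices; callers must pass non-decreasing times.
type SamplingLimiter struct {
	admitted map[string][]time.Time
}

func NewSamplingLimiter() *SamplingLimiter {
	return &SamplingLimiter{admitted: map[string][]time.Time{}}
}

// Allow admits a request from server at time now if fewer than samplingLimit requests
// were admitted in the preceding window. It returns the budget left after this call and,
// when denied, how long until the oldest admitted request ages out and frees a slot.
func (l *SamplingLimiter) Allow(server string, now time.Time) (ok bool, remaining int, retryAfter time.Duration) {
	cutoff := now.Add(-samplingWindow)
	kept := l.admitted[server][:0] // filter in place: drop timestamps that left the window
	for _, ts := range l.admitted[server] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}
	if len(kept) >= samplingLimit {
		l.admitted[server] = kept
		return false, 0, kept[0].Add(samplingWindow).Sub(now)
	}
	l.admitted[server] = append(kept, now)
	return true, samplingLimit - len(kept) - 1, 0
}

func main() {
	lim := NewSamplingLimiter()
	for i := 1; i <= samplingLimit+2; i++ { // the 11th and 12th requests are refused
		ok, left, retry := lim.Allow("mcp-server-1", time.Now())
		fmt.Printf("request %2d: allowed=%t remaining=%d retry_after=%s\n", i, ok, left, retry.Round(time.Second))
	}
}
```

A sliding window is used deliberately: with fixed five-minute buckets a server could issue ten requests just before a boundary and ten just after, doubling the budget for a short burst. The retry-after value is the time until the oldest request in the window expires, which is what a proxy would put in its refusal so a well-behaved server backs off instead of hammering.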

Decision Integrity

AgentTrust ID records authorization decisions and audit events with chain-continuity checks. The accountability API verifies live session integrity for active sessions; it is not presented as a full historical replay proof.
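
An added example, not the audit or session service's own code, of the two integrity mechanisms this page names: the SHA-256-chained decision log described here and in the "Decide and audit" step, and the HMAC-SHA256 session-record signature from the "Check session state" step. The entry layout, the genesis value, the record serialization and the demo key are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one decision in the SHA-256-chained log. Each hash covers the entry's own
// fields plus the previous hash, so editing, reordering or re-hashing an earlier entry
// breaks every link after it. The layout and field names are this example's own.
type Entry struct {
	Seq       int
	SessionID string
	Tool      string
	Allowed   bool
	PrevHash  string
	Hash      string
}

// genesis is the previous-hash value of the first entry (assumption of this example).
var genesis = hex.EncodeToString(make([]byte, sha256.Size))

func entryHash(e Entry) string {
	h := sha256.New()
	// %q quotes the strings, so a field that contains the separator cannot mimic another layout.
	fmt.Fprintf(h, "%d|%q|%q|%t|%s", e.Seq, e.SessionID, e.Tool, e.Allowed, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

type DecisionLog struct{ Entries []Entry }

// Append records a decision and links it to the current chain head.
func (l *DecisionLog) Append(sessionID, tool string, allowed bool) Entry {
	e := Entry{Seq: len(l.Entries), SessionID: sessionID, Tool: tool, Allowed: allowed, PrevHash: l.Head()}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Head returns the latest hash: the value an external verifier compares with the
// chain head reported through the accountability API.
func (l *DecisionLog) Head() string {
	if len(l.Entries) == 0 {
		return genesis
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify recomputes the chain and returns the index of the first entry whose sequence
// number, back-link or hash does not match, or -1 when the whole chain is intact.
func (l *DecisionLog) Verify() int {
	prev := genesis
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// SignSession and VerifySession are the session-record integrity check: an HMAC-SHA256
// tag over the serialized record, compared in constant time with hmac.Equal.
func SignSession(key []byte, record string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(record))
	return hex.EncodeToString(mac.Sum(nil))
}

func VerifySession(key []byte, record, tag string) bool {
	want, err := hex.DecodeString(tag)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(record))
	return hmac.Equal(mac.Sum(nil), want)
}

func main() {
	var dl DecisionLog // constructed sample decisions
	dl.Append("sess-1", "web_search", true)
	dl.Append("sess-1", "delete_file", false)
	fmt.Println("chain head:", dl.Head(), "first bad entry:", dl.Verify())
	key := []byte("constructed-demo-key") // in production the key stays with the session service
	fmt.Println("session tag:", SignSession(key, `{"id":"sess-1","mode":"read-only"}`))
}
```

Verify catches an edited entry (its hash no longer matches) and a re-hashed one (the next entry's back-link no longer matches), but it cannot detect that the tail of the chain was cut off: a truncated chain still verifies. That is exactly what an externally held copy of the chain head is for, and why the page is careful to call the accountability API a live integrity check rather than a full historical replay proof.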

Cross-Org Federation

Agents from different organizations interact via opaque federation tokens. Server-side introspection verifies active tokens and revocation state before bridging them into local AgentTrust ID sessions. No PKI infrastructure required.

Guardian Pipeline

Three tiers. Routed by risk.

Supported SDK and protocol-adapter checks route through Fast Guard first. Higher-risk actions can escalate to Spot and Deep tiers, and production Guardian JWT verification fails closed when key material is missing.

Tier 1

Fast Guard

Rule-based evaluation for routed checks. Checks capabilities, blocklists, and scope with a low-latency prefilter.

Tier 2

Spot Guard

Policy engine. Risk scoring, cumulative analysis, credential age, action history. Evaluates mutating and higher.

Tier 3

Deep Guard

AI reasoning via Claude. Context-aware evaluation with confidence scores. Destructive and admin actions only.

How each effect tier routes through the Guardian pipeline

| Effect | Keywords | Pipeline | If Guardian Down |
|---|---|---|---|
| read | get, list, read, describe, search, view, fetch, query, head | Fast Guard only | N/A (Fast Guard only) |
| mutating | write, update, create, execute, invoke, modify, send, put, post, commit, push, deploy | Fast + Spot | Falls back to Fast Guard |
| destructive | delete, drop, destroy, purge, terminate, remove, truncate | Fast + Spot + Deep | Fail-closed (denied) |
| admin | admin, transfer_ownership, revoke, escalate, grant, impersonate | Fast + Spot + Deep | Fail-closed (denied) |
Architecture

9 services. One authorization layer.

Core services are Go binaries. Redis backs session, revocation, cache, and rate-limit state; Postgres stores identity, policy, and audit data. Internal auth is implemented, and TLS/mTLS support is configurable per deployment path.

AgentTrust ID architecture diagram: a layered architecture showing the Gateway at the top, three protocol adapters (MCP, A2A, API) in the second layer, the Unified Checker in the center with Effect Classification, Session Management, Anomaly Detection, and Approval Gate, direct Fast Guard checks in auth-service, Guardian Router routing for Spot and Deep, and supporting services (Identity, Audit, Revocation) at the bottom.

Gateway :8080 · GraphQL + REST
MCP Proxy · Tool calls · Sampling guard
A2A Server · Task dispatch · JSON-RPC
API Adapter · JWT → sessions
Unified Checker · internal/agenttrust/check.go · Effect Classification · Session + Scope Validation · Anomaly Detection · Approval Gate
Guardian Router :8085 · Spot/Deep routing
Auth / Fast Guard :8082 · Rule-based
Spot Guard :8086 · Policy engine
Deep Guard :8087 · Claude reasoning
Identity :8081 · Agent registry
Audit :8084 · Event log + SIEM
Revocation :8083 · Instant revoke
SDKs

Five languages. Same pattern.

Check before execute. Report after. Elevation handled automatically. Every SDK includes Sessions, Approvals, Guard, and Actions APIs.

# Python SDK — pip install agenttrustid, available June 1, 2026
from agenttrustid import AgentTrustClient, AgentTrustGuard

client = AgentTrustClient(
    base_url="https://your-agenttrust-endpoint.example",  # configure your endpoint
    api_key="sk_live_...",
)

# Guard pattern: check → execute → report.
# agent_id, session_id, query, perform_search() and request_human_approval()
# are placeholders for values and functions from your own agent code.
guard = AgentTrustGuard(client, agent_id=agent_id)

if guard.check("web_search", input_summary="..."):
    result = perform_search(query)
    guard.report("web_search", success=True, duration_ms=42)

# Or inspect the decision directly — .allowed / .elevation_required / .approval_id
decision = client.actions.check(agent_id=agent_id, tool_name="web_search", session_id=session_id)
if decision.elevation_required:
    request_human_approval(decision.approval_id)

Open source under the Apache License 2.0. Source on GitHub from June 1, 2026.

Clarity

What AgentTrust ID is not

We do one thing and do it well. These are complementary layers handled by other tools in your stack.

Not a certificate authority. No X.509, no PKI, no certificate lifecycle management. Pair with Let's Encrypt, HashiCorp Vault, or your certificate authority for TLS.
Not an identity provider. No SSO, no password management, no human user authentication. Pair with Okta, Auth0, or Microsoft Entra.
Not a credential vault. No API key storage, no secrets management. Pair with 1Password, HashiCorp Vault, or AWS Secrets Manager.
Not monitoring-only. We authorize actions before they execute — not just observe after the fact.
Not framework-specific. Works at the protocol layer. Any agent framework (LangChain, CrewAI, AutoGen, bespoke) can use AgentTrust ID.
Not pre-deployment scanning. We authorize routed agent actions at runtime — not once before deployment.
Request a Demo

See AgentTrust ID in action

Tell us what you are building and we will be in touch.

Prefer email? contact@agenttrust.id