Python SDK for the Agentic Power of Attorney (APOA) standard
Project description
APOA Python SDK
Python SDK for the Agentic Power of Attorney (APOA) standard -- authorization infrastructure for AI agents.
Install
pip install apoa
Quick Start
from apoa import (
APOADefinition, Agent, BrowserSessionConfig, Principal,
Rule, ServiceAuthorization, SigningOptions,
create_client, generate_key_pair,
)
# Generate keys and create a client
private_key, public_key = generate_key_pair()
client = create_client(default_private_key=private_key)
# Create a signed authorization token
token = client.create_token(APOADefinition(
principal=Principal(id="did:apoa:you"),
agent=Agent(id="did:apoa:your-agent", name="HomeBot Pro"),
services=[ServiceAuthorization(
service="nationwidemortgage.com",
scopes=["rate_lock:read", "documents:read"],
constraints={"signing": False},
access_mode="browser",
browser_config=BrowserSessionConfig(
allowed_urls=["https://portal.nationwidemortgage.com/*"],
credential_vault_ref="1password://vault/mortgage-portal",
),
)],
rules=[Rule(id="no-signing", description="Never sign anything", enforcement="hard")],
expires="2026-09-01",
))
# Authorize actions
result = client.authorize(token, "nationwidemortgage.com", "rate_lock:read")
print(result.authorized) # True
result = client.authorize(token, "nationwidemortgage.com", "documents:sign")
print(result.authorized) # False
Features
- Token lifecycle: create, sign (Ed25519/ES256), validate, parse
- Scope matching: hierarchical pattern matching (
appointments:*matchesappointments:read) - Constraint enforcement: boolean denial at the SDK level, rich constraints at the protocol level
- Authorization: revocation + scope + constraints + hard/soft rules in one call
- Delegation chains: parent-to-child with cryptographically enforced attenuation
- Cascade revocation: revoke parent, kill all children instantly
- Audit trail: append-only action log per token
- Cross-SDK compatibility: tokens created by the TypeScript SDK validate in Python and vice versa
Cross-SDK Compatibility
Tokens are JWTs. A token signed by @apoa/core (TypeScript) validates in apoa (Python) and vice versa. The serialization layer handles camelCase (JWT payload) to snake_case (Python) mapping automatically.
API
Two usage styles:
# Style 1: Client instance (recommended)
client = create_client(default_private_key=key)
client.authorize(token, "service.com", "action:read")
# Style 2: Standalone imports
from apoa import authorize, check_scope
check_scope(token, "service.com", "action:read")
See the full spec and TypeScript SDK for more.
License
Apache 2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file apoa-0.1.0.tar.gz.
File metadata
- Download URL: apoa-0.1.0.tar.gz
- Upload date:
- Size: 26.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
12b4f78ad78d7df61a555b69b2c999f316138f7ad8578f26da709fae4551cb86
|
|
| MD5 |
d3ab9d9eb549d0492c27ae2091f07178
|
|
| BLAKE2b-256 |
20bbf9f5a915d8aca24d62e30eee8b0d4efdf446fbed01bf1f4102dff15350b8
|
File details
Details for the file apoa-0.1.0-py3-none-any.whl.
File metadata
- Download URL: apoa-0.1.0-py3-none-any.whl
- Upload date:
- Size: 22.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
78ba4a68cbca5545a179aa379c89c195657336d01b55f8f52587e6e4e663a416
|
|
| MD5 |
4c10b200e600236931bc9b06cd724dbc
|
|
| BLAKE2b-256 |
4eaa30980aa4392289671e3ecb6280e92de696218c788fad70da617433dcdf31
|
