Python SDK for the Grantex delegated authorization protocol — OAuth 2.0 for AI agents
Project description
grantex
Python SDK for the Grantex delegated authorization protocol — OAuth 2.0 for AI agents.
Grantex lets humans authorize AI agents with verifiable, revocable, audited grants built on JWT and the OAuth 2.0 model. This SDK provides a complete client for the Grantex API.
Install
pip install grantex
Quick start
from grantex import Grantex, ExchangeTokenParams, verify_grant_token, VerifyGrantTokenOptions
client = Grantex(api_key="YOUR_API_KEY")
# 1. Start the authorization flow
request = client.authorize(
agent_id="ag_01HXYZ...",
user_id="usr_01HXYZ...",
scopes=["files:read", "email:send"],
)
# Redirect the user to the consent page — they approve in plain language
print(request.consent_url)
# 2. Exchange the authorization code for a grant token
# (your redirect callback receives the `code` after user approves)
token = client.tokens.exchange(ExchangeTokenParams(code=code, agent_id="ag_01HXYZ..."))
print(token.grant_token) # RS256-signed JWT
print(token.scopes) # ('files:read', 'email:send')
# 3. Verify the grant token offline (no network call)
grant = verify_grant_token(
token=token.grant_token,
options=VerifyGrantTokenOptions(
jwks_uri="https://api.grantex.dev/.well-known/jwks.json",
),
)
print(grant.principal_id) # 'usr_01HXYZ...'
# 4. Revoke when done
client.tokens.revoke(grant.token_id)
Offline verification
Verify grant tokens without a network call using the public JWKS:
from grantex import verify_grant_token
verified = verify_grant_token(
token="eyJhbGciOiJSUzI1NiIs...",
jwks_url="https://api.grantex.dev/.well-known/jwks.json",
)
print(verified.scopes) # ['files:read', 'email:send']
print(verified.principal_id) # 'usr_01HXYZ...'
print(verified.agent_did) # 'did:web:...'
Features
| Feature | Description |
|---|---|
| Authorization flow | client.authorize() — initiate consent, get grant tokens |
| Token exchange | client.tokens.exchange() — exchange an authorization code for a grant token |
| Token management | client.tokens.verify(), .revoke() — online verification and revocation |
| Offline verification | verify_grant_token() — RS256 signature check against JWKS |
| Agent management | client.agents.create(), .get(), .list(), .update(), .delete() |
| Grant management | client.grants.list(), .get(), .revoke() |
| Multi-agent delegation | client.grants.delegate() — scoped sub-grants with cascade revocation |
| Audit trail | client.audit.log(), .list(), .get() — tamper-evident hash-chained log |
| Policy engine | client.policies.create(), .list(), .update(), .delete() |
| Anomaly detection | client.anomalies.list(), .detect() |
| Compliance | client.compliance.summary(), .export_audit(), .export_grants(), .evidence_pack() |
| Webhooks | client.webhooks.create(), .list(), .delete() + verify_webhook_signature() |
| Billing | client.billing.status(), .checkout(), .portal() |
| SCIM 2.0 | client.scim.create_user(), .list_users(), .get_user(), .update_user(), .delete_user() |
| OIDC SSO | client.sso.create_config(), .get_config(), .login(), .callback() |
Configuration
from grantex import Grantex
# Explicit API key
client = Grantex(api_key="gx_live_...")
# Or via environment variable
# export GRANTEX_API_KEY=gx_live_...
client = Grantex()
# Custom base URL (self-hosted)
client = Grantex(
api_key="gx_live_...",
base_url="https://auth.your-company.com",
)
# Custom timeout (seconds)
client = Grantex(api_key="gx_live_...", timeout=60.0)
The client also works as a context manager:
with Grantex(api_key="gx_live_...") as client:
agents = client.agents.list()
Error handling
from grantex import Grantex, GrantexApiError, GrantexAuthError, GrantexNetworkError
client = Grantex(api_key="gx_live_...")
try:
client.agents.get("ag_invalid")
except GrantexAuthError:
# 401 — invalid or expired API key
pass
except GrantexApiError as e:
# Any other API error (4xx/5xx)
print(e.status_code, e.code, e.message)
except GrantexNetworkError:
# Connection failure, timeout, DNS error
pass
Requirements
- Python 3.9+
- httpx (sync HTTP client)
- PyJWT + cryptography (for offline token verification)
Links
License
Apache 2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
grantex-0.1.2.tar.gz
(24.7 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
grantex-0.1.2-py3-none-any.whl
(22.3 kB
view details)
File details
Details for the file grantex-0.1.2.tar.gz.
File metadata
- Download URL: grantex-0.1.2.tar.gz
- Upload date:
- Size: 24.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3d8238e5ca3d1616c3c3828fc1738e6579efc009fade64b7c3d5c07272423829
|
|
| MD5 |
ec2fd07b37a63a31abef14ee32e0d622
|
|
| BLAKE2b-256 |
c1bfbea6f624b8ca3d59cd4689b654931f1be895cd1bbbcd829ca052e798dbfc
|
File details
Details for the file grantex-0.1.2-py3-none-any.whl.
File metadata
- Download URL: grantex-0.1.2-py3-none-any.whl
- Upload date:
- Size: 22.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
02ba8346cb05e1543adb5f22498c652cc8c46afbdcfe2ef64cf3f02ec73cd179
|
|
| MD5 |
4414c641fdc4e9a96a762197dbbf0830
|
|
| BLAKE2b-256 |
40eec7ce572befe83339a7cc00f9575ac22e700f9186a43c15a85ffcf5f03daa
|
