Agent-specific identity and access management for AI agents
Project description
theaios-agent-auth
Agent-specific identity and access management for AI agents.
What does it do?
When AI agents operate in your enterprise, the authorization question changes from "Can this user do X?" to:
"Can this agent, acting on behalf of this user, do X, right now, on this resource?"
agent-auth answers that question. It is a lightweight, YAML-driven authorization engine purpose-built for AI agent systems. No cloud dependency. No vendor lock-in. Just a Python library and a CLI.
Features
- Roles with inheritance — define hierarchical permission sets via
extends - Agent profiles — assign roles, allow/deny specific actions, scope to resource patterns
- Three-tier approval — autonomous / soft / strong
- Sessions — time-limited, scope-bound authorization contexts (UUID4 IDs)
- Delegation — temporary permission grants from users to agents
- Agent-to-agent (A2A) — control which agents can invoke which
- Audit logging — every decision recorded in JSONL
- Safe expression language — custom DSL for policy conditions (no
eval()) - CLI — validate, check, manage sessions and delegations from the terminal
Quick Start
Install
pip install theaios-agent-auth
Define your policy (agent_auth.yaml)
version: "1.0"
roles:
viewer:
actions: [read]
editor:
extends: viewer
actions: [write]
profiles:
assistant:
role: editor
scopes: []
approval_policies:
- name: destructive
condition: 'action == "delete"'
tier: strong
Use in Python
from theaios.agent_auth.config import load_config
from theaios.agent_auth.engine import AuthEngine
from theaios.agent_auth.types import AuthRequest
config = load_config("agent_auth.yaml")
engine = AuthEngine(config)
decision = engine.authorize(AuthRequest(
agent="assistant",
user="alice",
action="read",
))
print(decision.allowed) # True
print(decision.is_autonomous) # True
print(decision.is_denied) # False
Use the CLI
# Validate your config
agent-auth -c agent_auth.yaml validate
# Check a permission
agent-auth -c agent_auth.yaml check --agent assistant --user alice --action read
# Create a session
agent-auth -c agent_auth.yaml sessions --create --agent assistant --user alice --scope "project:*"
# Delegate permissions
agent-auth -c agent_auth.yaml delegate --from-user alice --to-agent assistant --actions deploy --duration 3600
Why this library?
| Approach | Limitation |
|---|---|
| Okta / Azure AD | Built for human users, not AI agents. No concept of approval tiers, agent scopes, or A2A authorization. |
| OPA / Cedar | General-purpose policy engines. Powerful but require significant effort to model agent-specific patterns (sessions, delegation, A2A). |
| Custom code | Every team reinvents the same patterns. No standard, no audit trail, no CLI tooling. |
agent-auth |
Purpose-built for AI agents. YAML config, three-tier approval, sessions, delegation, A2A, audit — all out of the box. Safe expression language — no eval(). |
Documentation
Full documentation: cohorte-ai.github.io/agent-auth
| Topic | Link |
|---|---|
| Concepts | concepts |
| Config syntax | config-syntax |
| CLI reference | cli |
| API reference | api-reference |
| Integration | integration |
Ecosystem
agent-auth is part of the theaios platform — modular tech bricks for enterprise AI systems:
| Package | Purpose |
|---|---|
| theaios-guardrails | Input/output guardrails (TrustGate) |
| theaios-context-router | Intelligent context routing |
| theaios-agent-monitor | Runtime observability |
| theaios-agent-auth | Identity and access management |
License
Apache 2.0 — see LICENSE.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file theaios_agent_auth-0.1.0.tar.gz.
File metadata
- Download URL: theaios_agent_auth-0.1.0.tar.gz
- Upload date:
- Size: 61.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
09cf45d39bae774f59e29314c25066e8cae80be9479bd5d1bf0ec19e5b86b99e
|
|
| MD5 |
d081d14fd57263a5a3cc546080a4a826
|
|
| BLAKE2b-256 |
0010cab4e3bf91765246cdfe3c9c4ce47435712b45823d2ab1744727e40e0c23
|
File details
Details for the file theaios_agent_auth-0.1.0-py3-none-any.whl.
File metadata
- Download URL: theaios_agent_auth-0.1.0-py3-none-any.whl
- Upload date:
- Size: 40.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f6e92e626ebf9c47d8323e9d76cde472b11e39698fd15bbd7e53da5eadaac1f1
|
|
| MD5 |
eaf7b30ba0b31d8ae97459f6592deaac
|
|
| BLAKE2b-256 |
c9d424ee772060ae43634187cf17badb7c0d9e59a91973a64fe96667733c0c04
|
