Show HN: Grantex – an open authentication protocol for AI agents, like OAuth for agents
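Original source: hackernews · Summarized and analyzed by Genesis Park
Summary
Grantex, an open protocol for authentication between AI agents, has been released. Like OAuth, which is widely used for user authentication in web services, it is designed so that an agent can safely access another agent's resources. Developers expect Grantex to make collaboration between agents smoother and to help them manage security issues effectively.
Body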
What OAuth 2.0 is to humans, Grantex is to agents.

Docs | Playground | Spec | Dashboard | IETF Draft

```bash
npm install @grantex/sdk
```

```javascript
import { Grantex, verifyGrantToken } from '@grantex/sdk';

const gx = new Grantex({ apiKey: process.env.GRANTEX_API_KEY });

// 1. Authorize an agent for a user
const auth = await gx.authorize({
  agentId: 'agent-123',
  userId: 'user-456',
  scopes: ['calendar:read', 'email:send']
});

// 2. Exchange code for a scoped, signed JWT
const { grantToken } = await gx.tokens.exchange({
  code: auth.code,
  agentId: 'agent-123'
});

// 3. Verify anywhere — offline, no callback needed
const grant = await verifyGrantToken(grantToken, {
  jwksUri: 'https://api.grantex.dev/.well-known/jwks.json'
});
console.log(grant.scopes); // ['calendar:read', 'email:send']
```

```bash
pip install grantex                          # Python
go get github.com/mishrasanjeev/grantex-go   # Go
npm install -g @grantex/cli                  # CLI
```

30+ packages across TypeScript, Python, and Go. Integrations for Anthropic SDK, LangChain, OpenAI Agents SDK, Google ADK, CrewAI, Vercel AI, AutoGen, MCP, Express.js, FastAPI, and Terraform. 679+ tests. Fully self-hostable. Apache 2.0.

AI agents are booking travel, sending emails, deploying code, and spending money — on behalf of real humans. But:

- No scoping — agents get the same access as the key owner
- No consent — users never approve what the agent can do
- No per-agent identity — you know the key was used, but not which agent or why
- No revocation granularity — one agent misbehaves, rotate the key, kill everything
- No delegation control — Agent A calls Agent B? Copy-paste credentials
- No spending limits — an agent with a cloud API key can provision unlimited resources

OAuth solved this for web apps. IAM solved it for cloud. AI agents have nothing. Until now.
```javascript
import { Grantex } from '@grantex/sdk';

const grantex = new Grantex({ apiKey: process.env.GRANTEX_API_KEY });

const agent = await grantex.agents.register({
  name: 'travel-booker',
  description: 'Books flights and hotels on behalf of users',
  scopes: ['calendar:read', 'payments:initiate:max_500', 'email:send'],
});
console.log(agent.did); // → did:grantex:ag_01HXYZ123abc...

const authRequest = await grantex.authorize({
  agentId: agent.id,
  userId: 'user_abc123', // your app's user identifier
  scopes: ['calendar:read', 'payments:initiate:max_500'],
  expiresIn: '24h',
  redirectUri: 'https://yourapp.com/auth/callback',
});

// Redirect user to authRequest.consentUrl
// Grantex handles the consent UI — plain language, mobile-first
console.log(authRequest.consentUrl); // → https://consent.grantex.dev/authorize?req=eyJ...

// After user approves, your redirectUri receives a `code`.
// Exchange it for a signed grant token (RS256 JWT):
const token = await grantex.tokens.exchange({
  code, // from the redirect callback
  agentId: agent.id,
});
console.log(token.grantToken); // RS256 JWT — pass this to your agent
console.log(token.scopes);     // ['calendar:read', 'payments:initiate:max_500']
console.log(token.grantId);    // 'grnt_01HXYZ...'
```
```javascript
// Verify offline — no network call needed (uses published JWKS)
import { verifyGrantToken } from '@grantex/sdk';

const grant = await verifyGrantToken(token.grantToken, {
  jwksUri: 'https://api.grantex.dev/.well-known/jwks.json',
  requiredScopes: ['calendar:read'],
});
console.log(grant.principalId); // 'user_abc123'
console.log(grant.scopes);      // ['calendar:read', 'payments:initiate:max_500']

// Pass to your agent — it's now authorized
await travelAgent.run({
  grantToken: token.grantToken,
  task: 'Book cheapest flight to Delhi on March 1'
});
```

```javascript
// Inside your agent — one line, zero overhead
await grantex.audit.log({
  agentId: agent.id,
  grantId: token.grantId,
  action: 'payment.initiated',
  status: 'success',
  metadata: { amount: 420, currency: 'USD', merchant: 'Air India' },
});
```

```javascript
// In any service that receives agent requests — no Grantex account needed
import { verifyGrantToken } from '@grantex/sdk';

const grant = await verifyGrantToken(token, {
  jwksUri: 'https://grantex.dev/.well-known/jwks.json', // or cache locally
  requiredScopes: ['payments:initiate'],
});
// Throws if token is expired, revoked, tampered, or missing required scopes
```

```javascript
// Generate a short-lived link for the end-user to view & revoke agent access
const session = await grantex.principalSessions.create({
  principalId: 'user_abc123',
  expiresIn: '2h',
});
// Send session.dashboardUrl to the user via email, in-app notification, etc.
```
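An added example, not part of the original page or the Grantex SDK: a minimal resource-server check in Node.js that verifies an RS256 grant token offline and enforces a capped scope such as `payments:initiate:max_500`. The claim names (`sub`, `scp`, `exp`), the reading of `max_N` as a per-action ceiling, and the helpers `mintToken` and `checkGrant` are assumptions made for illustration; the key pair is constructed in place of a fetched JWKS, and revocation is not covered because it needs state beyond the token.

```javascript
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');

// Constructed issuer key pair; a real verifier loads the public key from the JWKS.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Helper that mints a signed JWT for the demo. Claim names are assumptions.
function mintToken(claims, key = privateKey, alg = 'RS256') {
  const head = b64u(JSON.stringify({ alg, typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${b64u(sig)}`;
}

// Verify signature and expiry, then enforce the scope and any max_N cap.
function checkGrant(token, pubKey, required, amount, now = Date.now() / 1000) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm: the verifier decides it, never the token header.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify('sha256', signed, pubKey, Buffer.from(sig, 'base64url'))) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) {
    return { ok: false, reason: 'expired' };
  }
  // A granted scope matches if it equals the required one or extends it with :max_N.
  for (const s of Array.isArray(claims.scp) ? claims.scp : []) {
    if (s === required) return { ok: true, principal: claims.sub };
    const m = /^(.+):max_(\d+)$/.exec(s);
    if (m && m[1] === required) {
      // Fails closed: a missing or non-numeric amount is treated as over the cap.
      return amount <= Number(m[2]) ? { ok: true, principal: claims.sub } : { ok: false, reason: 'over-limit' };
    }
  }
  return { ok: false, reason: 'missing-scope' };
}
```

Checking the cap at the service that executes the action, rather than only in the agent, means a compromised or confused agent cannot exceed what the user approved.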
```python
import os

from grantex import Grantex, ExchangeTokenParams

client = Grantex(api_key=os.environ["GRANTEX_API_KEY"])

# Register agent
agent = client.agents.register(
    name="finance-agent",
    scopes=["transactions:read", "payments:initiate:max_100"],
)

# Authorize a user
auth = client.authorize(
    agent_id=agent.id,
    user_id="user_abc123",
    scopes=["transactions:read", "payments:initiate:max_100"],
)
# Redirect user to auth.consent_url — they approve in plain language

# Exchange the authorization code for a grant token
token = client.tokens.exchange(ExchangeTokenParams(code=code, agent_id=agent.id))

# Verify the tok
```
This analysis was written by the Genesis Park editorial team with the help of AI. The original can be found via the source link.