Grantex lets humans authorize AI agents with verifiable, revocable, audited grants — an open protocol built on JWT and the OAuth 2.0 model.
Today's AI frameworks offer no standard way to authorize, audit, or revoke what agents do on behalf of humans.
Agents invoke APIs, read files, and send emails — with no verifiable proof that a human consented. If something goes wrong, there's no audit trail to follow.
Once an agent has a credential, revoking it requires hunting down every token manually. There's no standard for instant, cascading invalidation across sub-delegations.
Compliance requires knowing exactly what each agent did, when, and under whose authority. Without a tamper-evident audit trail, you're flying blind.
Agents use shared secrets with no identity, no scoping, and no revocation. The numbers from 2025 speak for themselves.
Shai-Hulud worm — 500+ npm packages, 2.6B weekly downloads. Stole all cloud credentials from CI runners.
SANDWORM_MODE — 19 malicious npm packages installed rogue MCP servers in Claude Code, Cursor, and Windsurf. Targeted API keys from 9 LLM providers.
OpenClaw — 21,639 exposed instances publicly leaking OAuth tokens and plaintext credentials.
CVE-2026-21852 — Simply opening a crafted repo in Claude Code was enough to exfiltrate the developer's active Anthropic API key.
Read the full analysis: 4 Agent Security Breaches That Should Change How You Think About API Keys
Your agent reads an internal doc via MCP, is prompt-injected, and forwards confidential customer PII to an external endpoint. API key used: yours. Action log: empty. Authorization record: none.
No consent record exists. The agent used your master key. You own the liability.
Grantex fixes this →Full key = full access. No scope means no blast radius boundary.
Grantex fixes this →No audit trail, no scoped token, no revocation log. The compliance gap is total.
Grantex fixes this →Grantex is not a replacement for Vault or Secrets Manager — it is the missing agent identity layer that works alongside them.
| Tool | Secrets | Agent ID | Scoped | Revoke | Audit |
|---|---|---|---|---|---|
| HashiCorp VaultSecret storage & rotation | ✓ | ✕ | ✕ | ✕ | ✕ |
| AWS Secrets MgrEncrypted secret storage | ✓ | ✕ | ✕ | ✕ | ~ |
| GitGuardianDetects leaked secrets | ~ | ✕ | ✕ | ✕ | ✕ |
| Snyk / SocketDependency vuln scanning | ✕ | ✕ | ✕ | ✕ | ✕ |
| DopplerSecrets injection at deploy | ✓ | ✕ | ✕ | ✕ | ✕ |
| GrantexAgent authorization protocol | ✓ | ✓ | ✓ | ✓ | ✓ |
OWASP, EU AI Act, and NIST now require agent-level identity, scoping, revocation, and audit trails. Grantex covers every requirement.
ASI-01: Goal hijacking · ASI-03: Identity abuse · ASI-05: Privilege escalation · ASI-10: Rogue agents. Grantex addresses all four with scoped grants, per-agent DIDs, delegation invariants, and instant revocation.
Art. 9: Risk management · Art. 13: Transparency · Art. 14: Human oversight. Grantex provides consent flows, Verifiable Credentials, event streaming, and one-click revocation.
Govern 1.1: Accountability · Map 5.1: Attribution · Measure 2.5: Audit trails. Every grant token traces to a human principal. Every action is hash-chained and exportable.
Full mapping: Compliance Matrix · OWASP deep-dive blog post
Five steps from consent to revocation, all enforced by cryptography.
Your app calls POST /v1/authorize
with the agent ID, user ID, and requested scopes. Grantex returns
a consent URL — redirect the user there.
The user sees exactly what the agent wants to do, described in plain English. One click — approved. Your redirect callback receives an authorization code.
Call grantex.tokens.exchange({ code, agentId })
to swap the authorization code for a signed RS256 JWT grant token
(JTI-tracked, scoped, time-limited).
Present the token to any microservice. It verifies the RS256 signature
against the public JWKS without a network round-trip, or calls
POST /v1/tokens/verify for
real-time revocation status.
Call POST /v1/tokens/revoke.
The JTI is blocklisted in Redis immediately. All sub-delegated tokens
derived from this grant are invalidated in the same operation.
Install the SDK and authorize your first agent in under 10 lines.
npm install @grantex/sdk
Copy
pip install grantex
Copy
npm install -g @grantex/cli
Copy
// npm install @grantex/sdk import { Grantex, verifyGrantToken } from '@grantex/sdk'; const grantex = new Grantex({ apiKey: 'YOUR_API_KEY' }); // 1. Request authorization — redirect user to consentUrl const { consentUrl } = await grantex.authorize({ agentId: 'ag_01J...', userId: 'usr_01J...', scopes: ['calendar:read', 'email:send'], }); // 2. Exchange the authorization code for a grant token const token = await grantex.tokens.exchange({ code, agentId: 'ag_01J...' }); // 3. Verify offline — no network call needed const grant = await verifyGrantToken(token.grantToken, { jwksUri: 'https://api.grantex.dev/.well-known/jwks.json', }); console.log(grant.scopes); // ['calendar:read', 'email:send']
# pip install grantex from grantex import Grantex, ExchangeTokenParams client = Grantex(api_key="YOUR_API_KEY") # 1. Request authorization — redirect user to consent_url auth = client.authorize( agent_id="ag_01J...", user_id="usr_01J...", scopes=["calendar:read", "email:send"], ) # 2. Exchange the authorization code for a grant token token = client.tokens.exchange(ExchangeTokenParams(code=code, agent_id="ag_01J...")) # 3. Use the token — scopes, grantId, and JWT are all available print(token.scopes) # ('calendar:read', 'email:send') print(token.grant_token) # RS256-signed JWT
# npm install -g @grantex/cli # All commands support --json for AI agent / script use # 1. Request authorization (sandbox auto-approves) grantex authorize --agent ag_01J... --principal user@example.com \ --scopes calendar:read,email:send # 2. Exchange the code for a grant token grantex tokens exchange --code <code> --agent-id ag_01J... # 3. Verify the token grantex tokens verify <jwt> # Machine-readable output grantex --json grants list | jq '.[0].grantId'
MPP defines how agents pay for services. Grantex adds the missing identity layer — so merchants know exactly who authorized every payment.
W3C VC 2.0 binding agent identity, human delegation, spending limits, and 9 MPP categories into one credential.
Merchants verify via cached JWKS — signature, expiry, category, and amount in a single call. No API roundtrip.
Look up any org by DID — DNS-TXT, SOC 2, or manual verification. Public endpoint, no auth required.
import { requireAgentPassport } from '@grantex/mpp'; // One line to protect any route app.use('/api/inference', requireAgentPassport({ requiredCategories: ['inference'], maxAmount: 10, })); // req.agentPassport is populated: // humanDID: did:grantex:user_alice // orgDID: did:web:acme.com // categories: [inference, compute] // maxAmount: 50 USDC // depth: 0 (direct grant)
const passport = await grantex.passports.issue({ agentId: 'ag_01HXYZ...', grantId: 'grnt_01HXYZ...', allowedMPPCategories: ['inference', 'compute'], maxTransactionAmount: { amount: 50, currency: 'USDC' }, }); const mw = createMppPassportMiddleware({ passport });
npm install @grantex/mpp
Copy
x402 lets agents pay for APIs with USDC on Base L2. Grantex adds the missing layer — proving the agent was authorized to spend before any payment goes through.
x402 proves payment was made, but not that the agent was authorized. A compromised agent can drain a wallet with no scope, no limit, and no kill switch.
A GDT (Grantex Delegation Token) is a W3C Verifiable Credential that encodes who authorized the spend, what scope, how much, and when it expires.
Every issuance, verification, and revocation is logged. Instant revocation for compromised agents. Compliance-ready export.
import { generateKeyPair, issueGDT } from '@grantex/x402'; const principal = generateKeyPair(); const agent = generateKeyPair(); const gdt = await issueGDT({ agentDID: agent.did, scope: ['weather:read'], spendLimit: { amount: 10, currency: 'USDC', period: '24h' }, expiry: '24h', signingKey: principal.privateKey, });
import { x402Middleware } from '@grantex/x402'; app.use('/api/weather', x402Middleware({ requiredScopes: ['weather:read'], currency: 'USDC', })); // req.gdt is populated: // agentDID: did:key:z6Mk... // principalDID: did:key:z6Mk... // remainingLimit: 9.999 // scopes: [weather:read]
npm install @grantex/x402
Copy
Drop Grantex into any AI framework or language runtime.
End-to-end examples for every SDK and framework integration. Clone the repo, start the local stack, and run.
Core authorization lifecycle — register agent, authorize, exchange code, verify token offline, log audit entry, revoke.
Same core flow in Python — register, authorize, exchange, verify offline, audit, and revoke using the Python SDK.
Scoped tools with automatic audit callbacks. Create tools via
createGrantexTool,
attach audit handler, invoke.
Vercel AI SDK tools with Zod schemas, scope enforcement, and
withAuditLogging
wrapper. Works with generateText.
CrewAI tools with offline scope enforcement and audit logging. Demonstrates PermissionError on unauthorized scopes.
OpenAI Agents SDK tools with Grantex scope enforcement.
Uses @function_tool
decorator pattern with offline JWT scope checks.
Google Agent Development Kit tools with Grantex scope enforcement. Plain functions with docstrings — no decorator needed.
Security audited, standards-track, open source.
External security review found no critical or high severity findings. Full report available to enterprise customers under NDA.
Controls for Security, Availability, and Confidentiality trust service criteria reviewed and attested by an independent CPA firm.
The Grantex wire protocol is an open IETF Internet-Draft
(draft-mishra-oauth-agent-grants-00),
built on the OAuth 2.0 framework.
Connect with developers building the trust layer for AI agents.
Ask questions, share what you're building, and get help from the community and maintainers.
Propose RFCs, ask design questions, and participate in protocol discussions.
Grantex is Apache 2.0 licensed. Star the repo to follow releases and show your support.
Define fine-grained scope restrictions, rate limits, and time-bound grants per agent or team.
Sync agents and principals from your identity provider automatically.
Multi-IdP connections, domain-based routing, JIT provisioning, group-to-scope mapping, LDAP directory authentication, and SSO enforcement. Supports Okta, Azure AD, Google Workspace, PingFederate, OpenLDAP, Active Directory, FreeIPA, and any OIDC, SAML 2.0, or LDAP-compliant provider.
Pattern-based detection of unusual grant activity with real-time alerting.
SOC 2 and GDPR-ready audit log exports in standard formats.
Self-host the entire stack with our production Docker Compose configuration.
Encrypted per-user credential store. Agents exchange grant tokens for upstream service credentials.
Drop-in OAuth 2.1 + PKCE authorization for any MCP server with dynamic client registration.
Real-time SSE and WebSocket streams with Datadog, Splunk, S3, BigQuery, and Kafka destinations.
Per-grant spending limits with atomic debit, threshold alerts, and JWT budget claims.
Prometheus metrics, OpenTelemetry tracing, and Grafana dashboard templates out of the box.
Manage agents, policies, webhooks, and budgets as infrastructure with the official Terraform provider.
Pluggable policy engines — delegate authorization to Open Policy Agent or AWS Cedar.
Manage policies in Git with versioned bundles and automatic sync via webhooks.
Grantex grant tokens inside Google A2A agent-to-agent communication. TypeScript and Python.
Real-time API usage tracking with Redis counters, daily rollup, and per-plan rate limits.
Use your own domain for API endpoints with DNS TXT record verification.
Cryptographic human presence verification via passkeys. Biometric, security key, or platform authenticator — embedded as evidence in Verifiable Credentials.
Portable, tamper-proof authorization proof in W3C VC-JWT format. Any verifier can validate using the published DID document — no Grantex account needed.
Privacy-preserving credential presentation. Holders choose exactly which claims to reveal — minimum disclosure for each verifier.
W3C DID document at did:web:grantex.dev with RS256 and Ed25519 public keys for offline credential and token verification.
We work directly with engineering and security teams to design the right integration. Volume pricing and custom SLAs available.