{"id":50412003,"url":"https://github.com/siddhant-k-code/agentic-authz","last_synced_at":"2026-05-31T04:02:59.068Z","repository":{"id":334548706,"uuid":"1141673921","full_name":"Siddhant-K-code/agentic-authz","owner":"Siddhant-K-code","description":"Fine-grained authorization for AI agents using OpenFGA.","archived":false,"fork":false,"pushed_at":"2026-05-12T07:01:52.000Z","size":128,"stargazers_count":63,"open_issues_count":2,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-30T02:26:55.260Z","etag":null,"topics":["agent","agent-auth","agent-authentication","agent-security","fine-grained-authorization","openfga-client"],"latest_commit_sha":null,"homepage":"https://youtu.be/m1_l13bC2O8","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Siddhant-K-code.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-01-25T08:02:28.000Z","updated_at":"2026-05-26T16:02:48.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Siddhant-K-code/agentic-authz","commit_stats":null,"previous_names":["siddhant-k-code/agentic-authz"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Siddhant-K-code/agentic-authz","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Siddhant-K-code%2Fagentic-authz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Siddhant-K-code%2Fagentic-authz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Siddhant-K-code%2Fagentic-authz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Siddhant-K-code%2Fagentic-authz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Siddhant-K-code","download_url":"https://codeload.github.com/Siddhant-K-code/agentic-authz/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Siddhant-K-code%2Fagentic-authz/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33718449,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent","agent-auth","agent-authentication","agent-security","fine-grained-authorization","openfga-client"],"created_at":"2026-05-31T04:02:58.910Z","updated_at":"2026-05-31T04:02:59.054Z","avatar_url":"https://github.com/Siddhant-K-code.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Agentic AuthZ Demo\n\n**Fine-grained authorization for AI agents using OpenFGA.**\n\nAI agents are getting access to production systems - databases, APIs, file systems. But who decides what they can do? Traditional RBAC wasn't designed for autonomous agents that make decisions without human approval.\n\nThis demo shows how to implement **Relationship-Based Access Control (ReBAC)** for AI agents using OpenFGA, with three levels of authorization:\n\n1. **Team Level** - Which teams can use which tool categories\n2. **Project Level** - Which projects have access to which resources  \n3. **Operation Level** - Fine-grained control over destructive operations\n\n## Quick Start\n\n```bash\n# Start services and seed data\nmake setup\n\n# Run the demo\nmake demo\n\n# Or use the interactive script\n./scripts/demo.sh\n```\n\n## Why This Matters\n\n| Problem | Solution |\n|---------|----------|\n| Agent has same permissions as user | Fine-grained, context-aware permissions |\n| Prompt injection → data exfiltration | Blast radius contained by project scope |\n| No audit trail for agent actions | Every authorization decision logged |\n| \"All or nothing\" tool access | Operation-level restrictions |\n\n## Architecture\n\n```\n┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐\n│   AI Agent      │────▶│   Gateway       │────▶│   OpenFGA       │\n│   (Claude/GPT)  │     │   (Go)          │     │   (AuthZ)       │\n└─────────────────┘     └─────────────────┘     └─────────────────┘\n                               │\n                               ▼\n                        ┌─────────────────┐\n                        │   MCP Tools     │\n                        │   (Mock/Real)   │\n                        └─────────────────┘\n```\n\n## Authorization Model\n\nThree levels of access control:\n\n### 1. Team Level\nTeams are assigned to tool categories.\n\n| Team | Code Tools | Communication | Data Tools | Infrastructure |\n|------|------------|---------------|------------|----------------|\n| Engineering | ✅ | ✅ | ✅ | ❌ |\n| Marketing | ❌ | ✅ | ❌ | ❌ |\n| DevOps | ✅ | ✅ | ✅ | ✅ |\n\n### 2. Project Level\nProjects have specific tool access.\n\n| Project | GitHub | Slack | Postgres | Filesystem |\n|---------|--------|-------|----------|------------|\n| auth-service | ✅ | ✅ | ✅ | ❌ |\n| landing-page | ❌ | ✅ | ❌ | ❌ |\n| infrastructure | ✅ | ✅ | ✅ | ✅ |\n\n### 3. Operation Level\nSpecific operations are restricted to certain roles.\n\n| Operation | Allowed Roles |\n|-----------|---------------|\n| `github:delete_repo` | Team Leads only |\n| `postgres:delete` | Team Leads only |\n\n## Demo Scenarios\n\n| # | Scenario | User | Tool | Expected |\n|---|----------|------|------|----------|\n| 1 | Engineering → GitHub | Alice (lead) | `github:create_pr` | ✅ Allowed |\n| 2 | Marketing → GitHub | Bob (lead) | `github:create_pr` | ❌ Denied |\n| 3 | auth-service → Postgres | Alice | `postgres:query` | ✅ Allowed |\n| 4 | landing-page → Postgres | Bob | `postgres:query` | ❌ Denied |\n| 5 | Member → delete_repo | Charlie | `github:delete_repo` | ❌ Denied |\n| 6 | Lead → delete_repo | Alice | `github:delete_repo` | ✅ Allowed |\n\n## Services\n\n| Service | Port | Description |\n|---------|------|-------------|\n| Demo UI | 3002 | Interactive demo interface |\n| Admin UI | 3001 | Permission management dashboard |\n| OpenFGA Playground | 3000 | OpenFGA visual explorer |\n| Gateway API | 9000 | Authorization gateway |\n| OpenFGA API | 8080 | OpenFGA HTTP API |\n\n## Development\n\n```bash\n# Install dependencies\nmake install-deps\n\n# Start OpenFGA\nmake setup-openfga\n\n# Run gateway in mock mode\nmake dev-gateway\n\n# Run Demo UI\nmake dev-demo\n\n# Run Admin UI\nmake dev-admin\n```\n\n## API Endpoints\n\n### Check Authorization\n```bash\ncurl -X POST http://localhost:9000/v1/tools/call \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"tool\": \"github\",\n    \"operation\": \"create_pr\",\n    \"params\": {\"title\": \"My PR\"},\n    \"context\": {\n      \"user\": \"alice\",\n      \"project\": \"auth-service\",\n      \"team\": \"engineering\"\n    }\n  }'\n```\n\n### List Tools\n```bash\ncurl http://localhost:9000/v1/tools\n```\n\n### View Audit Log\n```bash\ncurl http://localhost:9000/v1/audit\n```\n\n### List Demo Scenarios\n```bash\ncurl http://localhost:9000/v1/demo/scenarios\n```\n\n## Project Structure\n\n```\nagentic-authz/\n├── gateway/              # Go authorization gateway\n│   ├── cmd/gateway/      # Main entry point\n│   └── internal/         # Internal packages\n│       ├── authz/        # OpenFGA client\n│       ├── config/       # Configuration\n│       ├── handler/      # HTTP handlers\n│       └── mcp/          # MCP proxy\n├── demo-ui/              # Next.js demo interface\n├── admin-ui/             # Next.js admin dashboard\n├── openfga/              # Authorization model\n│   ├── model.fga         # FGA DSL model\n│   ├── model.json        # JSON model for API\n│   └── tuples.json       # Seed data\n├── scripts/              # Demo scripts\n├── docker-compose.yml    # Service orchestration\n└── Makefile              # Build commands\n```\n\n## OpenFGA Model\n\nThe authorization model uses OpenFGA's DSL:\n\n```fga\ntype tool\n  relations\n    define category: [tool_category]\n    define allowed_team: [team]\n    define can_use: member from allowed_team or can_use from category\n\ntype tool_operation\n  relations\n    define tool: [tool]\n    define allowed_role: [user]\n    define can_execute: allowed_role or can_use from tool\n```\n\n## Make Commands\n\n```bash\nmake help           # Show all commands\nmake setup          # Full setup\nmake demo           # Run all demo scenarios\nmake audit          # View audit log\nmake tools          # List available tools\nmake users          # List demo users\nmake projects       # List demo projects\nmake clean          # Stop and clean up\n```\n\n## The Security Case for Agent Authorization\n\n### The Problem\n\n```\nUser: \"Summarize our Q4 sales data\"\nAgent: *has database access*\nAgent: SELECT * FROM users; DROP TABLE users;--\n```\n\nWithout fine-grained authorization, a compromised or manipulated agent can:\n- Access data outside its task scope\n- Perform destructive operations\n- Pivot between systems\n- Exfiltrate sensitive information\n\n### The Solution\n\n```\nUser: \"Summarize our Q4 sales data\"\nAgent: *requests database access*\nGateway: Check(user:alice, can_execute, tool_operation:postgres:query)\nOpenFGA: ✅ ALLOWED (project:sales-dashboard has postgres access)\nAgent: SELECT SUM(revenue) FROM sales WHERE quarter='Q4'\n```\n\nWith this architecture:\n- Every tool call is authorized\n- Permissions are scoped to project context\n- Destructive operations require elevated privileges\n- All decisions are audited\n\n## Real-World Use Case: Confidential AI Platforms\n\nWhen AI coding agents work on security-critical codebases, the blast radius of a compromised or misdirected agent is much larger than in a typical project. This pattern applies directly to confidential computing stacks where certain components must never be touched by an agent.\n\n**Example: Confidential AI inference platform (Intel TDX)**\n\nA typical confidential AI stack has components where agent write access would be catastrophic:\n\n| Component | Why it matters |\n|-----------|---------------|\n| `cvm/attestation-service/` | TDX quote generation and EKM validation logic |\n| `cvm/auth-service/` | Bearer token auth and HMAC comparison |\n| `cvm/cert-manager/` | TLS cert and EKM shared secret |\n\nA developer running a frontend review agent should have no access to these components. With agentic-authz, this is expressed as the absence of tuples — no tuple written means no access, full stop.\n\n```bash\n# Grant the frontend review agent access to the frontend only\nfga tuple write \\\n  '{\"object\":\"repo:my-project/frontend\",\"relation\":\"reader\",\"user\":\"agent:frontend-review-agent\"}'\n\n# No tuples written for attestation-service, auth-service, cert-manager.\n# The agent cannot read or write those components regardless of what it \"decides.\"\n\n# Verify\nfga query check --user agent:frontend-review-agent \\\n  --relation reader --object repo:my-project/attestation-service\n# { \"allowed\": false }\n```\n\n**Connecting attestation identity to authorization**\n\nFor platforms using attested TLS, the TEE's measurement (e.g. `app_compose_hash` from a TDX attestation report) can serve as the identity anchor in OpenFGA tuples:\n\n```python\n# After verifying the TEE attestation, extract the identity\ntee_identity = report.tdx.app_compose_hash  # deterministic per deployment\n\nallowed = await fga.check(\n    user=f\"tee:{tee_identity}\",\n    relation=\"can_invoke\",\n    object=\"service:inference-endpoint\"\n)\n```\n\nThis gives confidential AI platforms a full authorization layer on top of their existing attestation stack: the aTLS layer handles authentication (who is connecting), OpenFGA handles authorization (what they can do).\n\n---\n\n## Resources\n\n- [OpenFGA Documentation](https://openfga.dev/docs)\n- [OpenFGA Playground](https://play.fga.dev)\n- [Securing Agentic AI (Blog Post)](https://dev.to/siddhantkcode/securing-agentic-ai-authorization-patterns-for-autonomous-systems-3ajo)\n\n## Author\n\nBuilt by **Siddhant Khare** - OpenFGA Core Maintainer\n\n- X: [@siddhant_K_code](https://x.com/siddhant_K_code)\n- GitHub: [@Siddhant-K-code](https://github.com/Siddhant-K-code)\n- LinkedIn: [Siddhant Khare](https://linkedin.com/in/siddhantkhare24)\n\n*Helping teams implement secure AI agent architectures.*\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsiddhant-k-code%2Fagentic-authz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsiddhant-k-code%2Fagentic-authz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsiddhant-k-code%2Fagentic-authz/lists"}