https://github.com/authsec-ai/authsec-ai
Identity layer for Agents and Autonomous AI. With OAuth 2.1, CIBA, SPIFFE workload identity (for agent to agent auth), secret vault and MFA.
https://github.com/authsec-ai/authsec-ai
agent-auth agent-authentication agents
Last synced: 3 months ago
JSON representation
Identity layer for Agents and Autonomous AI. With OAuth 2.1, CIBA, SPIFFE workload identity (for agent to agent auth), secret vault and MFA.
- Host: GitHub
- URL: https://github.com/authsec-ai/authsec-ai
- Owner: authsec-ai
- License: other
- Created: 2026-03-17T05:05:31.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-03-24T00:37:25.000Z (4 months ago)
- Last Synced: 2026-04-04T00:52:40.451Z (3 months ago)
- Topics: agent-auth, agent-authentication, agents
- Language: Go
- Homepage: https://authsec.ai
- Size: 3.87 MB
- Stars: 9
- Watchers: 1
- Forks: 6
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Agent-first Open Source Identity layer for Agents and Autonomous AI.
[Website](https://authsec.ai) · [Documentation](https://authsec.ai/docs) · [Blog](https://authsec.ai/blogs)
Agent-first Open Source Identity layer for Agents and Autonomous AI.
It is built for the age of agents and autonomous AI — where agents need to authenticate without browsers, delegate user permissions, talk to each other securely, and plug into MCP servers — while still covering every enterprise IAM need (SSO, RBAC, passkeys, SCIM, and more).
**This repository contains the backend service and deployment scripts.** The UI lives in a separate repository: [authsec-ai/Authsec-ui](https://github.com/authsec-ai/Authsec-ui).
---
## Get Started
### Docker Compose (Recommended)
The fastest way to run the full AuthSec stack locally or on a server.
**Prerequisites:** Docker Engine 24.0+, Docker Compose v2.20+, 4 GB RAM
```bash
git clone https://github.com/authsec-ai/authsec-ai.git
cd authsec-ai/scripts
bash setup.sh
```
Open **** once the script finishes.
#### What does `setup.sh` install?
The script brings up a complete, production-ready stack:
| Service | What it does |
| --- | --- |
| **AuthSec backend** | Go binary — auth flows, RBAC, OIDC, SCIM, CIBA, SPIFFE, MCP, migration |
| **[AuthSec UI](https://github.com/authsec-ai/Authsec-ui)** | React 19 admin and end-user portal (separate repo, image pulled automatically) |
| **Ory Hydra** | Standards-compliant OAuth 2.0 / OIDC / SAML server |
| **PostgreSQL** | Master database + dynamic per-tenant databases |
| **Redis** | Session cache and rate limiting |
| **HashiCorp Vault** | Secrets storage for OIDC provider credentials |
| **Nginx** | Reverse proxy with optional TLS termination |
The script automatically:
1. Checks that Docker and Compose are installed
2. Asks for your deployment type and admin credentials
3. Generates all secrets (JWT keys, encryption keys, Hydra system/cookie secrets)
4. Writes a `.env` file
5. Pulls images and starts all services
6. Runs the master database migration
7. Creates your first admin account
For manual setup, custom domains, TLS, and production hardening — see [scripts/README.md](scripts/README.md).
---
## What AuthSec Solves
### 1. Headless Authentication for Agents (Voice / CIBA)
Modern AI agents can't open a browser login page. AuthSec supports **CIBA (Client Initiated Backchannel Authentication)** — an OAuth 2.0 extension (RFC 9126) that decouples *where* authentication is initiated from *where* the user approves it.
With CIBA:
- An agent initiates an auth request on behalf of a user using a channel for example voice
- The user receives an out-of-band prompt (voice call, push notification, SMS) to approve on a mobile app
- The agent receives tokens once the user approves — no browser redirect, no UI required
This powers voice-activated agents or other form of agents which do not need a web browser to operate: a user speaks a command, the agent triggers CIBA, the user confirms by voice, and the agent gets a scoped access token — all without a browser.
> **Resources:** [Documentation](https://authsec.ai/docs) · Demo Video *(coming soon)* · [Blog](https://authsec.ai/blogs)
---
### 2. Agent-to-Agent Authorization (Machine-to-Machine) via SPIFFE
When one agent needs to call another service or agent, you need a zero-trust, standards-based way to prove identity without managing static credentials.
AuthSec implements **SPIFFE (Secure Production Identity Framework for Everyone)** — each agent or workload gets a cryptographically verifiable **SVID (SPIFFE Verifiable Identity Document)**. Authorization between agents uses these short-lived, automatically rotated identities.
- No API keys or shared secrets between services
- Works across clouds: native federation with AWS IAM, Azure AD, and GCP IAM
- Fine-grained RBAC/ABAC policies on top of workload identity
---
### 3. Autonomous Execution with User Auth Delegation
Agents that act on behalf of users need scoped, time-limited delegated credentials — not the user's full session. AuthSec provides token exchange and delegation flows that let you issue an agent a narrowly scoped JWT derived from the user's authenticated session, so agents can act autonomously without over-privileged access.
---
### 4. MCP Authentication & Authorization
AuthSec provides built-in authentication and authorization for **Model Context Protocol (MCP)** servers. Agents connecting to MCP tools go through AuthSec to get verified, scoped tokens — ensuring every tool call is authenticated, audited, and permission-checked.
---
### 5. SSO — SAML 2.0 & OIDC Federation
Full enterprise SSO for your users and workforce:
- **SAML 2.0** identity provider and service provider flows (via Ory Hydra)
- **OIDC** federation — connect Google, GitHub, Microsoft, Okta, and any standards-compliant IdP
- **AD / Microsoft Entra ID** sync (LDAP + SCIM 2.0)
- Multi-tenant: each tenant gets isolated identity databases and configurable IdPs
---
## Run Individual Components instead of a single script
If you want to develop or run only specific parts of the stack:
**Backend only** (Go 1.25+, PostgreSQL 14+):
```bash
cd authsec
cp .env.example .env
# Edit .env — set DB_* credentials and required secrets
go build -o authsec ./cmd/
./authsec
# API at http://localhost:7468
```
**Frontend only** (Node.js >= 20, npm >= 10) — the UI is in a [separate repository](https://github.com/authsec-ai/Authsec-ui):
```bash
git clone https://github.com/authsec-ai/Authsec-ui.git
cd Authsec-ui
npm install
npm run build
export VITE_API_URL=http://localhost:7468
node server.js
# UI at http://localhost:3000
```
Detailed setup instructions, environment variable references, and API docs:
- [authsec/README.md](authsec/README.md) — Backend
- [Authsec-ui README](https://github.com/authsec-ai/Authsec-ui#readme) — Frontend (separate repo)
- [scripts/README.md](scripts/README.md) — Deployment
- [scripts/TROUBLESHOOTING.md](scripts/TROUBLESHOOTING.md) — Common issues
---
## How Do I
### Enable Voice Auth for an Agent
Voice auth uses the CIBA flow. Once AuthSec is running:
1. Register your agent as an OAuth2 client with `urn:openid:params:grant-type:ciba` grant type enabled
2. Configure your Twilio credentials in `.env` (`TWILIO_ACCOUNT_SID`, `TWILIO_AUTH_TOKEN`, `TWILIO_FROM_NUMBER`)
3. The agent calls `POST /authsec/uflow/ciba/initiate` with the user's identifier
4. AuthSec places a voice call to the user for approval
5. Poll `POST /oauth2/token` with `grant_type=urn:openid:params:grant-type:ciba` until approved
6. Use the returned access token for subsequent API calls
> See the [CIBA API reference](authsec/README.md) for full request/response examples.
---
### Set Up Agent-to-Agent (M2M) Auth
AuthSec issues SPIFFE SVIDs to workloads so agents can call each other without static secrets.
1. Enable the SPIRE module — set `ICP_SERVICE_URL` in `.env`
2. Register each agent/service as a workload entry via `POST /authsec/spire/workloads`
3. Each workload fetches its SVID from the SPIFFE Workload API
4. Services validate incoming requests by verifying the SVID against the trust domain
5. Apply RBAC/ABAC policies on workload identity via `POST /authsec/spire/policies`
For cloud-native workloads, configure AWS/Azure/GCP federation so cloud-issued identities map to SPIFFE SVIDs automatically.
> See the [SPIRE module docs](authsec/README.md) for workload registration and policy setup.
---
### Configure SSO (SAML 2.0 / OIDC)
1. Open the AuthSec admin UI at `http://localhost`
2. Navigate to **Identity Providers** → **Add Provider**
3. Choose SAML 2.0 or OIDC and fill in the provider metadata
4. For OIDC providers: set `GOOGLE_CLIENT_SECRET`, `GITHUB_CLIENT_SECRET`, or `MICROSOFT_CLIENT_SECRET` in `.env` for social login
5. For SAML: upload the IdP metadata XML and download the AuthSec SP metadata to register with your IdP
6. For AD / Entra ID sync: configure LDAP host or SCIM endpoint and set `SYNC_CONFIG_ENCRYPTION_KEY`
> See [authsec/README.md](authsec/README.md) for OIDC config manager and SCIM 2.0 API details.
---
### Enable MCP Authentication
1. Register your MCP server as an OAuth2 client: `POST /authsec/clientms/clients` with appropriate scopes
2. Set `ICP_SERVICE_URL` in `.env` to point to your MCP coordinator
3. Use the SDK manager endpoints (`/authsec/sdkmgr/`) to create agent entries and issue scoped tokens
4. Agents authenticate to MCP via `POST /authsec/sdkmgr/agents/token` and present the JWT to your MCP server
5. MCP server validates tokens via `GET /authsec/authmgr/token/verify` or the JWKS endpoint at `/.well-known/jwks.json`
> See the [SDK Manager docs](authsec/README.md) for agent registration and token flows.
---
## Community
Join the conversation, ask questions, and share what you're building:
**Discord** *(invite link coming soon)*
---
## Contributing
We welcome contributions of all kinds — bug fixes, features, docs, and examples.
1. Fork the relevant repository and create a branch from `main`
2. For backend changes: fork [authsec-ai/authsec-ai](https://github.com/authsec-ai/authsec-ai) and work in [authsec/](authsec/) — follow existing Go conventions
3. For frontend changes: fork [authsec-ai/Authsec-ui](https://github.com/authsec-ai/Authsec-ui) — run `npm run lint` and `npm run type-check` before submitting
4. For deployment changes: work in [scripts/](scripts/)
5. Add or update tests for your changes
6. Open a pull request with a clear description of what and why
Bug reports and feature requests:
- Backend / deployment: [authsec-ai/authsec-ai Issues](https://github.com/authsec-ai/authsec-ai/issues)
- Frontend: [authsec-ai/Authsec-ui Issues](https://github.com/authsec-ai/Authsec-ui/issues)
---
## License
AuthSec is licensed under the [Apache 2.0 License](authsec/LICENSE).