AuthSecAuthSec
Apache V2 License

Agent-first
Open Source Identity layer for Autonomous AI.

The open-source authentication and authorization platform for AI agents, MCP servers, and autonomous workloads — with real-time policy enforcement and full auditability.

How it fits together

One control plane for human and agent (non-human identities)

The same engine that signs a user in with OAuth 2.1 issues a workload an X.509 identity and decides whether an agent may invoke an MCP tool — one policy model, fully audited.

Workforcepeople · SSOAI agentsautonomousWorkloadsmachine · SPIFFEMCP serverstools · contextAPIs & servicesinternal · 3pData & infradb · secretsAuthSeccontrol planeOAuth 2.1 + PKCEPolicy engineVault & PKIImmutable auditIDENTITIESRESOURCESauthenticateauthorize · audit
Unified policy
One engine for people & machines
Short-lived by default
Tokens & certs that expire fast
Verifiable everywhere
Cryptographic identity end-to-end
Audited by design
Every decision is logged
Talk to us

Get in Touch

Have questions about AuthSec? Want to see how it fits your AI infrastructure? We're happy to help.

  • Request a live demo
  • Discuss your use case
  • Get technical guidance

Send us a message

We typically respond within one business day.

Quick Start SDK

Integrate AuthSec in minutes

Official SDKs for Python, Go, and TypeScript — plus native integrations for LangChain, CrewAI, AutoGen, and secret management.

Language SDKs
AI Framework Integrations
# Install the Python SDK
return await db.execute(args["query"])
✓ Agent authenticated → tool access granted
Core Modules

Dual plane for AI agent and user identity

Secure users and autonomous workloads with the same policy engine, observability, and controls. No more parallel auth stacks.

OAuth2.1 for User Authentication

Native OAuth2.1 support with Authorization Code + PKCE. Issue short-lived, user-bound tokens without building custom auth flows.

User-first security · PKCE by default · Risk-based MFA
Client Appclient_id:app_123flow:PKCEchallenge:S256(xyz)AuthSecOAuth 2.1 EnginePKCE VerifierScope CheckConsent LogicAccess Tokensub: user_123scope: openid profile
① Attestation — SPIRE agents prove node & workload identity to the server
Zero-trust runtime

Support non-human identity authorization with SPIFFE.

Agents and MCP servers get cryptographic X.509 identities, exchanged for short-lived, call-specific JWTs to shrink blast radius.

  • Workload identity (SVID)a unique X.509 SPIFFE SVID per agent at startup.
  • Certificate-based authshort-lived X.509 certificates, no long-lived secrets.
  • mTLS with auto-rotationcertificates rotated automatically before expiry.
  • Root CA & Vault-backed PKIissuance from a trusted root via HashiCorp Vault.
Go live faster

Ready to secure your users and MCP servers?

Enterprise-grade security with OAuth 2.1, AI agent authentication, and zero-trust — open source and self-hostable.

OAuth 2.1 & PKCE
MCP server authentication
AI agent workload identity
Zero-trust security posture

Get secure in minutes

No infrastructure setup required.

No spam. Security updates only.

Insights

Featured Posts

Learn about authentication patterns, security best practices, and AI agent identity from our engineering team.

View all posts