AuthSecAuthSec
~/platform

One control plane for human and agent identity.

The same engine that signs a user in with OAuth 2.1 issues a workload an X.509 identity and decides whether an agent may invoke an MCP tool — one policy model, fully audited. Every capability, in depth, below.

10+
capabilities
12+
standards & RFCs
Apache 2.0
open source
IDENTITIESRESOURCES
Workforcepeople · SSO
AI agentsautonomous
WorkloadsSPIFFE
AuthSeccontrol
plane
MCP serverstools · context
APIsinternal · 3p
Data & infradb · secrets
← authenticateauthorize · audit →
01Agents & MCP
MCP security

MCP OAuth 2.1 — identity for AI agents

A fully spec-compliant OAuth 2.1 authorization server purpose-built for the Model Context Protocol. Agents like Claude Code, Cursor, and custom LLM tools register, authenticate, and get scoped access to MCP servers — with no manual API-key management.

Dynamic Client Registration
Any client self-registers via a single API call — no admin portal. Auto-classified as human_app · agent · m2m · cli, with a self-service registration access token.
PKCE-only authorization
All flows require PKCE with S256 — no implicit grants, no plain challenges. Resource indicators bind each token to one MCP server audience, preventing confused-deputy attacks.
Standard discovery
Well-known endpoints so MCP clients auto-configure — authorization server metadata, OIDC configuration, and a public JWKS for token verification.
Lazy binding & cross-workspace
Agents bind to a resource server on first authorize. Cross a workspace boundary and the registration goes to pending_approval until an admin approves.
ENDPOINTSPOST /oauth/registerGET /oauth/authorizePOST /oauth/tokenGET /oauth/jwks/.well-known/oauth-authorization-server
Cross-app agent authorizationFLAGSHIP

XAA & ID-JAG — carry a user across trust boundaries

AI agents don't sit in front of a browser. An agent may call an MCP server on a user's behalf hours later — often in a different org. XAA (Extended Access Attribution) implements the Identity Assertion Authorization Grant so an agent obtains a purpose-built assertion — the ID-JAG — instead of forwarding an audience-bound user token.

STEP 1 · token-exchange
Issue the ID-JAG

AuthSec introspects the user's token, confirms the agent is approved for the target, and mints a short-lived JWT (oauth-id-jag+jwt, 5-min TTL).

POST /oauth/token
grant_type = token-exchange
subject_token = user's token
resource = target RS URI
STEP 2 · jwt-bearer
Redeem at the target AS

The target AS authenticates the agent, validates the assertion, maps the subject to a local user, applies RBAC, and mints a locally-scoped token.

POST /oauth/token
grant_type = jwt-bearer
assertion = the ID-JAG
resource = target RS URI
5-STAGE REDEMPTIONauthenticate agent → validate ID-JAG → map subject → authorize (RBAC) → mint token + replay guard
Trust boundary = resource server
Not the workspace. One deployment brokers agent access across any number of orgs. Only self-delegation is forbidden.
First-contact approval
Unknown RS → access_pending. Admin approves with a role, atomically flipping the registration to approved.
Trusted issuers & JIT
Federate external ASes via JWKS. Optional just-in-time user provisioning; revoke an issuer to block all its ID-JAGs.
Security properties
One-shot redemption
Atomic insert of (iss, jti) into the replay cache — duplicate = abort.
Short-lived assertion
5-minute TTL on the ID-JAG; tokens minted from it get 1 hour.
Audience binding
ID-JAG aud must match the redeeming AS; access-token aud is the RS URI.
Provenance chain
Every token records source_grant_jti + iss — user login to tool call.
Symmetric alg rejection
Rejects none / HS256 / HS384 / HS512 — asymmetric only.
Scope narrowing
Intersection of requested · delegated · RBAC · RS-available scopes.
Machine-to-machine

M2M token issuance

For backend services, CI/CD pipelines, and automated workflows that call MCP servers with no human in the loop. Service accounts authenticate with client-credentials and receive a 1-hour native access token.

Two authentication methods
client_secret_basic — a generated secret shown once, stored as a bcrypt hash. private_key_jwt — the client signs with its own key, verified against registered JWKS.
One-call provisioning
A single call atomically provisions a service account, client credentials, a scoped role binding, and the client registration. Everything commits or rolls back — no stranded credentials.
Native token architecture
M2M tokens are minted by AuthSec's NativeSealer — a dedicated issuer that bypasses Hydra. Signed with rotating RSA keys in Vault, classified by kid prefix so resource servers verify locally, and tracked with full audit metadata.
ENDPOINTSgrant_type=client_credentialsPOST /authsec/applications/:id/machine-access/api-credential
Tool execution

Connector Broker

A server-side proxy for AI agent tool calls. Agents never see raw credentials — AuthSec injects them server-side and returns only the redacted result. Connect a provider once via OAuth; tokens refresh and rotate automatically.

SlackGitHubGoogleHubSpotNotionJira+ pluggable adapters
5-layer authorization chain · every tool call
01
Token verification
Native token, audience-bound to the broker.
02
RBAC
Must hold connector:execute scope.
03
Connector gate
Enabled & agent-accessible.
04
Assignment allowlist
This client, this connector, these actions.
05
Credential injection
Fetch from Vault, refresh, inject.
02Workload identity
Zero-trust runtime

SPIFFE & workload identity

A built-in SPIRE-compatible control plane issuing X.509 and JWT workload identities — with multi-tenant isolation out of the box. Agents get cryptographic identities exchanged for short-lived, call-specific credentials.

Node attestation
Nodes prove identity before requesting certs — Kubernetes (TokenReview), Unix (PID/UID), Docker (image). Issues spiffe://{workspace}/agent/{node}.
X.509 SVIDs
Selector-based matching with wildcards and a best-match scoring algorithm. Certs issued via Vault PKI with the SPIFFE ID as URI SAN. Default 1-hour TTL.
JWT-SVIDs & delegation
Service-to-service auth without mTLS, with custom claims. Users delegate identity to agents via JWT-SVID — TTL from 60s to 8h.
Federated trust (BYO-SPIRE)
Register external SPIFFE IDs from your own trust domain. AuthSec exposes OIDC discovery + JWKS; each tenant gets a dedicated Vault PKI mount.
ENDPOINTSPOST /spire/v1/node/attestPOST /spire/v1/workload/attestPOST /spire/v1/jwt/issuePOST /authsec/uflow/auth/enduser/delegate-svid
03Enterprise authentication
Social & enterprise login

OIDC Federation

External OIDC providers — Google, GitHub, Microsoft, and custom — for both platform- and workspace-level authentication. A three-step flow with HMAC-signed state binds workspace + application to prevent cross-tenant escalation.

Signed-state login flow
Initiate → callback → exchange. State signature re-checks the workspace IDP gate on return.
App-level IDP policies
Control which providers appear per application. Default-allow until policies are configured.
Identity linking
Link multiple OIDC identities to one account; unlink any time.
Enterprise SSO

SAML 2.0

Full SP-initiated SAML 2.0 for enterprise IdPs — Okta, Azure AD, Auth0. AuthSec builds the AuthnRequest, validates the XML signature and assertion conditions, extracts attributes, and completes login.

Auto-generated SP metadata
Each workspace gets a metadata endpoint IdP admins import directly.
Certificate management
Per-workspace SP certs (RSA 2048, 1-year), private keys encrypted via Vault transit.
Passwordless

WebAuthn / Passkeys

FIDO2/WebAuthn for passwordless login and MFA — hardware keys (YubiKey), platform authenticators (Touch ID, Windows Hello), and cross-device passkeys via QR.

Origin allowlist validationSign-count clone detectionUSB · NFC · BLE · platform · hybridBackup-eligible key detectionPer-workspace credential isolation
04Access & governance
Access control

Access control & governance

RBAC with principals, roles, permissions (resource:action pairs), and role bindings scoped to workspaces and resource servers — plus the approval and delegation machinery that makes agent access safe.

Access request & approval
First contact creates a pending request; admin approves with a role, atomically binding and approving. Public status-poll endpoint for agents.
Delegation & A2A brokering
Which roles may delegate to which agent types, with max TTL. Explicit permit/deny rules for XAA — deny always wins.
Provisioning

Directory sync — SCIM, AD & Entra ID

SCIM 2.0
Bearer-token connections (shown once, bcrypt-hashed), token rotation with a 5-min grace window, full user & group provisioning.
Active Directory
LDAP sync with configurable base DN, filters, SSL & cert verification. Test, dry-run, execute modes with sync metadata.
Entra ID (Azure AD)
Microsoft Graph sync with tenant ID, client ID & encrypted secret. Same test/dry-run/execute workflow as AD.
Compliance

Audit logging

Three distinct log streams, all queryable via paginated APIs. Each event records actor, action, resource, method, path, status code, old/new values, and timestamp.

Stream
Captures
Endpoint
Auth Logs
Login attempts, token issuances, OIDC callbacks
/logs/auth/paginated
Admin Audit
Every admin mutation with before/after snapshots
/logs/audit/paginated
M2M Logs
Machine token issuances with client & scope
/logs/m2m/paginated

SPIRE operations have a separate audit trail in spire_audit_logs.

05Standards & RFCs
Compliance

Standards & RFCs

OAuth 2.1
MCP client authorization
RFC 7591 / 7592
Dynamic client registration
RFC 8414
AS metadata
RFC 8707
Resource indicators
RFC 9700 · ID-JAG
XAA grant
OIDC Core & Discovery
ID tokens · auto-config
SAML 2.0
SP-initiated SSO
FIDO2 / WebAuthn
Passwordless auth
SPIFFE / SPIRE
X.509 + JWT SVIDs
SCIM 2.0
Directory provisioning
client_credentials
M2M issuance
jwt-bearer · token-exchange
XAA redemption & issuance

Secure your users, agents, and workloads.

One policy engine. Short-lived by default. Verifiable everywhere. Audited by design — and open source under Apache 2.0.