
2026-04-22 (Wednesday)

AI Agent Authorization Patterns: deep dive + MCP OAuth 2.1 + Delegated Custody Model

🦐 Today's overview

Study stats

  • Articles read: 6 (about 60 KB)
  • Time spent: about 1 hour
  • Topics: AI agent authorization patterns + MCP OAuth + agent identity

Core topics

  • GitGuardian: OAuth for MCP - Enterprise Patterns (JWTs + Resource Indicators)
  • human.tech Delegated Custody Model (split-key architecture)
  • Grantex Protocol ("OAuth for agents", 4,147 tests)
  • AgentLock Framework (tool-level authorization, Three-Layer Enforcement)
  • KavachOS Auth OS (2.6M warm-cache evals/sec)
  • Agent Identity Protocol (IETF Draft)

🔐 GitGuardian: OAuth for MCP - Enterprise Patterns

Source: GitGuardian Blog

Author: Thomas Segura

Published: 2026-04-22

Core argument

OAuth 2.1 is the foundation of MCP authorization, but it answers a request-level question: is this caller allowed to make this call? The autonomy and non-determinism of agents add a sequence-level risk that no single token check covers: a chain of individually authorized calls can still produce an unauthorized outcome.

OAuth Roles in MCP Architecture

OAuth role            MCP mapping
--------------------  ------------------------------------------
Resource Owner        the human user
Client                AI host + MCP client
Resource Server       MCP servers
Authorization Server  OAuth 2.1 provider (Okta/Auth0/Keycloak)

JWTs + Resource Indicators (RFC 8707)

A token is scoped to one specific MCP server:
- The client requests a token for mcp://docs (the resource parameter)
- The authorization server issues a token with audience=mcp://docs
- If that token leaks, it is useless against mcp://db or any other server

Validation process (on the MCP server)

  1. Fetch and cache the JWKS; verify the signature against the expected algorithm
  2. Check exp and keep lifetimes short (minutes/hours, not days)
  3. Verify the audience matches this MCP server
  4. Enforce scopes: coarse (mcp:tools:read) + fine-grained (document:read:project-abc)
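The validation steps above as working code. This is an added example, not code from the GitGuardian article: the resource server pins the algorithm, verifies the signature, checks exp and a maximum lifetime, requires that aud name this server (RFC 8707), and enforces coarse and fine-grained scopes. HS256 with a shared secret stands in for RS256 against a fetched JWKS so the block runs offline; mint_token, the secret and the claim values are constructed for the demo, and demo() shows one token accepted by mcp://docs and rejected by mcp://db.

```python
"""Resource-server-side validation of an MCP access token.

Added example, not the GitGuardian article's code. HS256 with a shared secret
stands in for RS256 verified against the authorization server's JWKS, so the
block runs offline; swap in JWKS fetching for production. Claim values, the
secret and the scope names are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

MAX_LIFETIME_SECONDS = 3600  # minutes or hours, not days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, claims: dict) -> str:
    """Stand-in for the authorization server issuing a token (HS256 here)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_mcp_token(token: str, secret: bytes, this_resource: str,
                       required_scopes: list, now=None) -> dict:
    """Return the claims if the token may be used against this MCP server.

    Raises ValueError naming the failing check. The signature is verified
    before any claim is trusted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None or now >= exp:
        raise ValueError("expired or missing exp/iat")
    if exp - iat > MAX_LIFETIME_SECONDS:
        raise ValueError("token lifetime too long")
    # RFC 8707: the token was requested for one resource; only that resource accepts it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if this_resource not in audiences:
        raise ValueError(f"audience {audiences} does not include {this_resource}")
    granted = set(claims.get("scope", "").split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        raise ValueError(f"missing scopes: {missing}")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the validator; returns what each resource server concluded."""
    secret = b"constructed-shared-secret"  # constructed, demo only
    token = mint_token(secret, {
        "iss": "https://as.example", "sub": "user-42", "aud": "mcp://docs",
        "iat": now, "exp": now + 600,
        "scope": "mcp:tools:read document:read:project-abc",
    })
    results = {}
    claims = validate_mcp_token(token, secret, "mcp://docs",
                                ["mcp:tools:read", "document:read:project-abc"], now)
    results["docs"] = claims["sub"]
    cases = {
        "db": ("mcp://db", ["mcp:tools:read"]),                  # wrong audience
        "write": ("mcp://docs", ["document:write:project-abc"]),  # scope not granted
    }
    for name, (resource, scopes) in cases.items():
        try:
            validate_mcp_token(token, secret, resource, scopes, now)
            results[name] = "allowed"
        except ValueError as err:
            results[name] = str(err)
    # A 30-day token fails the lifetime check even when otherwise valid.
    long_lived = mint_token(secret, {"aud": "mcp://docs", "iat": now,
                                     "exp": now + 30 * 86400, "scope": "mcp:tools:read"})
    try:
        validate_mcp_token(long_lived, secret, "mcp://docs", ["mcp:tools:read"], now)
        results["long"] = "allowed"
    except ValueError as err:
        results["long"] = str(err)
    return results
```

Call demo() to see the four outcomes; the audience failure is the one Resource Indicators buy you, because the same leaked token is worthless at mcp://db.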

Two OAuth Flows for MCP

1) Authorization Code (user-scoped)

When to use: MCP servers that need user-scoped data (private docs, personal repos)

Enterprise essentials

  • Scope per MCP server with Resource Indicators
  • Short lifetimes for access tokens; refresh tokens guarded like crown jewels
  • Never let tokens appear in prompts, traces, or model inputs
  • Multi-tenant isolation: no cross-user leakage

2) Client Credentials (system-scoped)

When to use: public APIs, shared organizational data, non-user-specific operations

Security model shift

  • The MCP server itself is the principal; it is not acting on behalf of a user
  • The client secret becomes a high-value credential
  • Apply secrets-management basics: a secrets manager, rotation, least privilege

Emerging Pattern: Gateway-Based Authorization

Closes the sequence-level authorization gap:

  • Intercept every request
  • Apply context-aware authorization policies
  • Consider time, user behavior, device trust, sequence of operations
  • Shift from binary token-validation to continuous evaluation
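One shape a sequence-aware gateway can take, as an added example (not the article's code): the request-level scope check still runs first, then rules over the session's recent calls, the clock and device trust decide between allow, deny and step_up. Tool names, the scope table, the 10-minute and business-hours windows and the Session record are constructed; demo() walks a session in which a private read followed by an external send is denied although each call is in scope.

```python
"""Sequence-level authorization at an MCP gateway.

Added example, not code from the GitGuardian article. Every tool call passes
through authorize(); the token-derived scopes are checked first, then rules
that look at the session's recent history, the clock and the device. Tool
names, scopes, thresholds and windows are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

# Request-level mapping: which scope each tool needs (constructed).
TOOL_SCOPES = {
    "search_docs": "document:read",
    "read_doc": "document:read",
    "export_table": "data:export",
    "send_email": "email:send",
}
INTERNAL_DOMAIN = "@corp.example"  # constructed


@dataclass
class Call:
    tool: str
    args: dict
    at: float


@dataclass
class Session:
    user: str
    device_trusted: bool
    history: deque = field(default_factory=lambda: deque(maxlen=200))


def _recent(session, tools, window, now):
    """Allowed calls of the given tools within the last `window` seconds."""
    return [c for c in session.history if c.tool in tools and now - c.at <= window]


def authorize(session: Session, granted_scopes: set, tool: str, args: dict, now: float):
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up'."""
    needed = TOOL_SCOPES.get(tool)
    if needed is None or needed not in granted_scopes:
        return "deny", "request-level: scope not granted"

    # Rule 1: exfiltration chain. Reading private data and then mailing an
    # external address within 10 minutes is denied even though both calls
    # are individually in scope.
    if tool == "send_email" and not args.get("to", "").endswith(INTERNAL_DOMAIN):
        if _recent(session, {"read_doc", "export_table"}, 600, now):
            return "deny", "sequence: private read followed by external send"

    # Rule 2: bulk read. 20+ document reads in a minute from an untrusted
    # device is unusual; require step-up instead of a hard deny.
    if tool == "read_doc" and not session.device_trusted:
        if len(_recent(session, {"read_doc"}, 60, now)) >= 20:
            return "step_up", "sequence: bulk read from untrusted device"

    # Rule 3: time context. Exports only between 08:00 and 18:00 UTC.
    if tool == "export_table":
        hour = int(now // 3600) % 24
        if not 8 <= hour < 18:
            return "deny", f"context: export outside business hours (hour {hour} UTC)"

    session.history.append(Call(tool, args, now))  # only allowed calls are recorded
    return "allow", "ok"


def demo():
    """Replay a constructed session; returns the list of decisions."""
    now = 1_700_000_000.0  # 22:13 UTC, outside business hours
    scopes = {"document:read", "email:send", "data:export"}
    session = Session(user="user-42", device_trusted=False)
    decisions = []
    steps = [
        ("read_doc", {"id": "q3-plan"}, now),
        ("send_email", {"to": "alice@corp.example"}, now + 10),
        ("send_email", {"to": "drop@attacker.example"}, now + 30),
        ("export_table", {"table": "customers"}, now + 40),
        ("export_table", {"table": "customers"}, now + 12 * 3600),  # 10:13 UTC
    ]
    for tool, args, at in steps:
        decisions.append(authorize(session, scopes, tool, args, at)[0])
    # Twenty quick reads pass; the twenty-first from this untrusted device does not.
    base = now + 24 * 3600
    for i in range(21):
        decision, _ = authorize(session, scopes, "read_doc", {"id": f"doc-{i}"}, base + i)
    decisions.append(decision)
    return decisions
```

The point of recording only allowed calls is that the history reflects what the agent actually did, not what it tried; a denied exfiltration attempt is worth logging separately, which is the audit trail's job rather than the policy state's.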

Key quote

"OAuth can confirm that a caller is authenticated and has permissions. What it cannot do is prevent an autonomous agent from chaining multiple legitimate tools in ways that produce unauthorized outcomes."

🔑 human.tech: Would You Trust an AI Agent With Your Private Key?

Source: human.tech Blog

Author: Shady El Damaty (co-founder of human.tech)

Published: 2026-03-10

Central question

AI agents are getting more autonomous, but should you trust one with your private key?

Key insights

  • Task-completion length is doubling roughly every 7 months (METR research)
  • LLMs are probabilistic: they draw no hard line between content and instructions
  • In crypto, a successful prompt injection means an irreversible on-chain transaction

Trust Boundary Shifts

The moment you extend controls to autonomous agents:

  • Trust boundary no longer ends at your device
  • Ends wherever input can reach the agent
  • That WhatsApp group you forgot you were in? Now an attack surface

WaaP (Wallet-as-a-Protocol) Architecture

Delegated Custody Model

Agent delegation doesn't change the 2PC split.
What changes is what gets built on top of it.

Two security boundaries

  1. Key never exists in full
    • Split between user and protector (secure enclave → Ika's 2PC-MPC network)
    • Agent has no surface to steal from
  2. Policy engine simulates every transaction
    • Checks spend limits, allowed contracts, time windows
    • Agent can't route around this
    • On-chain smart contract adds censorship-resistant governance layer

The Agent Wallet Design

By design, agent never enters cryptographic layer

  • Authenticates via API key
  • Submits requests through WaaP's signing interface
  • Hits policy engine on every operation

Permission tokens

  • Time-bound, human-approved credentials
  • Define exactly what agent is authorized to do
  • Spend limits, whitelisted addresses, hard expiry built in
  • Wallet owner approves via Telegram/ntfy.sh/email
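The two boundaries above, as an added example that is not human.tech or WaaP code: a human-approved PermissionToken carries spend limits, whitelisted recipients, allowed contracts and a hard expiry, and a PolicyEngine simulates each transaction against it before anything would be handed to the signer. The HMAC approval is a constructed stand-in for the protector-side check, as are the addresses, limits and the agent name.

```python
"""Permission token + policy engine for an agent wallet.

Added example, not human.tech / WaaP code. The human approves a time-bound
capability (spend limits, whitelisted recipients, allowed contracts, hard
expiry); the policy engine simulates every transaction against it before
anything reaches the signer. The approval MAC, addresses, limits and agent
names are constructed; a real deployment would have the protector sign.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Optional


@dataclass(frozen=True)
class PermissionToken:
    agent_id: str
    spend_limit: int       # cumulative over the token's lifetime
    per_tx_limit: int
    allowed_recipients: tuple
    allowed_contracts: tuple
    not_before: int
    expires_at: int
    approved_by: str       # human approver (Telegram/ntfy.sh/email in WaaP)

    def canonical(self) -> bytes:
        return json.dumps(asdict(self), sort_keys=True).encode()


@dataclass
class Tx:
    to: str
    value: int
    contract: Optional[str] = None


def approve(token: PermissionToken, approver_key: bytes) -> str:
    """Human-side approval: an HMAC over the canonical token (stand-in for a signature)."""
    return hmac.new(approver_key, token.canonical(), hashlib.sha256).hexdigest()


class PolicyEngine:
    """Sits between the agent's request and the signing boundary."""

    def __init__(self, token, approval, approver_key):
        if not hmac.compare_digest(approve(token, approver_key), approval):
            raise ValueError("token was not approved by the wallet owner")
        self.token, self.spent = token, 0

    def simulate(self, tx: Tx, now: int, agent_id: str):
        """Dry-run every check; returns (ok, reason) without changing state."""
        t = self.token
        checks = [
            (agent_id == t.agent_id, "token issued to a different agent"),
            (t.not_before <= now < t.expires_at, "outside the token's time window"),
            (tx.to in t.allowed_recipients, "recipient not whitelisted"),
            (tx.contract is None or tx.contract in t.allowed_contracts, "contract not allowed"),
            (tx.value <= t.per_tx_limit, "exceeds per-transaction limit"),
            (self.spent + tx.value <= t.spend_limit, "exceeds cumulative spend limit"),
        ]
        for ok, reason in checks:
            if not ok:
                return False, reason
        return True, "ok"

    def submit(self, tx: Tx, now: int, agent_id: str):
        """Simulate first; only a passing tx is forwarded to the (protector-side) signer."""
        ok, reason = self.simulate(tx, now, agent_id)
        if ok:
            self.spent += tx.value  # signing happens in the 2PC protector, never in the agent
        return ok, reason


def demo():
    key, t0 = b"constructed-approver-key", 1_700_000_000
    token = PermissionToken(
        agent_id="travel-agent", spend_limit=500, per_tx_limit=200,
        allowed_recipients=("0xCAFE", "0xBEEF"), allowed_contracts=("0xD00D",),
        not_before=t0, expires_at=t0 + 3600, approved_by="owner@example",
    )
    engine = PolicyEngine(token, approve(token, key), key)
    a = "travel-agent"
    out = [
        engine.submit(Tx("0xCAFE", 150), t0 + 10, a),
        engine.submit(Tx("0xBEEF", 150, contract="0xD00D"), t0 + 20, a),
        engine.submit(Tx("0xCAFE", 150), t0 + 30, a),
        engine.submit(Tx("0xCAFE", 100), t0 + 40, a),                  # 550 > 500 cumulative
        engine.submit(Tx("0xCAFE", 30, contract="0xBAD"), t0 + 50, a),
        engine.submit(Tx("0xEVIL", 10), t0 + 60, a),
        engine.submit(Tx("0xCAFE", 10), t0 + 7200, a),                 # past hard expiry
        engine.submit(Tx("0xCAFE", 10), t0 + 70, "other-agent"),
    ]
    # An agent that edits its own token to raise the limit invalidates the approval.
    forged = PermissionToken(**{**asdict(token), "spend_limit": 10_000})
    try:
        PolicyEngine(forged, approve(token, key), key)
        out.append((True, "forged token accepted"))
    except ValueError as err:
        out.append((False, str(err)))
    return out
```

The forged-token case is the one that matters for "capabilities, not keys": the agent authenticates with an API key and can submit any request it likes, but it cannot mint or widen a capability, because the approval binds the exact token the human saw.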

Core view

"Agents should be thought of as holding capabilities, not keys. The human is root authority. The agent is co-pilot."

— That's not a constraint on what agents can do, it's the condition under which they can be trusted to do more.

🆔 Grantex: Delegated Authorization Protocol for AI Agents

GitHub: mishrasanjeev/grantex

Stars: 23

Author: Sanjeev Mishra

Last updated: 2026-04-21

Positioning

What OAuth 2.0 is to humans, Grantex is to agents.

Problem statement

AI agents booking travel, sending emails, deploying code - but:

  • No scoping - agents get same access as key owner
  • No consent - users never approve what agent can do
  • No per-agent identity - know key was used, but not which agent or why
  • No revocation granularity - one agent misbehaves, rotate key, kill everything
  • No delegation control - Agent A calls Agent B? Copy-paste credentials
  • No spending limits - agent with cloud API key can provision unlimited resources

How It Works

7-step flow (five of the steps captured in these notes)

  1. Register the agent
    const agent = await grantex.agents.register({
      name: 'travel-booker',
      description: 'Books flights and hotels',
      scopes: ['calendar:read', 'payments:initiate:max_500', 'email:send'],
    });
    // → did:grantex:ag_01HXYZ...
  2. Request authorization: redirect the user to consentUrl
  3. Exchange the code for a grant token: an RS256 JWT
  4. Verify the token: JWKS URI + required scopes
  5. Log every action: audit trail (agentId, grantId, action, status, metadata)

v2.5 New Features

  • 🤖 @grantex/gemma:Day-zero Gemma 4 integration - offline consent bundles, <5ms verification on Raspberry Pi
  • 🔐 MCP Auth Server v2.0 GA:OAuth 2.1 + PKCE for any MCP server, Bronze/Silver/Gold certification
  • 📋 @grantex/dpdp:DPDP Act 2023 & EU AI Act compliance module
  • 🔍 Trust Registry:Public DID verification registry
  • ⚠️ Anomaly Detection:10 built-in rules, Slack/PagerDuty/Datadog integration

Technical Stats

  • 27 packages (TypeScript, Python, Go)
  • 4,147 tests (100% pass rate)
  • Integrations: Anthropic SDK, LangChain, OpenAI Agents SDK, Google ADK, CrewAI, Vercel AI, AutoGen, MCP, Express.js, FastAPI, Terraform
  • SOC 2 Type I Certified
  • Apache 2.0 license

Key Insight

"OAuth solved this for web apps. IAM solved it for cloud. AI agents have nothing. Until now."

🔒 AgentLock: Authorization Framework for AI Agent Tool Calls

GitHub: webpro255/agentlock

Stars: 14

Author: webpro255

Last updated: 2026-04-17

Positioning

Your AI agent needs a login screen. AgentLock is that login screen.

Problem statement

Every major AI agent framework (LangChain, CrewAI, AutoGen) treats tool calls as trusted function invocations:

  • No identity verification
  • No scope constraints
  • No access control

Example tool without protection

{
  "name": "send_email",
  "parameters": { "to": "string", "subject": "string", "body": "string" }
}

This tool will send email to anyone, with any content, at any time, for any reason, initiated by any user or attacker.

Solution: Permissions Block

AgentLock adds an `agentlock` block to every tool definition:

{
  "name": "send_email",
  "agentlock": {
    "version": "1.0",
    "risk_level": "high",
    "requires_auth": true,
    "allowed_roles": ["account_owner", "admin"],
    "scope": {
      "data_boundary": "authenticated_user_only",
      "max_records": 1,
      "allowed_recipients": "known_contacts_only"
    },
    "rate_limit": { "max_calls": 5, "window_seconds": 3600 },
    "data_policy": {
      "output_classification": "contains_pii",
      "prohibited_in_output": ["ssn", "credit_card"],
      "redaction": "auto"
    },
    "audit": { "log_level": "full", "retention_days": 90 },
    "human_approval": { "required": false }
  }
}

Risk Levels

Level     Description                        Default behavior
--------  ---------------------------------  ------------------------------------------
none      Read-only, non-sensitive           Auto-allow, minimal logging
low       Read-only, potentially sensitive   Auto-allow with auth, standard logging
medium    Write operations, limited scope    Auth + scope check + full logging
high      Write to external systems or PII   Auth + scope + rate limit + full logging
critical  Financial, destructive, or bulk    Auth + approval + full logging

Three-Layer Enforcement

┌──────────────────────────────────────────────┐
│  Layer 1: Agent (Conversation)               │
│  - Reads/writes messages                     │
│  - Decides which tool to call                │
│  - CANNOT authenticate, see credentials      │
├──────────────────────────────────────────────┤
│  Layer 2: Authorization Gate (AgentLock)     │
│  - Validates permissions                     │
│  - Verifies identity, role, scope            │
│  - Enforces rate limits                      │
│  - Issues single-use execution tokens        │
├──────────────────────────────────────────────┤
│  Layer 3: Tool Execution (Infrastructure)    │
│  - Validates token                           │
│  - Executes within scoped boundaries         │
│  - Token is single-use, time-limited         │
└──────────────────────────────────────────────┘

Key constraint: the agent never receives execution tokens; Layer 2 passes them directly to Layer 3.
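The permissions block and the three-layer diagram above, turned into one added example (not AgentLock's code or API): an AuthorizationGate evaluates the send_email block quoted above against a gate-verified identity, denies tools that carry no block, enforces role, known-contact recipients, max_records and the rate limit, then mints a single-use, 30-second ExecutionToken and hands it directly to the executor. The Identity record, contact list, token format and the returned dicts are constructed.

```python
"""Tool-level authorization gate with single-use execution tokens.

Added example modelled on the three-layer pattern, not AgentLock's code or API.
The policy dict is the send_email block quoted above; the Identity record,
contact list, token format, 30-second lifetime and decision dicts are constructed.
"""
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass

SEND_EMAIL_POLICY = {
    "version": "1.0", "risk_level": "high", "requires_auth": True,
    "allowed_roles": ["account_owner", "admin"],
    "scope": {"data_boundary": "authenticated_user_only", "max_records": 1,
              "allowed_recipients": "known_contacts_only"},
    "rate_limit": {"max_calls": 5, "window_seconds": 3600},
    "audit": {"log_level": "full", "retention_days": 90},
    "human_approval": {"required": False},
}
TOOLS = {"send_email": {"name": "send_email", "agentlock": SEND_EMAIL_POLICY},
         "delete_account": {"name": "delete_account"}}  # no block: denied


@dataclass(frozen=True)
class Identity:  # established by the gate, never asserted by the agent
    user_id: str
    roles: tuple
    known_contacts: tuple


@dataclass(frozen=True)
class ExecutionToken:
    token_id: str
    tool: str
    user_id: str
    expires_at: float


class ToolExecutor:
    """Layer 3: accepts a token once, within its lifetime, then runs the tool."""

    def __init__(self):
        self.used = set()

    def execute(self, token, args, now):
        if now > token.expires_at:
            return {"decision": "deny", "reason": "execution token expired"}
        if token.token_id in self.used:
            return {"decision": "deny", "reason": "execution token replayed"}
        self.used.add(token.token_id)  # single use
        return {"decision": "allow", "audit": {"tool": token.tool, "user": token.user_id}}


class AuthorizationGate:
    """Layer 2: the only component that sees both the identity and the token."""

    def __init__(self, tools, executor):
        self.tools, self.executor = tools, executor
        self.calls = defaultdict(deque)  # (user, tool) -> allowed-call timestamps

    def request(self, identity, tool, args, now):
        def deny(reason):
            return {"decision": "deny", "reason": reason}
        policy = self.tools.get(tool, {}).get("agentlock")
        if policy is None:
            return deny("no agentlock block: deny by default")
        if policy["requires_auth"] and identity is None:
            return deny("authentication required")
        if not set(identity.roles) & set(policy["allowed_roles"]):
            return deny("role not allowed")
        scope = policy["scope"]
        recipients = [r.strip() for r in args.get("to", "").split(",") if r.strip()]
        if len(recipients) > scope["max_records"]:
            return deny("max_records exceeded")
        if scope["allowed_recipients"] == "known_contacts_only":
            if any(r not in identity.known_contacts for r in recipients):
                return deny("recipient is not a known contact")
        limit = policy["rate_limit"]
        window = self.calls[(identity.user_id, tool)]
        while window and now - window[0] > limit["window_seconds"]:
            window.popleft()
        if len(window) >= limit["max_calls"]:
            return deny("rate limit")
        if policy["human_approval"]["required"]:
            return {"decision": "pending", "reason": "human approval required"}
        window.append(now)
        token = ExecutionToken(secrets.token_hex(16), tool, identity.user_id, now + 30)
        # The token goes straight to Layer 3; the agent only ever sees the result dict.
        return self.executor.execute(token, args, now)


def demo():
    executor = ToolExecutor()
    gate = AuthorizationGate(TOOLS, executor)
    owner = Identity("user-42", ("account_owner",), ("bob@corp.example",))
    viewer = Identity("user-99", ("viewer",), ("bob@corp.example",))
    now = 1_700_000_000
    out = [gate.request(owner, "send_email", {"to": "bob@corp.example"}, now)["decision"],
           gate.request(owner, "send_email", {"to": "stranger@evil.example"}, now + 1)["reason"],
           gate.request(owner, "send_email", {"to": "bob@corp.example, bob@corp.example"}, now + 2)["reason"],
           gate.request(viewer, "send_email", {"to": "bob@corp.example"}, now + 3)["reason"],
           gate.request(owner, "delete_account", {}, now + 4)["reason"]]
    for i in range(5):  # four more sends fill the 5-call window; the sixth is throttled
        last = gate.request(owner, "send_email", {"to": "bob@corp.example"}, now + 10 + i)
    out.append(last["reason"])
    stale = ExecutionToken("replay-demo", "send_email", "user-42", now + 100)
    executor.execute(stale, {"to": "bob@corp.example"}, now + 50)
    out.append(executor.execute(stale, {"to": "bob@corp.example"}, now + 51)["reason"])
    return out
```

Only allowed calls count against the rate limit, and only the gate can construct a token the executor will honour; an agent that somehow captured one gets exactly one use inside thirty seconds.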

Core Principles

Principle               What it means
----------------------  -------------------------------------------------------------------------
Deny by default         No permissions defined = denied. Always.
Tool-level enforcement  Each tool enforces its own permissions.
Identity-bound access   Every call is tied to a verified identity; the agent cannot assert identity.
Least privilege         Minimum access for the specific operation.
Framework-agnostic      Zero framework dependencies in the core.
Auditable               Every call generates an audit record. No exceptions.

Framework Integrations

pip install agentlock[langchain]    # LangChain
pip install agentlock[crewai]       # CrewAI

🛡️ KavachOS: Auth OS for AI Agents and Humans

GitHub: kavachos/kavachos

Stars: 6

Author: GLINCKER LLC

Last updated: 2026-04-20

Positioning

Auth for AI agents and humans. One library, both sides.

Why KavachOS

Most auth libraries stop at human sign-in. That leaves you stitching together separate systems when AI agents need:

  • Identity
  • Scoped permissions
  • Delegation
  • Audit trails

KavachOS handles both in one place.

Agent Identity Features

  • 🔑 Cryptographic bearer tokens (`kv_...`)
  • 🎯 Wildcard permission matching
  • 🔗 Delegation chains with depth limits
  • 💰 Budget policies per agent
  • ⚠️ Anomaly detection
  • CIBA-style approval flows for sensitive tool calls
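Wildcard permission matching and depth-limited delegation chains, as an added example (not KavachOS code): a child grant may carry only permissions its delegator holds and only part of the delegator's budget, every link in the chain is re-checked on use, and the chain cannot grow past MAX_DEPTH. Permission strings, budgets, agent names and the depth limit are constructed.

```python
"""Wildcard permission matching and attenuating delegation chains.

Added example, not KavachOS code. A delegate can only receive permissions its
delegator holds, only part of the delegator's budget, and the chain cannot
exceed MAX_DEPTH. Permission strings, budgets, agent names and the depth
limit are constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

MAX_DEPTH = 3


def permission_allows(granted: str, requested: str) -> bool:
    """Segment-wise wildcard match.

    'docs:read:*' covers 'docs:read:project-abc' but not 'docs:read' or
    'docs:read:x:y'; a trailing '**' covers any deeper path ('docs:**').
    """
    g, r = granted.split(":"), requested.split(":")
    if g[-1] == "**":
        g = g[:-1]
        if len(r) < len(g):
            return False
        r = r[:len(g)]
    if len(g) != len(r):
        return False
    return all(fnmatchcase(rs, gs) for gs, rs in zip(g, r))


@dataclass
class Grant:
    holder: str
    permissions: frozenset
    budget: int
    depth: int = 0
    parent: Optional["Grant"] = None

    def holds(self, permission: str) -> bool:
        return any(permission_allows(p, permission) for p in self.permissions)


def delegate(parent: Grant, to: str, permissions, budget: int) -> Grant:
    """Issue a child grant that is at most as powerful as the parent."""
    if parent.depth + 1 > MAX_DEPTH:
        raise ValueError(f"delegation depth limit {MAX_DEPTH} reached")
    for p in permissions:
        if not parent.holds(p):
            raise ValueError(f"{parent.holder} cannot delegate {p}: not held")
    if budget > parent.budget:
        raise ValueError("delegated budget exceeds delegator's remaining budget")
    parent.budget -= budget  # reserve the child's budget from the parent's
    return Grant(to, frozenset(permissions), budget, parent.depth + 1, parent)


def check(grant: Grant, permission: str, cost: int = 0):
    """Authorize an action: every link in the chain must still cover it."""
    link = grant
    while link is not None:
        if not link.holds(permission):
            return False, f"{link.holder} does not hold {permission}"
        link = link.parent
    if cost > grant.budget:
        return False, "budget exhausted"
    grant.budget -= cost
    return True, "ok"


def demo():
    root = Grant("user-42", frozenset({"docs:**", "email:send"}), budget=1000)
    planner = delegate(root, "planner", {"docs:read:*", "email:send"}, 300)
    researcher = delegate(planner, "researcher", {"docs:read:project-abc"}, 100)
    summarizer = delegate(researcher, "summarizer", {"docs:read:project-abc"}, 20)
    out = {"depths": (planner.depth, researcher.depth, summarizer.depth)}
    try:
        delegate(summarizer, "deeper", {"docs:read:project-abc"}, 10)
    except ValueError as err:
        out["depth_limit"] = str(err)
    try:
        delegate(planner, "writer", {"docs:write:project-abc"}, 10)  # planner only reads
    except ValueError as err:
        out["escalation"] = str(err)
    out["read1"] = check(researcher, "docs:read:project-abc", cost=60)
    out["read2"] = check(researcher, "docs:read:project-abc", cost=60)  # 20 left
    out["mail"] = check(researcher, "email:send")
    out["other_project"] = check(researcher, "docs:read:project-xyz")
    out["root_budget"] = root.budget
    return out
```

Walking the whole chain on every check is what makes revocation cheap: attenuating or emptying an upstream grant immediately cuts off every delegate below it without touching their records.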

Human Auth (14 Methods)

  • email/password, magic link, email OTP, phone SMS
  • passkey/WebAuthn, TOTP 2FA, anonymous
  • Google One-tap, Sign In With Ethereum
  • device authorization, username/password
  • captcha, password reset, session freshness

OAuth (17 Providers)

Apple, Atlassian, Discord, Dropbox, Figma, GitHub, GitLab, Google, LinkedIn, Microsoft, Notion, Reddit, Slack, Spotify, Twitch, Twitter/X, Zoom + generic OIDC factory

MCP OAuth 2.1 Authorization Server

  • PKCE S256
  • RFC 9728 / 8707 / 8414 / 7591 compliant
  • Authorization server for Model Context Protocol

Performance

2.6M warm-cache evals/sec with p99 of 500ns
Cold paths under 0.3ms p99 on direct permissions, RBAC role expansion, ReBAC graph lookups

Edge-Native

Works on Cloudflare Workers, Deno, Bun without code changes.

Three runtime dependencies: `drizzle-orm`, `jose`, `zod`.

Enterprise Features

  • Organizations with RBAC
  • SAML 2.0 and OIDC SSO
  • Admin controls (ban/impersonate)
  • API key management
  • SCIM directory sync
  • Multi-tenant isolation
  • GDPR export/delete/anonymize
  • Compliance reports: EU AI Act, NIST, SOC 2, ISO 42001

Packages (27+)

Core

  • `kavachos` - Core SDK
  • `@kavachos/client` - TypeScript REST client
  • `@kavachos/cli` - CLI tools
  • `@kavachos/dashboard` - React admin UI
  • `@kavachos/gateway` - Auth proxy

Framework adapters

Hono, Express, Next.js, Fastify, Nuxt, SvelteKit, Astro, NestJS, SolidStart, TanStack

🔗 Agent Identity Protocol (IETF Draft)

GitHub: sunilp/aip

Stars: 2

Author: sunilp

Last updated: 2026-04-17

Positioning

Agent Identity Protocol -- verifiable, delegable identity for AI agents across MCP and A2A.
IETF Internet-Draft
PyPI: agent-identity-protocol

💡 Key concepts summary

Authorization gap > authentication gap

Made explicit in the GitGuardian article:

  • OAuth solves request-level authorization
  • Non-deterministic agent sequences introduce sequence-level risks
  • Gateway-based authorization is the emerging pattern

Delegated Custody = Capabilities not Keys

human.tech's core view:

  • The agent should never hold the full key
  • Split-key architecture + policy engine = precise capability boundaries
  • The human is root authority; the agent is co-pilot

Agent identity infrastructure is taking shape

Three projects show that 2026 is the year agent identity heats up:

Project    Positioning
---------  --------------------------------------------------------------
Grantex    OAuth for agents, MCP Auth Server v2.0, SOC 2 Type I certified
AgentLock  Tool-level enforcement, deny by default
KavachOS   First-class agent identity + MCP OAuth 2.1 server

MCP OAuth 2.1 is becoming the standard

Three of today's sources (the GitGuardian article, Grantex's MCP Auth Server, KavachOS) build on MCP OAuth 2.1; the RFC set KavachOS lists is:

  • RFC 9728 (Protected Resource Metadata)
  • RFC 8707 (Resource Indicators)
  • RFC 8414 (Authorization Server Metadata)
  • RFC 7591 (Dynamic Client Registration)

Three-Layer Enforcement Pattern

AgentLock spells out three layers:

  • Layer 1: Agent (Conversation) - decision layer
  • Layer 2: Authorization Gate - verification layer
  • Layer 3: Tool Execution - execution layer

Key constraint: the agent never receives execution tokens.

Performance Numbers

  • Grantex: 4,147 tests, 100% pass; @grantex/gemma offline consent verification <5ms on a Raspberry Pi
  • KavachOS: 2.6M warm-cache evals/sec, p99 500ns
  • human.tech WaaP: the policy engine simulates every transaction before signing

🔗 Key links

Core articles/docs

  1. GitGuardian: OAuth for MCP - enterprise patterns for agent authorization
  2. human.tech: Delegated Custody Model - split-key architecture, policy engine

GitHub projects (ranked by stars)

  1. Grantex (23 ⭐) - OAuth for agents, 4,147 tests, SOC 2 Type I certified
  2. AgentLock (14 ⭐) - Tool-level authorization, Three-Layer Enforcement
  3. KavachOS (6 ⭐) - 2.6M evals/sec, MCP OAuth 2.1 server
  4. Agent Identity Protocol (2 ⭐) - IETF Draft for verifiable identity

Other related projects

  • neus/network (10 ⭐) - Portable trust layer for apps, people, and AI agents
  • cullis (0 ⭐) - Trust infrastructure for AI agents across organizations
  • Verifiable-Agent-Trust-Envelope (0 ⭐) - Discussion draft for verifier-side trust decisions
  • a2a-demos (2 ⭐) - CapiscIO Agent Guard and MCP Guard demos

🧭 Directions to dig into

  1. Grantex MCP Auth Server v2.0 - details of the Bronze/Silver/Gold certification program
  2. KavachOS CIBA approval flows - the approval mechanism for sensitive tool calls
  3. human.tech WaaP CLI - try the split-key architecture hands-on
  4. AgentLock decorator pattern - the Python decorator implementation of tool-level auth

🔍 Search keyword log

Keyword                              When               Result
-----------------------------------  -----------------  --------------------------------------------------------------
"AI agent authorization patterns"    2026-04-22 16:00   X/Twitter search - found the human.tech/CSA/GitGuardian articles
"agent authorization identity MCP"   2026-04-22 16:05   GitHub API - found grantex/agentlock/kavachos and other projects

Try next

  • "Agent delegation chains"
  • "MCP OAuth PKCE production"
  • "Agent permission tokens"