Built for NIST AI Agent Standards · IETF draft-klrc-aiagent-auth-00

The missing authorization layer for AI agents

Drop-in security middleware that gives every AI agent a cryptographic identity, evaluates every action against policies, and produces a tamper-evident audit trail — powered by Auth0.

Auth0 CIBA · SPIFFE IDs · SHA-256 Audit · OPA Policy

93% of AI agent projects have no authorization layer
< 1ms authorization overhead per request
5 Gates every request passes through before execution
100% tamper-evident audit trail coverage

The Five Gates

Every request. Every agent. No exceptions.

A five-layer protocol that runs in under 1ms, invisible to agents but enforced on every call.

1. Identity - Verify agent SPIFFE ID & OAuth token
2. Intent - Parse AuthZEN 4-tuple: who, what, where, context
3. Policy - Evaluate rules → ALLOW / ESCALATE / DENY
4. Consent - Auth0 CIBA push notification for human approval
5. Token - Issue scoped, time-limited token from Token Vault

What AgentGate Builds

Enterprise-grade security for every agent

Six security layers that work together to ensure no agent ever acts without authorization.

Cryptographic Agent Identity

Every agent gets a SPIFFE ID and signed JWT. Anonymous agents are rejected before they touch any resource.

OPA Policy Engine

AuthZEN 4-tuple evaluation (subject + action + resource + context) with natural language policy compilation.

CIBA Human-in-the-Loop

Sensitive actions trigger Auth0 Guardian push notifications. Users approve or deny in real-time.

Auth0 Token Vault

Agents never see raw OAuth tokens. Token Vault issues scoped, time-limited credentials with 60s TTL.

Hash-Chained Audit Trail

SHA-256 hash chain over every decision. Tamper-evident, exportable as JSON, verifiable in-dashboard.

Cascade Revocation

Revoke one agent, one service, or everything (PANIC). All downstream tokens destroyed instantly.
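
How a SHA-256 hash chain over decisions makes edits and deletions detectable, shown as an added example that is not AgentGate's own code. The record layout (prev, decision, hash), the all-zero genesis value, the field names and the sample SPIFFE IDs are assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record (not from the page)

def record_hash(prev_hash, decision):
    """SHA-256 over the previous record's hash plus canonical JSON of the decision."""
    body = json.dumps(decision, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(chain, decision):
    """Link a new decision to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "decision": decision,
                  "hash": record_hash(prev, decision)})
    return chain

def verify(chain, expected_head=None):
    """Return the index of the first bad record, or None if the chain is intact.

    expected_head is the last hash as stored outside the log; without it,
    dropping records from the tail (or rewriting the whole log) goes unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("prev") != prev or rec.get("hash") != record_hash(prev, rec.get("decision")):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None

def build_sample():
    """Constructed sample decisions; field names are assumptions."""
    chain = []
    for agent, action, outcome in [
        ("spiffe://example.org/agent/mail-reader", "gmail.list_emails", "ALLOW"),
        ("spiffe://example.org/agent/mail-reader", "gmail.send_email", "ESCALATE"),
        ("spiffe://example.org/agent/unknown", "gmail.delete_email", "DENY"),
    ]:
        append(chain, {"agent": agent, "action": action, "outcome": outcome})
    return chain

if __name__ == "__main__":
    log = json.loads(json.dumps(build_sample()))  # round-trip through a JSON export
    print("intact:", verify(log, expected_head=log[-1]["hash"]))
    edited = copy.deepcopy(log)
    edited[1]["decision"]["outcome"] = "ALLOW"     # rewrite a past decision
    print("first bad record after edit:", verify(edited))
```

The chain alone proves internal consistency only; the head hash has to be kept somewhere the log writer cannot modify for truncation or a full rewrite to be caught.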

Framework Agnostic

One endpoint. Every agent framework.

Any agent that can make an HTTP request works with AgentGate. No framework lock-in.

CrewAI · LangGraph · AutoGPT · MCP · Custom Python · Any HTTP Agent

All frameworks use the same single endpoint — POST /api/authorize

Built on Real Standards

Not invented here — built on IETF, NIST, CNCF, and OpenID Foundation specifications.

Auth0 Token Vault · Auth0 CIBA + Guardian · IETF draft-klrc-aiagent-auth-00 · NIST AI Agent Standards · AuthZEN (OpenID Foundation) · SPIFFE / WIMSE · OPA (CNCF Graduated)

Quick Start

Connect your agent in 2 API calls

No SDK required. Any agent that can make HTTP requests works.

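1. Register your agent

# AGENTGATE_URL is a placeholder for the base URL of your AgentGate deployment
curl -X POST "$AGENTGATE_URL/api/agents/register" \
  -H "Authorization: Bearer ag_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-agent",
    "framework": "crewai",
    "capabilities": ["gmail.read"],
    "trustTier": "T1"
  }'
# → { "agentId": "...", "token": "eyJ..." }

2. Authorize every action

# agentToken is the "token" value returned by the register call
curl -X POST "$AGENTGATE_URL/api/authorize" \
  -H "Authorization: Bearer ag_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "agentToken": "eyJ...",
    "action": { "type": "read",
      "operation": "list_emails",
      "service": "gmail" }
  }'
# → { "allowed": true, "token": {...} }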

Ready to secure your AI agents?

Open the dashboard to watch agents register, request access, trigger CIBA consent, and get cascade-revoked in real-time.
