Open source · works with any agent

Give AI agents a pass,
not your master key.

Agents read your email, call your APIs, even spend your money. Hand each one a limited pass instead: only what you allow, gone in minutes, revoked in a click.

Works with ChatGPT · Claude · Gemini · MCP servers · any agent you build

How it works

A grant in, a pass out, revoke whenever.

STEP 01

You choose what it can do

Pick exact permissions, like read my inbox but never send.

STEP 02

It gets a short-lived pass

A signed token carrying only those permissions, good for 15 minutes.

STEP 03

You cut it off anytime

Revoke one agent, or all of them. Access stops instantly.

Why not just an API key

One of these you can take back.

API key: what agents get today

  • Full access to everything
  • Never expires
  • Can't be taken back
  • No record of what it did

AgentAuth pass: what you give instead

  • Only the permissions you pick
  • Expires in minutes
  • Revoke instantly
  • Every action logged

What is AgentAuth?

AgentAuth is open-source, OAuth-style authorization for AI agents and MCP servers. It issues scoped, short-lived, revocable tokens so an agent can act on a user’s behalf without a full-access API key.

How is AgentAuth different from an API key?

An API key grants full access, never expires, and can’t be taken back. An AgentAuth token is limited to the exact scopes you approve, expires in minutes, can be revoked instantly, and every use is logged.

Does AgentAuth work with MCP servers?

Yes. AgentAuth issues and verifies scoped tokens for MCP servers and agent tools, matching the MCP OAuth-style authorization model where each call is checked against the permissions the user granted.

What are scoped, short-lived tokens?

A scoped token carries only the permissions you grant, such as email:read but not email:send. Short-lived means it expires fast (15 minutes by default), so a leaked token is worthless within minutes.

How do you revoke an AI agent’s access?

Call revoke() by token, by agent, or by user. The next request that agent makes is rejected instantly, so you can disconnect a misbehaving agent in one line.
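
The scope, expiry and revocation checks described in the two answers above, as an added example that is not AgentAuth's code or API: it uses an HMAC from Node's built-in crypto module in place of jose, and every name in it (issue, check, revoke, the claim fields) is hypothetical.

```javascript
// Added example: not AgentAuth's code or API; every name here is hypothetical.
// Load node:crypto whether this runs as CommonJS or as an ES module.
const crypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const KEY = crypto.randomBytes(32); // issuer signing key, constructed for the demo
const revoked = { jti: new Set(), agent: new Set(), user: new Set() };
const b64 = (data) => Buffer.from(data).toString("base64url");
const mac = (data) => crypto.createHmac("sha256", KEY).update(data).digest();

// Issue a pass: scopes and expiry live inside the signed payload.
function issue({ user, agent, scopes, ttlSec = 15 * 60 }, now = Date.now()) {
  const claims = { jti: crypto.randomUUID(), sub: user, agent, scopes,
    exp: Math.floor(now / 1000) + ttlSec };
  const body = b64(JSON.stringify(claims));
  return `${body}.${b64(mac(body))}`;
}

// Check a pass for one required scope. Authenticate the bytes first and
// only then trust anything parsed out of them.
function check(token, requiredScope, now = Date.now()) {
  const [body, sig, ...rest] = String(token).split(".");
  if (!body || !sig || rest.length) return { ok: false, reason: "malformed" };
  const given = Buffer.from(sig, "base64url");
  const expected = mac(body);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "bad_signature" };
  const c = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (now / 1000 >= c.exp) return { ok: false, reason: "expired" };
  if (revoked.jti.has(c.jti) || revoked.agent.has(c.agent) || revoked.user.has(c.sub))
    return { ok: false, reason: "revoked" };
  if (!c.scopes.includes(requiredScope))
    return { ok: false, reason: "missing_scope" };
  return { ok: true, claims: c };
}

// Revoke by token id, by agent, or by user; takes effect on the next check().
function revoke({ jti, agent, user }) {
  if (jti) revoked.jti.add(jti);
  if (agent) revoked.agent.add(agent);
  if (user) revoked.user.add(user);
}
```

Expiry is enforced from the signed claim alone, while revocation only takes effect where the verifier consults shared revocation state on every request.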

Is AgentAuth free and open source?

Yes. AgentAuth is MIT licensed and free to use. The core has a single dependency (jose) and runs anywhere Node.js does.

See the gate in action.

A real demo: connect an agent, watch it get allowed and blocked by what you granted, then revoke it.