Agent Auth Proxy
A unified auth layer for multi-agent systems. Human-initiated and autonomous calls flow through the same three-step proxy: RBAC, grant check, execute.
The Problem
Calls come from two worlds: a user in a chat session, or an autonomous agent running a plan at 3 AM. Traditional auth assumes a user is always present.
The Insight
Two orthogonal checks: a role ceiling (what the role allows) and a grant (explicit allow/deny). No user? Skip roles, require a pre-authorized grant.
Scoped Grants
Short-lived grants (once, turn, session) are user-scoped. Long-lived grants (task, always) are workspace-scoped — any caller matches, including headless agents.
Interactive Consent
No grant + user present? Prompt in real time via chat. The response becomes a stored grant. No user? Deny and escalate.
Architecture & Simulator
Has User
Chat session, user-initiated call
No User
Orchestrator, scheduled task, agent-to-agent
Auth Proxy (shared library)
1. RBAC
Has user? Check role.
No user? Skip.
2. Grant
Has grant? Apply it.
No grant + user? Prompt.
No grant + no user? Deny.
3. Execute
Allowed → run the call.
Policy Engine (RBAC)
Role → permitted actions
Grant Store
Allow/deny decisions at scoped granularity
Resource API
Workspace API
Storage API
Review API
User-scoped: ONCE | TURN | SESSION
Key: workspaceId + grantedBy + action
Workspace-scoped: TASK | ALWAYS
Key: workspaceId + action
Policy Engine (RBAC)
Role → permitted actions. Only when there's a user.
| Role | Read | Update | Create | Upload | Approve | Delete |
|---|---|---|---|---|---|---|
Grant Store
User-scoped or workspace-scoped grants.
| Action | Decision | Scope | Type | By | Status |
|---|---|---|---|---|---|
Audit Log
The Three-Step Flow
RBAC
Check the user's role against the policy engine. This is the ceiling — no grant can exceed it.
Grant
Look up existing grants. None found + user present? Prompt. None + no user? Deny.
Execute
Both passed. Forward the call downstream with the caller's identity.
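The three-step flow and the two grant key shapes described above, as an added sketch that is not the project's own code. Assumptions: the role table, the `prompt(user, action)` consent callback, the string return values, and checking a user-scoped grant before a workspace-scoped one are all hypothetical; expiry of `turn` and `session` grants is not modelled.

```javascript
// Constructed sample policy (Role -> permitted actions); not taken from the page.
const ROLE_ACTIONS = new Map([
  ["viewer", new Set(["read"])],
  ["editor", new Set(["read", "update", "create", "upload"])],
]);
const USER_SCOPED = new Set(["once", "turn", "session"]);
const WORKSPACE_SCOPED = new Set(["task", "always"]);

class GrantStore {
  constructor() { this.grants = new Map(); }
  put({ scope, workspaceId, grantedBy, action, decision }) {
    // Reject unknown scopes so a bad value can never widen to workspace scope.
    if (!USER_SCOPED.has(scope) && !WORKSPACE_SCOPED.has(scope)) throw new Error("bad scope");
    const key = USER_SCOPED.has(scope)
      ? `u|${workspaceId}|${grantedBy}|${action}` // workspaceId + grantedBy + action
      : `w|${workspaceId}|${action}`;             // workspaceId + action
    this.grants.set(key, { scope, decision });
  }
  lookup(workspaceId, userId, action) {
    // Assumption: a user-scoped grant is consulted before a workspace-scoped one.
    const userKey = `u|${workspaceId}|${userId}|${action}`;
    const grant = userId ? this.grants.get(userKey) : undefined;
    if (grant && grant.scope === "once") this.grants.delete(userKey); // single use
    return grant || this.grants.get(`w|${workspaceId}|${action}`);
  }
}

// prompt(user, action) is a hypothetical consent callback returning { decision, scope }.
function authorize(store, { workspaceId, user, action }, prompt) {
  // 1. RBAC: the role ceiling applies only when a user is present; unknown roles fail closed.
  if (user) {
    const allowed = ROLE_ACTIONS.get(user.role);
    if (!allowed || !allowed.has(action)) return "deny:rbac";
  }
  // 2. Grant: apply a stored grant, prompt a present user, or deny a headless caller.
  const userId = user ? user.id : null;
  let grant = store.lookup(workspaceId, userId, action);
  if (!grant) {
    if (!user) return "deny:no-grant"; // nobody to ask: deny and escalate
    const { decision, scope } = prompt(user, action);
    store.put({ scope, workspaceId, grantedBy: user.id, action, decision });
    grant = store.lookup(workspaceId, userId, action);
  }
  // 3. Execute: the caller forwards the call downstream only on "allow".
  return grant.decision === "allow" ? "allow" : "deny:grant";
}
```

A workspace-scoped allow lets a headless caller through with no role check, while a user whose role lacks the action is still stopped at step 1.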