Skip to content

rogerchucker/agent-idp-ory

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
agent_idp_service
agent_idp_service
 
 
examples/incident_manager_demo
examples/incident_manager_demo
 
 
login_consent_app
login_consent_app
 
 
scripts
scripts
 
 
sdk/python/agent-idp-sdk
sdk/python/agent-idp-sdk
 
 
.env.hydra.example
.env.hydra.example
 
 
.gitignore
.gitignore
 
 
.hydra-client.env.example
.hydra-client.env.example
 
 
AGENTS.md
AGENTS.md
 
 
CLAUDE.md
CLAUDE.md
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
FEATURES.md
FEATURES.md
 
 
JWT.md
JWT.md
 
 
LICENSE
LICENSE
 
 
PLAN.md
PLAN.md
 
 
README-local.md
README-local.md
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
agent-identity-platform-comparison.docx
agent-identity-platform-comparison.docx
 
 
agent-identity.md
agent-identity.md
 
 
docker-compose.yml
docker-compose.yml
 
 

Repository files navigation

Agent IdP (Ory + Capability Tokens)

Agent IdP is an open-source reference implementation for running AI agents with workload identity, delegated authorization, short-lived capability tokens, and auditable tool execution.

What this repo contains

  1. agent_idp_service: Agent identity plane
  • Agent registry
  • Runtime attestation exchange
  • Delegation/grants
  • Capability JWT minting
  • Tool gateway enforcement (scope checks, replay defense)
  • Audit event APIs
  1. login_consent_app: Tiny Hydra login/consent app
  • Local auth + consent handling for OAuth/OIDC testing
  1. Hydra local stack and bootstrap scripts
  • docker-compose.yml
  • scripts/

Architecture

This project follows a layered model:

  1. Human auth/approval via Ory/Hydra
  2. Agent authentication via runtime attestation
  3. Delegation grants from approved incident/operations context
  4. Capability token minting for precise action/resource scope
  5. Gateway policy enforcement and full audit trail

Quick start

Agent IdP service (dev)

cd agent_idp_service
uv sync --extra dev
uv run uvicorn app.main:app --host 0.0.0.0 --port 7001 --reload

Run tests

cd agent_idp_service
uv run --extra dev pytest

Production baseline deployment

cd agent_idp_service
cp .env.production.example .env.production
# fill required values
docker compose -f docker-compose.prod.yml --env-file .env.production up -d --build

Security model

  • Capability JWTs are Ed25519-signed and short-lived.
  • Admin and internal APIs support key-gated access in production.
  • Gateway execution enforces action/resource scope and presenter binding.
  • JTI replay protection and revocation are enforced.

Documentation

  • Local Hydra setup: README-local.md
  • Token claim structure: JWT.md
  • Design requirements: PLAN.md

License

This project is licensed under the GNU Affero General Public License v3.0. See LICENSE.

Incident Manager Demo

A framework-comparison registration demo is included at: /Users/raj/ai/agents/agent-idp/examples/incident_manager_demo

It registers framework-specific RCA agent identities into the IdP using POST /agents (OpenAI Agents SDK, LangGraph, Claude Agent SDK, plus Google ADK and CrewAI adapter shapes).

Agent IdP SDK (Python)

A standalone framework-agnostic SDK package is included at: /Users/raj/ai/agents/agent-idp/sdk/python/agent-idp-sdk

It provides a shared IdP client and framework adapters so agents built on different SDKs can use the same Agent IdP integration path.

About

Open-source Agent Identity Plane on top of Ory/Hydra with capability tokens and gateway enforcement

Resources

Readme

License

AGPL-3.0 license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages