AgentOAuth

Verifiable consent for AI agents

OAuth proves access.
AgentOAuth proves intent.

AgentOAuth is an open protocol for verifiable consent between AI agents and the systems they act on. Each action carries a signed Consent Token that encodes who acted, what they did, and under which limits.

“The economy runs on trust. Take away trust, and it doesn’t work — not even for a day.” Charlie Munger

★ View on GitHub Try verifier.agentoauth.org

Open protocol · MIT licensed • Built for agentic systems

The Problem

Agents get broad permissions. Systems get no proof.

OAuth was built for human clicks and long-lived app permissions. As AI agents start reading email, paying invoices, and booking travel, there’s no portable way to prove who did what, under which limits.

Broad, opaque scopes

“This app can read, send, and delete your email.” Great for apps, dangerous for agents. There’s no way to narrow consent to “just my receipts” or “only this week.”

No verifiable intent

Systems see a request and an access token. They don’t see whether the user actually authorized this action, for this amount, in this time window.

Hard to audit & share

Consent lives in logs and UI screens, not in portable, signed artifacts. It’s hard to answer “who approved this?” after the fact.

The Protocol

AgentOAuth in one idea: every action carries a signed policy.

Instead of trusting an agent blindly, the system checks a signed Consent Token: “User X allowed Agent Y to do Action Z under Policy P.”

1. Define a policy

Policies capture who may act, on which resources, with what limits (amount, frequency, time windows).

Actor & Agent Resource Amount / Limits Expiry

              
{
  "actor": { "user_id": "user_123", "agent_id": "agent_demo" },
  "action": "pay",
  "resource": "merchant.example",
  "limit": { "amount": 200, "period": "week" },
  "time": { "expires_at": "2025-12-31T23:59:59Z" }
}
              
            

2. Issue a Consent Token

The agent attaches a signed Consent Token to each sensitive request. Receivers don’t need to trust the agent — they can verify the token independently.

              
const policy = buildPolicy({...});
const token  = await issueConsent({ policy, privateKey });
const result = await verifyWithHostedVerifier(token);

Tokens are JWT/JWS-based, designed to be easy to inspect and debug.

Hello World

Try the “agent pays a merchant” demo.

A tiny example that shows what AgentOAuth does: enforce a scoped policy and return a clear allow/deny decision with a signed receipt.

Run it locally

Clone the repo and run the demo with one command:

              
git clone https://github.com/agentoauth/agentoauth
cd agentoauth
pnpm install
pnpm demo

You’ll see:
• Policy: pay up to $200/week to merchant.example
• Attempt #1: $150 → ALLOW
• Attempt #2: $500 → DENY (EXCEEDS_POLICY_LIMIT)

Or call the hosted verifier

Use the hosted service at verifier.agentoauth.org to validate Consent Tokens from any agent/runtime.

              
POST https://verifier.agentoauth.org/verify
Content-Type: application/json

{
  "token": "<agent_oauth_consent_token>"
}

The response includes:
• decision: ALLOW / DENY
• reason: e.g. EXCEEDS_POLICY_LIMIT
• receipt: signed record of what was verified

For Builders

What you can build with AgentOAuth today.

AgentOAuth is designed to be a small, composable brick in your stack — not a platform. You can drop it into existing agents, backends, or workflows.

Scoped email agents

Let an agent read only receipts or invoices from Gmail, with explicit time windows and resource filters — instead of full inbox access.

Guardrails for payments

Wrap Stripe/AP2/x402 calls with enforced limits: specific merchants, amounts, or policies that must be satisfied before money moves.

Audit-ready automation

Every approved action yields a signed receipt. Later you can answer “who authorized this, under which policy?” without trawling logs.