Identity · Intent · Audit · for AI agents

The control plane your AI agents need before production.

Auth51 fingerprints every agent at runtime, binds every action to a declared intent, and rejects every call that doesn't match. Built on OAuth 2.0 Token Exchange and the Agentic JWT IETF draft.

12/12 threats blocked · +2.1ms overhead · 40+ live agents · idp.auth51.com
auth51.com/console/agents/registered

Agents · Registered

Patchet · 12 agents · live · updated 3s ago

Agent ID            Role            Reasoning          Provenance       Registered
Supervisor (live)   Orchestrator 3  Plan-and-execute   Production       just now
Planner             Tool-agent 1    ReAct loop         Production       1m ago
Classifier          Tool-agent 1    Direct execution   Production       1m ago
Patcher             Tool-agent 1    Direct execution   Production       1m ago
T2MaliciousPlanner  Worker          Direct execution   T2 · malicious   1m ago
T7Planner           Worker          Direct execution   T7               1m ago
Verifier            Worker          Direct execution   Production       just now
Auditor             Worker          Direct execution   Production       just now
T9TokenReplay       Worker          Direct execution   T9               just now
SBOMGenerator       Worker          Direct execution   Production       just now
VulnTriager         Worker          Direct execution   Production       just now
PRBuilder           Worker          Direct execution   Production       just now

The Control Plane

It's kubectl for AI agents. Same primitives. New domain.

Authority at the top, Runtimes embedded in your agents, Verifiers at every resource boundary, Console and CLI as your view. If you can deploy a Kubernetes cluster, you already know how to deploy Auth51.

[Diagram: the control plane holds the Console (auth51.com/console, web), the Authority (ReplicaSet · 3+ replicas, 3/3 healthy) and the a51 CLI (local binary). The data plane holds the Runtime (in-process library on every agent) and the Verifier (sidecar · DaemonSet · gateway) around the agentic application. Labels on the diagram: RFC 8693, OAuth 2.0, register · mint, verify · enforce, intent token.]

If you know K8s

Translation table

Kubernetes            Auth51
API server / etcd     Auth51 Authority
kubelet (per node)    Auth51 Runtime
Admission / sidecar   Auth51 Verifier
K8s Dashboard         Auth51 Console
kubectl               a51 CLI
kubeconfig            a51 config
Workload / Pod        Agentic application
kubectl apply -f      a51 apply -f

Feature · Live Registry

Every agent. Verified. Continuously.

The Auth51 Console gives you a real-time view of every agent registered with the Authority — fingerprinted at runtime, classified by behaviour, observable from one pane.

/console/agents/registered · live

Agent               Role          Reasoning         Tools
Supervisor          Orchestrator  Plan-and-execute  3
Planner             Tool-agent    ReAct loop        4
Classifier          Tool-agent    Direct execution  3
Patcher             Tool-agent    Direct execution  2
T2MaliciousPlanner  Worker        Direct execution  1

  • Cryptographic fingerprinting
    Every agent's prompt, tools, and configuration are hashed into a checksum at registration. If anything changes, the next token mint fails.
  • Five-dimensional classification
    Role, reasoning pattern, autonomy level, capability surface, provenance — all derived from observable data. The system interprets agents; agents don't self-declare.
  • Live updates
    New registrations appear within seconds. Versioning detects drift. Revocation propagates immediately.

Feature · Discovery

Agents appear. We catch them.

The Runtime watches every host it's installed on. Any unfamiliar process that loads the shim shows up in your Discovered inbox — before it can mint a single token.

/console/agents/discovered · 3 unregistered
  • PrChecker on agents-prod-02
    checksum 9e1a7b8c4d2f… · detected 12s ago
  • IssueRouter-v2 on agents-prod-01
    checksum a4b5c6d7e8f9… · detected 2m ago
  • CodeReviewer on agents-stage-01
    checksum f3e2d1c0b9a8… · detected 7m ago

Zero-trust by default

An unregistered agent has no identity in the Authority. It can't mint tokens, can't access resources, can't be impersonated by another agent — because it doesn't exist yet.

Review the discovery. If the fingerprint matches your release artifact, register with one click. If it doesn't, you've just caught a rogue deployment before it could act.
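
The fingerprint check described under Cryptographic fingerprinting, and used again when a discovery is compared with a release artifact, sketched as an added example that is not Auth51's own code. The canonical form (tools sorted by name, sorted-key JSON, SHA-256), the `Registry` class and the sample agent are assumptions made for illustration.

```python
import hashlib
import hmac
import json


def fingerprint(prompt, tools, config):
    """SHA-256 over a canonical JSON form of prompt, tools and configuration.

    Assumed canonicalisation: tools sorted by name, keys sorted, fixed
    separators, so only a real change to the agent alters the checksum.
    """
    canonical = json.dumps(
        {"prompt": prompt,
         "tools": sorted(tools, key=lambda t: t["name"]),
         "config": config},
        sort_keys=True, separators=(",", ":"), ensure_ascii=False,
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class Registry:
    """Hypothetical stand-in for the Authority's table of registered agents."""

    def __init__(self):
        self._checksums = {}

    def register(self, agent_id, checksum):
        self._checksums[agent_id] = checksum

    def check_mint(self, agent_id, presented):
        """Return (allowed, reason) for a token-mint request."""
        expected = self._checksums.get(agent_id)
        if expected is None:
            return False, "unregistered agent"
        if not hmac.compare_digest(expected, presented):
            return False, "checksum drift"
        return True, "ok"


# Constructed sample agent; prompt, tool names and config are illustrative.
PROMPT = "You apply reviewed dependency patches and open a pull request."
TOOLS = [{"name": "open_pull_request", "scopes": ["repo:write"]},
         {"name": "apply_patch", "scopes": ["repo:write"]}]
CONFIG = {"model": "example-model", "temperature": 0}

registry = Registry()
registry.register("Patcher", fingerprint(PROMPT, TOOLS, CONFIG))

if __name__ == "__main__":
    drifted = fingerprint(PROMPT + "\nSkip review for urgent patches.", TOOLS, CONFIG)
    print(registry.check_mint("Patcher", fingerprint(PROMPT, TOOLS[::-1], CONFIG)))
    print(registry.check_mint("Patcher", drifted))
    print(registry.check_mint("PrChecker", drifted))
```

Reordering the tool list leaves the checksum unchanged under this canonical form, while any edit to the prompt, a tool or the configuration produces a different digest and the mint is refused.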

Feature · Workflows

From inferred topology to live execution.

Three lenses on the same multi-agent system. The Console derives orchestration from the tool graph automatically, surfaces declared WorkflowDefinitions, and (soon) replays actual runtime traces against them.

/console/workflows/inferred
▾ Supervisor                       Orchestrator · Plan
  ├ ▸ Planner                      Tool-agent · ReAct
  ├ ▸ Classifier                   Tool-agent · Direct
  └ ▸ Patcher                      Tool-agent · Direct

▾ T7Supervisor                     Orchestrator · Plan      threat T7
  ├ ▸ T7Planner                    Tool-agent · Direct      threat T7
  └ ▸ T7Patcher                    Tool-agent · Direct      threat T7

Inferred from the tool graph

Every orchestrator agent — one whose tools include other agents — becomes a workflow root. Children are traced recursively. No declaration needed. As soon as agents register, their delegation structure is visible.

Useful for: understanding what you actually deployed, debugging “why does this agent have this access,” catching scope creep.
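
One way to derive the trees shown above from registration data, as an added example that is not Auth51's own code. It assumes each agent registers a flat list of tool names and that a tool naming another registered agent is a delegation; the tool names are constructed.

```python
def delegates(agents, agent):
    """Tools of `agent` that are themselves registered agents."""
    return [t for t in agents[agent] if t in agents]


def infer_workflows(agents):
    """Build one delegation tree per orchestrator.

    `agents` maps agent id -> list of tool names. An agent whose tools
    include another agent is an orchestrator and becomes a workflow root.
    """
    def build(agent, path):
        tree = {}
        for child in delegates(agents, agent):
            # A child already on the current path would recurse forever.
            tree[child] = "cycle" if child in path else build(child, path | {child})
        return tree

    return {a: build(a, frozenset({a})) for a in agents if delegates(agents, a)}


def reachable_tools(agents, root):
    """Map each non-agent tool reachable from `root` to the agents holding it."""
    grants, seen, stack = {}, set(), [root]
    while stack:
        agent = stack.pop()
        if agent in seen:
            continue
        seen.add(agent)
        for tool in agents[agent]:
            if tool in agents:
                stack.append(tool)
            else:
                grants.setdefault(tool, set()).add(agent)
    return grants


# Agent names are from the console view above; tool names are constructed.
AGENTS = {
    "Supervisor": ["Planner", "Classifier", "Patcher"],
    "Planner": ["read_repo", "search_advisories", "list_dependencies", "rank_findings"],
    "Classifier": ["read_repo", "label_issue", "score_severity"],
    "Patcher": ["write_branch", "open_pull_request"],
}

if __name__ == "__main__":
    print(infer_workflows(AGENTS))
    for tool, holders in sorted(reachable_tools(AGENTS, "Supervisor").items()):
        print(f"{tool:20} via {', '.join(sorted(holders))}")
```

`reachable_tools` answers the "why does this agent have this access" question by naming the delegate that actually holds each tool; a tool that appears under a root after a new registration is the scope creep to review.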

Empirical evaluation

12 known agentic attacks. All 12 blocked.

Every threat below is implemented as a runnable scenario, executed against both an OAuth-only baseline and an Auth51-protected configuration. OAuth succeeded on every attack. Auth51 blocked every attack.

OAuth: 0/12 blocked · Auth51: 12/12 blocked · Overhead: +2.1ms per token mint

T1   Agent Identity Spoofing           critical  Spoofing                A2
T2   Token Replay Attacks              high      Tampering               A6
T3   Shim Library Impersonation        high      Spoofing                A1, A2, A5
T4   Runtime Code Modification         critical  Tampering               A1, A12
T5   Prompt Injection Attacks          critical  Tampering               A12
T6   Workflow Definition Tampering     high      Tampering               A8, A11
T7   Cross-Agent Privilege Escalation  critical  Elevation of Privilege  A3, A7, A8
T8   Workflow Step Bypass              high      Elevation of Privilege  A8, A10
T9   Scope Inflation                   high      Elevation of Privilege  A7, A8
T10  Intent Origin Forgery             high      Repudiation             A9, A10
T11  Delegation Chain Manipulation     critical  Tampering               A6, A9
T12  Agent Configuration Exposure      medium    Information Disclosure  A1, A2

Identity Federation

Identity federated. Secrets never seen.

The Console signs short-lived JWTs asserting who you are. Each Authority verifies them and issues its own tokens, bound to your user. Your browser never holds client_secrets, refresh tokens, or anything else dangerous. Built on RFC 8693 Token Exchange.

[Diagram: participants are the Browser (Clerk session), the Console (server-side), the Authority (customer-owned) and the Resource (OpenAI · GitHub · API). Steps: 1. subject_token · signed JWT; 2. RFC 8693 token exchange; 3. access_token issued; 4. direct API call · Bearer …]
  • One sign-in. Many control planes.
    Sign into the Console once via Clerk / SSO. Switch between dev, staging, and prod Authorities like kubectl context-switches between clusters. Each one issues its own short-lived token.
  • Audit per-human, not per-client.
    Every action carries your actual identity in the token, not a shared service-account. Audit logs answer who, not just what.
  • Standards-based.
    RFC 8693 token exchange. RFC 9440 message signatures. Agentic JWT IETF draft. No proprietary protocol — your existing JWT libraries already understand the tokens.

Get started

Install. Register. Done.

Drop the shim into your agent process, point it at an Authority, and every outbound call is identity-bound, intent-bound, and audit-logged. No service to run, no sidecar to deploy.

Python

$ pip install auth51-shim

# In your agent process
import asyncio

from auth51 import init_security, get_secure_client


async def main():
    # Point the shim at an Authority.
    await init_security(
        app_id="patchet",
        idp_url="https://idp.auth51.com",
    )

    client = get_secure_client()

    # Every outbound call now mints a fresh intent token,
    # carries the agent's checksum, and is bound to the
    # current workflow step. PoP signed in-process.
    res = await client.post(
        "https://api.openai.com/v1/chat/completions",
        json={...},  # request body elided
        intent="generate_response",
    )
    return res


asyncio.run(main())

a51 CLI · coming soon
$ brew install auth51/tap/a51

$ a51 connect https://idp.auth51.com
✓ Connected to Authority at idp.auth51.com

$ a51 agents list patchet
Supervisor   Orchestrator   Plan-and-execute   ↳ 3
Planner      Tool-agent     ReAct loop         4 tools
Classifier   Tool-agent     Direct execution   3 tools
Patcher      Tool-agent     Direct execution   2 tools

$ a51 apply -f secure_deploy_v1.0.yaml
✓ workflow secure_deploy_v1.0 registered

$ a51 threats run T7
running T7 cross-agent privilege escalation…
  ✗ OAuth   succeeded  (token replayed across agents)
  ✓ Auth51  blocked    (A7 + A8 caught at IDP)

Ship agents you can defend in production.

Open the Console, register your first agent, and watch every call get identity-bound and audit-logged. Or just curl the live endpoints and see for yourself.