Get started
Give every agent action an identity you can verify
auth51 mints a scoped, single-use token for every outbound call your agent makes — created at the source, bound to a key that never leaves the process, and verified at the resource. No auth code in your tools. Pick where you're starting from.
Right now, when your agent calls a tool or an API, nothing proves which agent made the call, that its instructions weren't tampered with, or that a leaked token isn't being replayed by something else. That risk is invisible — until it isn't. auth51 makes every agent action carry a verifiable identity, and turning it on is a single import.
You will learn
- Why an agent's identity is a fingerprint of what it is, not a password
- How one import makes your agents identify themselves — no code changes
- How an unregistered agent shows up for you to approve
- Where to watch it happen, live
The one idea
An agent's identity isn't a secret it carries — it's a fingerprint of what it is: its system prompt and the tools it can call. The auth51 client watches your agent talk to its model, computes that fingerprint (a checksum), and matches it against the agents your org has registered. A match identifies the agent with no self-declaration; no match means it's unregistered — a signal in itself. You never tell auth51 which agent is running; it derives it.
Shared API key
One long-lived secret. Every call looks identical. A leaked token replays anywhere, as anyone, until someone notices and rotates it.
With auth51
Each call carries a fresh token — scoped to one action, bound to this agent's fingerprint and a key that never leaves the process. A stolen token is inert.
Quickstart
Create an API key
Sign in to the console — you get an org automatically — and create a key under Settings → API Keys. Set it in your agent's environment; the client reads it on import.
export AUTH51_CLIENT_ID=a51_live_... # Settings → API Keys
export AUTH51_CLIENT_SECRET=... # shown onceNote
Install and import
That's the whole integration. One import installs egress interception and, on your agent's first model call, identifies it from the wire. No configure(), no wrapping your code, no audiences to declare.
pip install auth51import auth51 # ← that's it
# ...run your agent exactly as you already do.
run_your_agent()Approve it in the console
The first time your agent runs, the client sends its observed identity — system prompt, tools, computed checksum — to your org's discovery inbox. It appears under Agents → Discovered. Review what it computed and click Register. From the next run on, that agent is recognized and its actions are governed.
Note
Recap
- API key in the environment +
import auth51— the entire integration. - The client derives each agent's identity from its model call; you don't declare anything.
- Unregistered agents surface in Discovered with the identity they computed — approve to register.
- Registered agents are recognized and governed automatically on the next run.
Advanced & self-host
The defaults above cover the managed (SaaS) path. Reach for these only when you need to.
▸Deep dive · Configure in code instead of env (and self-host)
configure() once at startup. On-prem, point it at your own servers — it never falls back to the SaaS discovery for a custom authority.import auth51
auth51.configure(
client_id="a51_live_...", client_secret="...",
# self-host only — SaaS is the default:
authority_url="https://authority.your-co.internal",
discovery_url="https://discovery.your-co.internal",
)▸Deep dive · Name an agent explicitly, or register from CI/CD
with auth51.agent("checkout-bot"): .... To register agents ahead of time (e.g. a deploy step) rather than discover them at runtime, POST their components to /v1/intent/register/agent — the same call the Approve button makes.▸Deep dive · Enforce at your resource servers (audiences)
audiences (or AUTH51_AUDIENCES) and verify them with the auth51 verifier on those services.