Skip to main content
End-users (the people your agents act on behalf of) need visibility and control over which agents have access to their data. The Permission Dashboard lets you generate a short-lived, secure link that your users can open to view and revoke agent access — no API key needed.

How It Works

  1. Developer generates a session URL — Your backend calls POST /v1/principal-sessions with the user’s principalId and gets back a short-lived session token embedded in a URL.
  2. You share the URL with the user — Via email, in-app notification, settings page link, etc.
  3. User opens the dashboard — They see all agents with active access, scopes granted, and a revoke button for each.
  4. User revokes access — One click revokes the grant and cascade-revokes any delegated sub-grants.
Session tokens are JWT-based, scoped to a specific principal+developer pair, and expire after 1 hour by default (max 24 hours).

Generate a Session URL

Using curl

Response:

Using the TypeScript SDK

Parameters

principalId
string
required
The user’s principal ID — the same userId / principalId used when creating authorization requests.
expiresIn
string
default:"1h"
How long the session token is valid. Format: "30m", "1h", "24h". Capped at 24 hours.

Response

What the User Sees

When the user opens the dashboard URL, they see:
  • Apps with access — A card for each agent with an active grant, showing the agent name, description, granted scopes, issue date, expiry date, and a “Revoke access” button.
  • Recent activity — A table of recent audit log entries for actions taken by agents on their behalf.
  • Session expired — If the session token has expired, a clear message asking them to request a new link.

Revoking Access

When a user clicks “Revoke access” on a grant:
  1. The grant is marked as revoked
  2. All delegated sub-grants (child grants from agent-to-agent delegation) are also revoked
  3. Redis revocation keys are set so tokens are rejected immediately
  4. A grant.revoked webhook event is fired
This is the same cascade-revoke behavior as the developer-facing DELETE /v1/grants/:id endpoint.

Security Considerations

  • Short-lived tokens — Session tokens default to 1 hour. Use the shortest duration practical for your use case.
  • Scoped access — Session tokens are bound to a specific principal+developer pair. A user cannot see or revoke another user’s grants, and cannot see grants from other developers.
  • Purpose claim — Session JWTs include a purpose: "principal_dashboard" claim that prevents grant tokens from being reused as session tokens (and vice versa).
  • No API key exposure — End-users never see or need the developer’s API key.
  • HTTPS only — Always serve dashboard URLs over HTTPS in production.

API Endpoints

The permission dashboard uses these endpoints under the hood:
Last modified on April 14, 2026