Skip to main content

Migrating from API Keys + Manual Audit

If your agents currently authenticate with static API keys and you log actions manually, Grantex gives you verifiable permissions, automatic audit trails, and user-controlled revocation.

What stays the same

  • Your upstream APIs (Google Calendar, Slack, Stripe, etc.) — agents still call them
  • Your users — they keep their accounts and data
  • Your agent logic — business logic doesn’t change

What changes

  • Auth layer: Static API keys are replaced with scoped, time-bound grant tokens
  • Audit: Manual logging is replaced with tamper-evident, hash-chained audit entries
  • Revocation: Instead of rotating API keys, users revoke grants through a dashboard

Step-by-step

1

Register as a developer

Sign up at the Grantex portal or use the SDK:
2

Register your agent

3

Replace API key auth with grant tokens

Before (API key):
After (Grantex):
4

Add token verification to your API

Use the Express middleware or verify manually:
5

Enable audit logging

Log actions automatically through the SDK:

Migrating from Raw OAuth 2.0

If you already use OAuth 2.0 for agent authorization, Grantex extends the model with agent-aware grants, delegation, and built-in audit.

What stays the same

  • Your identity provider (Okta, Auth0, Google) — keep using it for user login
  • Your users and their accounts
  • The general authorize → consent → token flow pattern

What changes

  • Token format: Opaque access tokens become Grantex JWTs with agent, principal, and scope claims
  • Delegation: OAuth has no standard sub-delegation — Grantex tracks the full chain
  • Audit: No more bolting on audit logging — it’s built into the protocol
  • Revocation: Grant-level revocation cascades to all tokens (not just individual token revocation)

Step-by-step

1

Keep your OAuth login flow

Continue using OIDC for user authentication. Map the authenticated user to a Grantex principalId.
2

Replace OAuth token issuance with Grantex authorization

Before (OAuth):
After (Grantex):
3

Replace token introspection with local JWKS verification

Before (OAuth introspection):
After (Grantex signature-and-claim verification):
4

Add delegation support (optional)

If your agents delegate to sub-agents:
5

Enable the permissions dashboard

Give users self-service grant management:

Further Reading

Last modified on July 11, 2026