Version: 1.0 | Status: Final | Last updated: February 2026 (rev 3)The specification is frozen. Changes require a new version.
Abstract
Grantex defines an open protocol for delegated authorization of AI agents acting on behalf of human users. It specifies: cryptographic agent identity, a human-consent-based grant flow, a signed token format, a revocation model, an append-only audit trail schema, a policy engine for automated authorization decisions, enterprise identity federation, and anomaly detection for runtime behavioral monitoring.1. Motivation
AI agents increasingly take autonomous actions — submitting forms, initiating payments, sending communications — on behalf of humans across third-party services. No interoperable standard exists for:- Verifying that an agent is who it claims to be
- Confirming that a specific human authorized a specific agent to perform a specific action
- Revoking that authorization in real time
- Producing a tamper-proof record of what the agent did
2. Definitions
3. Agent Identity
3.1 DID Format
Every Agent registered with a Grantex-compatible Identity Service receives a DID:<agent_id> is a ULID (Universally Unique Lexicographically Sortable Identifier).
3.2 Identity Document
The DID resolves to an identity document containing:3.3 Key Management
- Identity Services MUST use RS256 (RSA + SHA-256) for signing
- Private keys MUST never leave the Identity Service
- Public keys MUST be published at
/.well-known/jwks.json - Key rotation MUST be supported without changing the DID
4. Scopes
4.1 Format
4.2 Standard Scope Registry
4.3 Custom Scopes
Services MAY define custom scopes using reverse-domain notation:4.4 Scope Governance
Grantex maintains the canonical scope registry in §4.2 as normative. Implementations MUST support all standard scopes. Custom scopes MUST use reverse-domain notation.4.5 Scope Display
Identity Services MUST maintain a human-readable description for each scope. Consent UIs MUST display human-readable descriptions, never raw scope strings.5. Grant Flow
5.1 Overview
5.2 Authorization Request
5.3 Token Exchange
6. Grant Token Format
6.1 Header
6.2 Payload
6.3 Custom Claims
6.4 Validation Rules
Services receiving a Grant Token MUST verify:- Signature using the JWKS at
iss/.well-known/jwks.json exphas not passedaudmatches the service’s identifier (if set)scpcontains the required scopes for the requested operation- (Online verification only) Token has not been revoked
7. Revocation
7.1 Revoke a Grant
7.2 Revoke a Specific Token
7.3 Online Revocation Check
7.4 Token Lifetime Guidance
Implementations caching revocation state MUST NOT cache for longer than 5 minutes.
8. Audit Trail
8.1 Log Entry Schema
8.2 Hash Chain
Each entry’shash is SHA-256(canonical_json(entry) + prevHash). This makes any retrospective tampering detectable.
9. Multi-Agent Authorization
Sub-agent tokens carry delegation claims:- Sub-agent scopes MUST be a subset of the parent’s scopes
delegationDepthis incremented at each hop- Hard cap of 10 delegation hops
- Revoking a root grant cascades to all descendants atomically
10. Self-Hosting Endpoints
Core Endpoints (Required)
Optional Extensions
Policy Engine, Webhooks, SCIM 2.0, SSO (OIDC), Anomaly Detection, Compliance, and Billing endpoints are optional extensions. See the full specification for details.11. Policy Engine
Evaluates rules against each authorization request before consent UI. Deny rules are evaluated first — the first matchingauto_deny wins. Then allow rules. If no rule matches, consent UI is shown.
12. Enterprise Identity (SCIM & SSO)
SCIM 2.0 user provisioning from enterprise IdPs (Okta, Azure AD). SSO via OIDC withstate and nonce validation.
13. Anomaly Detection
Advisory-only runtime monitoring. Anomaly types:unusual_scope_access, high_frequency, off_hours_activity, new_principal, cascade_delegation.
14. Security Considerations
- Tokens MUST be signed with RS256. HS256 and
alg: noneMUST be rejected. - Token replay MUST be detectable via
jtitracking. - Consent UIs MUST validate
stateto prevent CSRF. - Redirect URIs MUST be pre-registered and exactly matched.
- Audit logs MUST be append-only (no update or delete endpoints).
- SCIM endpoints MUST use dedicated bearer tokens, separate from API keys.
- SSO callbacks MUST validate
stateandnonce. - Policy engine MUST evaluate deny before allow.
- Anomaly detection MUST NOT block token issuance.
The full specification is maintained at github.com/mishrasanjeev/grantex/blob/main/SPEC.md and is licensed under Apache 2.0.