Skip to main content
Version: 1.0 | Status: Final | Last updated: February 2026 (rev 3)The specification is frozen. Changes require a new version.

Abstract

Grantex defines an open protocol for delegated authorization of AI agents acting on behalf of human users. It specifies: cryptographic agent identity, a human-consent-based grant flow, a signed token format, a revocation model, an append-only audit trail schema, a policy engine for automated authorization decisions, enterprise identity federation, and anomaly detection for runtime behavioral monitoring.

1. Motivation

AI agents increasingly take autonomous actions — submitting forms, initiating payments, sending communications — on behalf of humans across third-party services. No interoperable standard exists for:
  1. Verifying that an agent is who it claims to be
  2. Confirming that a specific human authorized a specific agent to perform a specific action
  3. Revoking that authorization in real time
  4. Producing a tamper-proof record of what the agent did
Grantex fills this gap as an open, model-neutral, framework-agnostic protocol.

2. Definitions

3. Agent Identity

3.1 DID Format

Every Agent registered with a Grantex-compatible Identity Service receives a DID:
Where <agent_id> is a ULID (Universally Unique Lexicographically Sortable Identifier).

3.2 Identity Document

The DID resolves to an identity document containing:

3.3 Key Management

  • Identity Services MUST use RS256 (RSA + SHA-256) for signing
  • Private keys MUST never leave the Identity Service
  • Public keys MUST be published at /.well-known/jwks.json
  • Key rotation MUST be supported without changing the DID

4. Scopes

4.1 Format

4.2 Standard Scope Registry

4.3 Custom Scopes

Services MAY define custom scopes using reverse-domain notation:

4.4 Scope Governance

Grantex maintains the canonical scope registry in §4.2 as normative. Implementations MUST support all standard scopes. Custom scopes MUST use reverse-domain notation.

4.5 Scope Display

Identity Services MUST maintain a human-readable description for each scope. Consent UIs MUST display human-readable descriptions, never raw scope strings.

5. Grant Flow

5.1 Overview

5.2 Authorization Request

5.3 Token Exchange

6. Grant Token Format

6.1 Header

6.2 Payload

6.3 Custom Claims

6.4 Validation Rules

Services receiving a Grant Token MUST verify:
  1. Signature using the JWKS at iss/.well-known/jwks.json
  2. exp has not passed
  3. aud matches the service’s identifier (if set)
  4. scp contains the required scopes for the requested operation
  5. (Online verification only) Token has not been revoked

7. Revocation

7.1 Revoke a Grant

Effect: all active tokens under this Grant are immediately invalidated.

7.2 Revoke a Specific Token

7.3 Online Revocation Check

7.4 Token Lifetime Guidance

Implementations caching revocation state MUST NOT cache for longer than 5 minutes.

8. Audit Trail

8.1 Log Entry Schema

8.2 Hash Chain

Each entry’s hash is SHA-256(canonical_json(entry) + prevHash). This makes any retrospective tampering detectable.

9. Multi-Agent Authorization

Sub-agent tokens carry delegation claims:
Rules:
  • Sub-agent scopes MUST be a subset of the parent’s scopes
  • delegationDepth is incremented at each hop
  • Hard cap of 10 delegation hops
  • Revoking a root grant cascades to all descendants atomically

10. Self-Hosting Endpoints

Core Endpoints (Required)

Optional Extensions

Policy Engine, Webhooks, SCIM 2.0, SSO (OIDC), Anomaly Detection, Compliance, and Billing endpoints are optional extensions. See the full specification for details.

11. Policy Engine

Evaluates rules against each authorization request before consent UI. Deny rules are evaluated first — the first matching auto_deny wins. Then allow rules. If no rule matches, consent UI is shown.

12. Enterprise Identity (SCIM & SSO)

SCIM 2.0 user provisioning from enterprise IdPs (Okta, Azure AD). SSO via OIDC with state and nonce validation.

13. Anomaly Detection

Advisory-only runtime monitoring. Anomaly types: unusual_scope_access, high_frequency, off_hours_activity, new_principal, cascade_delegation.

14. Security Considerations

  • Tokens MUST be signed with RS256. HS256 and alg: none MUST be rejected.
  • Token replay MUST be detectable via jti tracking.
  • Consent UIs MUST validate state to prevent CSRF.
  • Redirect URIs MUST be pre-registered and exactly matched.
  • Audit logs MUST be append-only (no update or delete endpoints).
  • SCIM endpoints MUST use dedicated bearer tokens, separate from API keys.
  • SSO callbacks MUST validate state and nonce.
  • Policy engine MUST evaluate deny before allow.
  • Anomaly detection MUST NOT block token issuance.

The full specification is maintained at github.com/mishrasanjeev/grantex/blob/main/SPEC.md and is licensed under Apache 2.0.
Last modified on February 28, 2026