Skip to content

Kanoniv Auth

Kanoniv Auth replaces API keys with cryptographic delegation tokens. Three functions make up the entire API: delegate() issues scoped, time-bounded authority. verify() checks it offline. sign() proves what happened. Everything else - Claude Code skills, MCP proxies, CI/CD actions, git hooks - is built on these three primitives.

Ed25519 keypairs generate did:agent: identifiers on the spot. No registry, no server. Delegation tokens use macaroon-style attenuation - caveats can only narrow authority, never widen it. Verification walks the full chain offline, checking every signature and every caveat. Nothing phones home.

The Core API

python
from kanoniv_auth import delegate, verify, sign

# Issue scoped authority
token = delegate(scopes=["deploy.staging", "test.run"], ttl="4h", name="ci-agent")

# Check authorization (offline - no server calls)
verify(action="deploy.staging", token=token)  # ok
verify(action="deploy.prod", token=token)     # raises ScopeViolation

# Prove what happened
envelope = sign(action="deploy.staging", token=token, target="app-v2.3.1")
rust
use kanoniv_agent_auth::{AgentKeyPair, Delegation, Caveat, Invocation, verify_invocation};

let root = AgentKeyPair::generate();
let agent = AgentKeyPair::generate();

let delegation = Delegation::create_root(&root, &agent.identity().did, vec![
    Caveat::ActionScope(vec!["deploy.staging".into()]),
    Caveat::ExpiresAt("2026-04-01T00:00:00Z".into()),
]).unwrap();

let invocation = Invocation::create(
    &agent, "deploy.staging", serde_json::json!({"target": "app-v2"}), delegation
).unwrap();

verify_invocation(&invocation, &agent.identity(), &root.identity()).unwrap();
typescript
import { generateKeyPair, createRootDelegation, createInvocation, verifyInvocation } from "@kanoniv/agent-auth";

const root = generateKeyPair();
const agent = generateKeyPair();

const delegation = createRootDelegation(root, agent.identity.did, [
  { type: "action_scope", value: ["deploy.staging"] },
  { type: "expires_at", value: "2026-04-01T00:00:00Z" },
]);

const invocation = createInvocation(agent, "deploy.staging", { target: "app-v2" }, delegation);
verifyInvocation(invocation, agent.identity, root.identity);

Three functions. The rest of this page covers the seven surfaces where those functions run.

Seven Integration Surfaces

The same delegation tokens work across every surface. Pick the integration points that match your stack.

SurfaceWhat it doesInstall
Python SDKCore library. delegate, verify, sign.pip install kanoniv-auth
Rust CrateNative performance. Same API.cargo add kanoniv-agent-auth
TypeScript SDKBrowser and Node.js.npm install @kanoniv/agent-auth
Claude Code Skills5 skills with PreToolUse enforcement.kanoniv-auth install-skill
wrap-mcpAuth proxy for any MCP server.kanoniv-auth wrap-mcp --mode strict -- <cmd>
GitHub ActionCI/CD delegation with OIDC support.uses: kanoniv/auth-action@v1
Git HookPre-push scope enforcement.kanoniv-auth install-hook

Claude Code Skills

Five slash commands give Claude Code agents scoped, time-bounded authority with full audit logging.

SkillPurpose
/delegateIssue a delegation token with scopes and TTL
/scopeShow current active scopes
/ttlShow time remaining on the active delegation
/statusCheck delegation status, agent identity, and active constraints
/auditView the local audit trail

How enforcement works. PreToolUse hooks intercept every tool call (Bash, Edit, Write) before execution. The hook maps the operation to a scope string, then verifies the active delegation token against that scope. If the scope is not granted, the tool call is blocked. PostToolUse hooks log every action - allowed or denied - to ~/.kanoniv/audit.log.

Example:

bash
/delegate --scope code.edit,test.run --ttl 2h --name my-agent

Scope mapping:

OperationScope
git push origin maingit.push.{repo}.main
git commitgit.commit.{repo}
File editscode.edit
Test runstest.run
File readsAlways allowed

INFO

File reads are always allowed regardless of delegation scope. Reads do not mutate state.

wrap-mcp

wrap-mcp sits between Claude Code and any MCP server. It intercepts JSON-RPC tool calls and verifies delegation tokens before forwarding them to the downstream server.

bash
kanoniv-auth wrap-mcp --mode strict --root-key ~/.kanoniv/root.key -- npx my-mcp-server

Three modes control enforcement behavior:

ModeBehavior
strictNo valid token = reject with JSON-RPC error
warnNo valid token = log warning, forward anyway
auditLog everything, verify nothing

Verification priority:

  1. _proof field in tool arguments - cryptographic MCP proof embedded in the call
  2. Session token file at ~/.kanoniv/session-token - set by /delegate or kanoniv-auth delegate
  3. Reject, warn, or pass through based on mode

WARNING

In strict mode, every tool call without a valid proof or session token returns a JSON-RPC error. Make sure the agent has an active delegation before starting work.

GitHub Action

Add delegation and audit to any CI/CD pipeline.

yaml
- uses: kanoniv/auth-action@v1
  with:
    oidc: true
    api_key: ${{ secrets.KANONIV_API_KEY }}
    scopes: deploy.staging,test.run
    ttl: 4h
    post_audit: true

Inputs:

InputRequiredDefaultDescription
oidcNofalseUse GitHub OIDC for identity instead of a static key
api_keyYes-Kanoniv Auth API key
scopesYes-Comma-separated scope list
ttlNo1hDelegation time-to-live
post_auditNofalseUpload audit log as job artifact on completion

Outputs:

OutputDescription
tokenThe delegation token (use in subsequent steps)
didThe agent DID for this workflow run
expires_atRFC 3339 expiry timestamp

Delegation Model

Authority flows through signed delegation chains. Each delegation is a cryptographic statement: "I (issuer) authorize you (delegate) to perform actions X, subject to constraints Y." Constraints are called caveats. Caveats can only narrow authority, never widen it.

Any token holder can sub-delegate to another agent, adding further restrictions. The chain forms a directed path from root authority to leaf agent. Verification walks the entire chain, checking every signature and every caveat at each step. Chain depth is capped at 32.

Six caveat types:

CaveatPurposeExample
ActionScopeRestrict to specific actions["resolve", "search"]
ExpiresAtToken expiry (RFC 3339)"2026-04-01T00:00:00Z"
MaxCostSpend limit per invocation5.0
ResourceGlob pattern on target resource"entity:customer:*"
ContextKey-value match on invocation context{"key": "environment", "value": "staging"}
CustomArbitrary key-value constraint{"key": "department", "value": "sales"}

Caveats accumulate through the chain. If the root grants ActionScope: [resolve, search, merge] and a middle agent adds ActionScope: [resolve], the leaf can only resolve. The intersection of all caveats at each depth determines the effective authority.

INFO

See the Delegation Quickstart for complete runnable examples of chains, sub-delegation, and caveat enforcement in all three languages.

Observatory

The hosted control plane at auth.kanoniv.com. Five capabilities:

  • Agent Registry - Agents with did:agent: identifiers, capabilities, status (online/idle/offline), and reputation scores. Register via SDK, CLI, or the UI.
  • Delegation Management - Grant, revoke, and modify scoped delegations. View active chains with full caveat details and expiry.
  • Provenance Trail - Chronological timeline of every action. Each entry shows agent name, action type, entity IDs, metadata, and ALLOWED/BLOCKED status.
  • Reputation Scoring - Deterministic scores from 0 to 100, recomputed after every provenance entry and feedback submission.
  • Enforcement Engine - Scope + caveat checking on every action recorded through the Observatory API. Blocked actions are still logged with reason codes.

Reputation signals:

SignalWeightCalculation
Activity30%log2(total_actions + 1) * 15, capped at 100
Success Rate25%successes / (successes + failures) * 100
Reward Signal20%Average feedback score (-1 to 1), normalized to 0-100
Tenure15%days_registered / 90 * 100, capped at 100
Action Diversity10%distinct_action_types / 7 * 100

WARNING

Reputation scores below 20 trigger a warning in the dashboard. This does not block actions automatically, but operators can configure delegation policies that require minimum reputation thresholds.

Plans:

PlanAgentsActions/monthDelegations
Free31005
Team2510,000100
EnterpriseUnlimitedUnlimitedUnlimited

CLI Reference

The kanoniv-auth command provides access to all operations from the terminal.

CommandPurpose
kanoniv-auth initGenerate root keypair and write to ~/.kanoniv/
kanoniv-auth delegate --scopes X --ttl 4hIssue a delegation token
kanoniv-auth verify --scope X --token TCheck authorization offline
kanoniv-auth sign --action X --token TSign an execution proof
kanoniv-auth exec --scope X -- cmdVerify scope, execute command, sign result
kanoniv-auth statusShow active delegation, scopes, and TTL
kanoniv-auth auditView local audit trail
kanoniv-auth wrap-mcp --mode M -- cmdRun MCP auth proxy
kanoniv-auth install-skillInstall Claude Code skills
kanoniv-auth install-hookInstall git pre-push hook
kanoniv-auth serveRun the delegation service

INFO

kanoniv-auth exec combines verify + execute + sign in one step. If verification fails, the command never runs. If it succeeds, the output is signed automatically.

Packages

PackageRegistryVersionLanguage
kanoniv-authPyPI0.4.0Python
kanoniv-agent-authcrates.io0.3.1Rust
@kanoniv/agent-authnpmlatestTypeScript
kanoniv/auth-actionGitHubv1YAML

All three language implementations produce byte-identical DIDs, signatures, and content hashes for the same inputs. A delegation issued in Python can be verified in Rust or TypeScript.

Next Steps

The identity and delegation layer for AI agents.