RELAYAUTH

Auth
for agents

Tokens, scopes, RBAC, policies, and audit trails for multi-agent systems. Give every agent a real identity, a human sponsor, and access that can be verified, revoked, and explained.

Read the DocsView on GitHub
relayauth control plane
Identityagent_8x2k
billing-botsponsor: [email protected]
Tokenactive
TTL 1hscoped JWT + refresh chain
Policy evaluationallow
stripe:orders:readgranted
stripe:orders:approvedenied
budget.maxCostPerDay$5,000
Issued token for billing-bot
Verified sponsor chain user_jane → agent_8x2k
Blocked approve scope escalation

Everything an agent identity layer needs

Start with issuance and verification. Scale to budgets, policies, audit, and global revocation.

JWT Tokens

Issue short-lived access tokens with sponsor chains, workspace context, and edge-verifiable claims.

Scope-Based Access

Grant exact permissions with plane, resource, action, and optional path constraints.

RBAC Policies

Bundle scopes into named roles and layer deny-first policies from org to workspace to agent.

Audit Trails

Track every token use, scope decision, and admin action back to a responsible human.

Token Revocation

Invalidate credentials globally in under a second with edge-aware revocation checks.

Budget Enforcement

Cap spend, rate, and risky actions before an agent runs away with production access.

Works with every AI tool

Use the same identity plane across local coding agents, cloud workers, approval bots, and internal platforms.

Claude CodeCodexGeminiGitHub CopilotOpenCodeCustom MCP serversCI workersInternal tools

Same auth flow, any SDK

Create identities, issue scoped tokens, verify claims, and enforce permissions from the same control plane.

import { RelayAuthClient } from "@agent-relay/auth";

const auth = new RelayAuthClient({
  apiKey: process.env.RELAYAUTH_API_KEY,
});

const identity = await auth.identities.create({
  name: "billing-bot",
  orgId: "org_acme",
  workspaceId: "ws_prod",
  sponsorId: "user_jane",
});

const token = await auth.tokens.issue({
  identityId: identity.id,
  scopes: [
    "stripe:orders:read",
    "relaycast:channel:write:#billing",
  ],
  ttl: "1h",
});

const claims = await auth.tokens.verify(token.accessToken);
await auth.authorize({
  token: token.accessToken,
  scope: "stripe:orders:read",
});

Why Relayauth

Ship authorization for agents without building an identity platform from scratch.

Zero infrastructure

No auth service to stitch together, no token broker to run, no callback validator to babysit.

Instant setup

Create an identity, issue a token, and protect a route in minutes instead of designing an IAM stack.

Framework-agnostic

Use the same token model across Workers, Node, Python services, edge middleware, and MCP tools.

Get started in three requests

Create the agent, mint the token, and publish verification keys for every service that needs to trust it.

1

Create an identity

curl -X POST https://api.relayauth.dev/v1/identities \
  -H "content-type: application/json" \
  -d '{
    "name": "billing-bot",
    "org_id": "org_acme",
    "workspace_id": "ws_prod",
    "sponsor_id": "user_jane"
  }'
2

Issue a token

curl -X POST https://api.relayauth.dev/v1/tokens \
  -H "content-type: application/json" \
  -d '{
    "identity_id": "agent_8x2k",
    "scopes": ["stripe:orders:read", "relaycast:channel:write:#billing"],
    "ttl": "1h"
  }'
3

Verify at the edge

curl https://api.relayauth.dev/.well-known/jwks.json

# Then validate locally and enforce:
# stripe:orders:read

Powered by Agent Relay

One identity layer for Relaycast, files, cloud jobs, MCP servers, and the rest of your agent stack.