Agent Identity
Every agent gets a persistent identity with a clear owner and platform tag. Short-lived, per-task credentials replace long-lived secrets — shrinking exposure windows to minutes.
Short-lived credentials. Blended agent + user identity.
Cross-cloud policy enforcement. One control plane.
// Your agent checks in before every sensitive action.
// agentSecret is the secret issued when the agent record was created.
const response = await fetch('https://api.agentiam.ai/v1/authorize', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${agentSecret}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    agent_id: 'agt_123',
    action: 'calendar.events.create',
    resource: 'calendar:primary',
  }),
});
const result = await response.json();
// ← AgentIAM responds in milliseconds; result is:
// {
//   decision: "allow",
//   reason: "Matched allow rule #2",
//   decision_id: "dec_789",
//   policy_version: 1
// }
How it works
Create an agent record in AgentIAM. Receive an agent_id and a one-time secret. No re-platforming — your agent stays exactly where it is.
Write allow/deny rules for every action your agent may attempt. Rules apply immediately — no restarts, no redeployments needed.
Before each sensitive action, your agent calls POST /v1/authorize. AgentIAM returns allow or deny in milliseconds with a traceable decision ID.
Every decision is logged with its full context. Revoke any agent instantly — all subsequent authorization checks flip to deny immediately.
Features
Define fine-grained allow/deny rules per action and resource. Policy is evaluated on every request — changes take effect instantly.
Every authorization decision carries both the agent identity and the human who delegated to it — answering "who is this agent and on whose behalf?" in a single policy evaluation.
Click revoke and the agent's next authorization call returns deny — no waiting for session expiry, no token rotation headaches.
Every decision is appended with agent ID, delegating user, action, resource, policy version, and timestamp. SOC 2 and HIPAA-ready out of the box — including full delegation chain tracing.
One policy control plane across GCP, Azure, Salesforce, and internal tools. Built for enterprises whose agents span clouds and can't use any single provider's IAM as the source of truth.
Developer-first
Drop a single POST /v1/authorize call into any agent before a privileged action. That's the entire integration — no SDK lock-in, no heavyweight middleware.
decision_id on every response
POST /v1/authorize
# Request — agent + delegating user in one call
{
  "agent_id": "agt_123",
  "action": "calendar.events.create",
  "resource": "calendar:primary",
  "principal": { "user_id": "usr_456", "email": "alice@acme.com" },
  "context": { "request_id": "req_001", "cloud": "gcp" }
}
# Response
{
  "decision": "allow",
  "reason": "Matched allow rule #2",
  "decision_id": "dec_789",
  "policy_version": 1,
  "principal": "usr_456"
}
PUT /v1/agents/agt_123/policy
{
  "version": 1,
  "rules": [
    {
      "effect": "allow",
      "action": "calendar.events.read",
      "resource": "calendar:primary"
    },
    {
      "effect": "allow",
      "action": "calendar.events.create",
      "resource": "calendar:primary"
    },
    {
      "effect": "deny",
      "action": "calendar.events.delete",
      "resource": "*"
    }
  ]
}
POST /v1/agents/agt_123/revoke
# Response
{
  "agent_id": "agt_123",
  "status": "revoked",
  "revoked_at": "2026-05-05T12:00:00Z"
}
# All future authorize calls now return:
{
  "decision": "deny",
  "reason": "Agent is revoked"
}
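The check-before-acting step described above, written so that it fails closed. This is an added example, not AgentIAM's own code: the endpoint and field names are the ones shown on this page, while the helper names `interpretDecision` and `guarded`, the 2-second timeout, and the rule that an allow must carry a `decision_id` and echo the requesting principal are assumptions.

```javascript
// Added example (not AgentIAM's code): fail-closed handling of POST /v1/authorize.
// Field names come from the request/response shown on this page; the function
// names, the 2 s timeout and the "deny on any doubt" rule are assumptions.
const AUTHORIZE_URL = 'https://api.agentiam.ai/v1/authorize';

// Pure check: turn an HTTP status + raw body into a decision. Anything that is
// not a well-formed "allow" bound to this request's principal is a deny.
function interpretDecision(status, bodyText, request) {
  const deny = (reason, id = null) => ({ allowed: false, reason, decisionId: id });
  if (status < 200 || status > 299) return deny(`HTTP ${status}`);
  let body;
  try { body = JSON.parse(bodyText); } catch { return deny('unparseable response'); }
  if (body === null || typeof body !== 'object') return deny('unexpected response shape');
  const id = typeof body.decision_id === 'string' ? body.decision_id : null;
  if (body.decision !== 'allow') return deny(body.reason || 'not allowed', id);
  if (!id) return deny('allow without decision_id'); // nothing to correlate in the audit log
  const wanted = request.principal && request.principal.user_id;
  if (wanted && body.principal !== wanted) return deny('principal mismatch', id);
  return { allowed: true, reason: body.reason || '', decisionId: id };
}

// Guard: run `sensitiveAction` only after an allow. Network errors and timeouts
// are treated as deny, so an unreachable control plane never widens access.
async function guarded(agentSecret, request, sensitiveAction, fetchImpl = fetch) {
  let verdict;
  try {
    const res = await fetchImpl(AUTHORIZE_URL, {
      method: 'POST',
      headers: { Authorization: `Bearer ${agentSecret}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(request),
      signal: AbortSignal.timeout(2000),
    });
    verdict = interpretDecision(res.status, await res.text(), request);
  } catch (err) {
    verdict = { allowed: false, reason: `authorize call failed: ${err.name}`, decisionId: null };
  }
  if (!verdict.allowed) {
    const id = verdict.decisionId ?? 'no decision_id';
    throw new Error(`denied ${request.action}: ${verdict.reason} (${id})`);
  }
  return { decisionId: verdict.decisionId, result: await sensitiveAction() };
}
```

Log the returned `decisionId` next to the action's own record so the agent-side trail can be joined to the decision log.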
Get started
We're looking for platform and security teams at enterprises whose agents span GCP, Azure, Salesforce, and internal tools — and need a single governance layer that none of those vendors can provide alone.