v0.1.0 · Now Shipping · Open Source · Self-hosted

Auth for the Agent Era.
Your agents know tools and keys. Shark knows scopes and revocations.

One ~29 MB Go binary with embedded SQLite. OAuth 2.1, OIDC, RFC 8693 Token Exchange, and DPoP — all zero-config.
Deploy anywhere, from cloud to air-gapped edge.

OAuth 2.1 · OpenID Connect · RFC 8693 Token Exchange · RFC 9449 DPoP · MIT
Agent-auth comparison

Built for the world that actually exists in 2026.

Identity vendors were built for users clicking buttons. SharkAuth was built for agents calling agents calling APIs — with the same RFC-grade rigor.

Some competitors support adjacent pieces — token exchange, token vaults, or machine identities. SharkAuth is the only system where agent delegation is the core model.

Feature comparison. Columns: SharkAuth · Auth0 · Clerk · Keycloak · Ory Hydra · Authelia · Zitadel · Authentik

Agent Era (7)
Agent as first-class identity
RFC 8693 Token Exchange (full) · Partial · Partial · Partial · Partial
Act / actor chain (depth ≥ 4)
may_act_grants & granular policy
RFC 9449 DPoP key binding · Partial
Cascade revocation (< 12 ms)
Audit indexed by grant_id · Partial · Partial · Partial · Partial · Partial · Partial

Standard Auth (6)
Passkeys / FIDO2 · Partial
Magic links · Partial
MFA / TOTP · Partial
Enterprise SSO (SAML 2.0, OIDC) · Partial
Multi-tenant organizations · Partial
Wildcard RBAC · Partial · Partial

Platform (2)
HMAC-signed webhooks · Partial · Partial
Zero-config admin UI · Partial

Deployment (4)
Single binary, zero deps
Self-hostable & open-source
Runs on a $5 VPS · Partial · Partial
Air-gapped / no outbound calls

Pricing (2)
Free tier self-host limit: SharkAuth Unlimited · Auth0 25K MAU · Clerk 50K MRU · Keycloak Unlimited · Ory Hydra Unlimited · Authelia Unlimited · Zitadel Unlimited · Authentik Unlimited
First paid tier: SharkAuth $49/mo (Cloud) · Auth0 $35/mo (B2C) · Clerk $20/mo (Pro) · Keycloak Free · Ory Hydra Free · Authelia Free · Zitadel Free · Authentik Free

Ecosystem (Shark gaps) (11)
Native iOS / Android SDKs
LDAP / Active Directory native
SCIM user provisioning · Partial
Push notification MFA · Partial · Partial
Breach / leaked password detection
GeoIP & impossible-travel alerts · Partial
FIPS 140-2 / compliance certs · Partial
Global multi-region managed cloud
Terraform / Pulumi provider · Partial
SIEM connectors (Splunk, Datadog) · Partial
Custom claims scripting engine · Partial · Partial

We don't have everything yet. SharkAuth v0.1.0 is a focused auth server for agents. We intentionally skipped enterprise baggage (LDAP, SCIM, FIPS, native mobile SDKs) to ship RFC-grade agent primitives first. If you need Active Directory federation or Splunk connectors today, Keycloak or Auth0 is the safer choice. If you need self-hosted agent delegation chains with RFC-native token exchange, DPoP binding, grant_id audit, and cascade revocation in one binary, SharkAuth is purpose-built for that.

Comparison based on publicly documented product capabilities as of April 2026.
Benchmarks
Independent performance numbers are coming soon.
Token issuance p99, introspection latency, revocation propagation, and memory footprint vs. Keycloak and Ory Hydra.
60-second quickstart

Simple ops.

No Postgres. No Helm chart. No identity vendor SDK with 18 transitive dependencies. One binary, one SQLite file, zero excuses.
~/acme · zsh
shark ❯ shark serve

  ▄▄▄▄▄                             
 ██▀▀▀▀█▄ █▄                          
 ▀██▄  ▄▀ ██          ▄     ▄▄      
   ▀██▄▄  ████▄ ▄▀▀█▄ ████▄ ██ ▄█▀  
 ▄   ▀██▄ ██ ██ ▄█▀██ ██    ████    
 ▀██████▀▄██ ██▄▀█▄██▄█▀   ▄██ ▀█▄  
                                    
                                                                                                       
SharkAuth — Open Source Auth for Agents and Humans
Binary: 29 MB · Version: 0.1.0
Docs:   https://sharkauth.com/docs
Repo:   https://github.com/shark-auth/shark
13:17:42 INFO  database schema up to date
13:17:42 INFO  email: provider=dev — using in-db dev inbox for capture
13:17:42 INFO  oauth: loaded existing ES256 signing key  kid=uLHp-sa54BeWehkO

  Dashboard   http://localhost:8080/admin

13:17:42 INFO  SharkAuth starting  addr=:8080  dev_mode=false
13:17:42 INFO  admin dashboard  url=http://localhost:8080/admin
13:17:42 INFO  health check  url=http://localhost:8080/healthz
STEP 01
Drop the binary
Single Go binary, ~29 MB. macOS, Linux, ARM. No runtime, no daemon.
STEP 02
Configure once
Environment variables or the admin API. Issuers, clients, may_act_grants.
STEP 03
Mint agent tokens
OAuth 2.1, OIDC, Token Exchange, DPoP. Audit by grant_id. Done.
What makes it different

Six primitives legacy auth stacks were not designed around.

may_act_grants

Authorization that knows who you are and who you brought.

Express delegation policy as structured data. Scope every grant by action, resource, and expiry. Revoke or expire automatically when conditions change.

spec: act / actor / may_act
RFC 9449 DPoP

Tokens bound to keys, not bearers.

Every access token is cryptographically bound to the agent's private key via RFC 9449 DPoP. A stolen token is useless without the key. Replay-resistant by design.

replay-resistant by default
Full act chain

Provable provenance across every agent hop.

Preserve the complete delegation chain across every agent hop. Surface full provenance in token introspection. Eliminate 'the agent did it' dead ends.

chain depth observed: up to 7
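
An added example, not SharkAuth's code or API: one delegation hop modelled with the RFC 8693 may_act and act claims that the may_act_grants and act-chain descriptions above build on. The Exchange and Chain names, the next policy argument, the depth limit and the sample token are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Actor is the RFC 8693 "act"/"may_act" object; a nested Act is the prior actor.
type Actor struct {
	Sub string `json:"sub"`
	Act *Actor `json:"act,omitempty"`
}
type Claims struct {
	Sub    string `json:"sub"`
	Act    *Actor `json:"act,omitempty"`
	MayAct *Actor `json:"may_act,omitempty"`
}

// Exchange models one hop: the subject token must name actorSub in may_act, and the
// issued token nests the earlier chain. next is a hypothetical policy input (may be nil).
func Exchange(subjectToken []byte, actorSub string, next *Actor, maxDepth int) ([]byte, error) {
	var in Claims
	if err := json.Unmarshal(subjectToken, &in); err != nil {
		return nil, err
	}
	if in.MayAct == nil || in.MayAct.Sub != actorSub {
		return nil, fmt.Errorf("%q is not named in may_act for %q", actorSub, in.Sub)
	}
	out := Claims{Sub: in.Sub, Act: &Actor{Sub: actorSub, Act: in.Act}, MayAct: next}
	if len(Chain(out)) > maxDepth {
		return nil, fmt.Errorf("delegation chain deeper than %d", maxDepth)
	}
	return json.Marshal(out)
}

// Chain lists actors from the current one (outermost act) to the first (innermost).
func Chain(c Claims) []string {
	var chain []string
	for a := c.Act; a != nil; a = a.Act {
		chain = append(chain, a.Sub)
	}
	return chain
}

func main() {
	hop1, _ := Exchange([]byte(`{"sub":"alice","may_act":{"sub":"orchestrator"}}`), "orchestrator", &Actor{Sub: "fetcher"}, 4) // constructed token
	hop2, err := Exchange(hop1, "fetcher", nil, 4)
	fmt.Println(string(hop2), err)
}
```

Under RFC 8693 only the top-level claims and the current (outermost) actor feed access-control decisions; the nested actors are a history trail for audit.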
Cascade revocation

Pull one thread, the whole graph unravels.

Revoke any grant and every downstream token invalidates automatically. Indexed by grant_id and propagated through introspection in under 12 ms p99.

p99 propagation < 12 ms
~29 MB binary

One binary. Zero dependencies. Anywhere.

Static Go binary with embedded SQLite WAL. Run it next to your app, in a container, on a corporate VM, or an air-gapped edge. Or drop it on a $5 VPS. Backup is a single file copy.

cold start: 38 ms
Audit by grant_id

Every action attributable by grant_id.

Structured JSON audit logs, indexed by grant_id, subject, actor, and grant. Stream directly to your SIEM via events websocket. Compliance-ready out of the box.

append-only · hash-chained
Pricing

Self-host is the product.
Cloud is a convenience.

Self-Host (Recommended)
$0 forever

The complete engine. MIT licensed. Unlimited MAI, unlimited depth, unlimited vaults. No telemetry, no vendor lock-in, no "free until we change our mind."

Binary size: ~29 MB
License: MIT
Protocols: OAuth 2.1 · OIDC
Token exchange: RFC 8693
Key binding: RFC 9449 DPoP
Database: SQLite WAL
MAI limit: Unlimited
Act chain depth: Unlimited
Vaults: Unlimited
Support: Community / GitHub
Shark Cloud

Managed infrastructure for teams that prefer not to run their own issuer. Same binary, same spec compliance, zero ops. Pricing scales by MAI — Monthly Active Identities.

Cloud Free
20K MAI · 3 vault connections · 7-day audit
$0/mo
Cloud Pro
50K MAI · 10 vault connections · 30-day audit
$49/mo
Cloud Team
200K MAI · 25 vault connections · 90-day audit
$199/mo
Enterprise
Unlimited · SLA · from $25K/yr
Custom
Engineering Journal · /blogs

Building in the open.
Technical deep dives from the team building the future of agent auth.

Use cases

The shape of agent infrastructure people are actually shipping.

01
Personal AI assistant with real keys to your kingdom.

Your assistant reads your inbox because you said it could — bound to one DPoP key, scoped to one label, expiring at 5pm.

02
Multi-agent orchestrator with provable provenance.

Orchestrator fans out to a fetcher, a summarizer, a writer. Each link in the chain is signed, scoped, and revocable independently.

03
Embedded auth for OSS SaaS.

Drop the binary next to your app. Get OAuth 2.1, OIDC, SCIM, and an admin UI without a vendor on the critical path.

04
Internal platforms that need real audit.

Every agent action attributable to a human, indexed by grant_id, hash-chained, replayable into your SIEM.

05
Edge & air-gapped deployments.

A 29 MB binary on a $5 VPS, talking to a SQLite file. No outbound calls. No phone-home. No "free until we change our mind."

06
Compliance teams who have seen too much.

MIT, hash-chained audit, deterministic config. No hidden state. Auditors get receipts. You get to sleep.

Read the source.
Verify the binary. Ship with confidence.

$ go install github.com/shark-auth/shark@latest
sha256: 4f5a 8b21 19e6 … · v0.1.0 · MIT