What is may_act_grants and how does delegation work?

SharkAuth expresses delegation policy as structured data. Every grant is scoped to specific actions, resources, and time windows, and can be revoked or expired automatically when conditions change.

How does DPoP protect against token theft?

Every access token is cryptographically bound to the agent's private key via RFC 9449 DPoP. A stolen token is useless without the key, making replay attacks impossible by design.

What is act chain depth and why does it matter?

SharkAuth preserves the complete delegation chain across every agent hop. When agent A delegates to B who calls API C, the full provenance is surfaced in token introspection, eliminating 'the agent did it' dead ends.

How fast is cascade revocation?

Revoke any grant and every downstream token invalidates automatically. The change is indexed by grant_id and propagated through introspection in under 12 ms p99.

Can SharkAuth run offline or on edge devices?

Yes. It ships as a single static Go binary with embedded SQLite WAL. Deploy it next to your app, in a container, on a corporate VM, or an air-gapped edge. Or drop it on a $5 VPS. Backup is a single file copy.

What audit capabilities does SharkAuth provide?

Structured JSON audit logs, indexed by grant_id, subject, actor, and grant. Stream directly to your SIEM via events websocket. Compliance-ready out of the box.

SharkAuth v0.1.0: Auth for the Agent Era

Today we are shipping SharkAuth v0.1.0 — the open-source identity platform built for AI agents.

Why we built it

Auth was designed for humans clicking login buttons. Your agents need something better.

When an AI agent delegates to a sub-agent, the trust chain breaks. Bearer tokens leak. Revocation becomes a mess. Auditors ask "which agent did what?" and you have no answer.

SharkAuth fixes this. It treats agents as first-class identities with native delegation, cryptographically bound tokens, and a unified audit trail that tracks every hop from user to resource.

What you get

| Feature | Status | |--------|--------| | OAuth 2.1 | ✅ | | OpenID Connect | ✅ | | RFC 8693 Token Exchange | ✅ | | RFC 9449 DPoP (default) | ✅ | | Agent delegation chains | ✅ | | Cascade revocation (< 12 ms p99) | ✅ | | may_act_grants | ✅ | | Passkeys (FIDO2) | ✅ | | Magic Links | ✅ | | MFA (TOTP) | ✅ | | Enterprise SSO (SAML 2.0, OIDC) | ✅ | | Zero-Code Auth Proxy | ✅ | | HMAC-signed Webhooks | ✅ | | grant_id-indexed Audit Logs | ✅ |

Install in 10 seconds

bash

curl -fsSL sharkauth.com/get | sh
shark serve

That is it. No Docker. No Postgres. No Redis. No Helm charts. One binary, one command.

What is coming

Visual Flow Builder
Shark Cloud (managed infrastructure)
Postgres Mode (optional external DB)
Shark Email (built-in delivery)

Get involved

GitHub: github.com/shark-auth/shark
Discord: discord.gg/sharkauth
Docs: sharkauth.com/docs

MIT licensed. No telemetry. No vendor lock-in.