The access layer for the agent era

Auth for humans and agents.

Authentication, authorization, and audit for every principal — human or agent. Authorize the action, not just the session, and keep signed proof of all of it.

$ pip install delego
Why now

Auth was built for humans and static apps.
Agents broke the model.

Agents act on people's behalf and autonomously. Login-plus-coarse-scopes was never meant for software that takes actions — and the credential is the wrong place to catch a redirected one.

The confused deputy: a valid credential, pointed at the wrong action
Prompt injection: redirects the agent mid-task
Credential is valid: scope covers the action
delego checks the action: fingerprint ≠ what was approved → deny
// OAuth tokens carry no commitment to the original instruction.
order {amount:2400, destination:internal} → fpr c70d4ee5… approved
order {…, recipient:"attacker"} → fpr dabddc8f… deny
Three pillars

Who can act. What they can do.
Proof of everything.

AuthN

Identity for humans and agents

Human auth — sessions, OAuth/SSO, passkeys — plus agent identity, where every agent is a first-class principal with its own scoped, revocable credentials.

  • Sessions · OAuth · SSO · passkeys
  • Agents as first-class principals
  • Scoped, revocable credentials
AuthZ

Authority to act

Fine-grained, policy-based authorization down to the individual action — with constraints, intent-binding, and human approval for sensitive operations.

  • Per-action, not per-session
  • Constraints, caps & allow-lists
  • Action-bound human approval
Audit

Observability & proof

Full-stack visibility and tamper-evident proof of every access and action — who or what did what, when, and under whose authority — exportable as evidence.

  • Signed, hash-chained receipts
  • Who · what · when · whose authority
  • Export as compliance evidence
How it works

One decision point. Every action accounted for.

The agent proposes; delego decides — deterministically, with no model in the path — parks sensitive actions for a human, and signs a receipt either way.

principal (human or agent) → propose (action + instruction) → delego (policy · approval · audit) → broker (injects credential) → service (the upstream API)
needs_approval: a human approves out-of-band — bound to one exact fingerprint, used once
For humans

Sessions, SSO, and approvals that fit how people already work

Drop-in sessions, OAuth & SSO, passkeys
Approve sensitive actions from CLI, Slack, or web
See exactly what an agent did on your behalf
For agents

First-class identity with scoped, revocable, per-action authority

Every agent is its own principal, not a shared key
Authority granted per action, bound to intent
Revoke an agent's reach without touching the human's
Code-forward

Add auth, agent identity, and an audit trail in a few lines.

One small, deterministic, Apache-2.0 library. No LLM in the decision path, no credential custody — it rides your existing broker instead of replacing it.

# first match wins · fail-closed
rules:
  - name: place-order
    decision: needs_approval
    match: { method: POST, path: /orders }
    constraints:
      amount:     { field: amount, max: 5000, currency: USD }
      allow_list: { field: destination, in: [internal] }
default: deny   # anything not allowed is refused
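
The fingerprint check from the confused-deputy flow and the place-order policy above, as an added Python example; it is not delego's code or API. The dict layout, the function names and the SHA-256-over-canonical-JSON fingerprint are assumptions, so its digests will not match the ones shown on this page.

```python
import hashlib
import json

# The policy above as a dict (constructed; currency omitted, its semantics are not on the page).
POLICY = {
    "rules": [{
        "name": "place-order", "decision": "needs_approval",
        "match": {"method": "POST", "path": "/orders"},
        "constraints": {
            "amount": {"field": "amount", "max": 5000},
            "allow_list": {"field": "destination", "in": ["internal"]},
        },
    }],
    "default": "deny",
}

def fingerprint(action):
    """Assumed scheme: SHA-256 over canonical JSON of the whole action."""
    canon = json.dumps(action, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def constraints_ok(cons, body):
    amt, allow = cons["amount"], cons["allow_list"]
    value = body.get(amt["field"])
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False  # missing or non-numeric amount: fail closed
    return value <= amt["max"] and body.get(allow["field"]) in allow["in"]

def decide(action):
    """Decision phase: first matching rule wins, unmatched requests get the default."""
    for rule in POLICY["rules"]:
        m = rule["match"]
        if (action.get("method"), action.get("path")) != (m["method"], m["path"]):
            continue
        # Assumption: a constraint failure on the matching rule denies outright.
        ok = constraints_ok(rule["constraints"], action.get("body", {}))
        return rule["decision"] if ok else "deny"
    return POLICY["default"]

def execute(action, approvals):
    """Execution phase: a parked action runs only under an approval for its exact fingerprint."""
    verdict = decide(action)
    if verdict != "needs_approval":
        return verdict
    fpr = fingerprint(action)
    if fpr not in approvals:
        return "deny"  # valid credential, but not the action a human approved
    approvals.remove(fpr)  # used once
    return "allow"
```

Because the digest covers the whole action, an extra field such as recipient changes the fingerprint even though amount and destination still satisfy the constraints.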
Observability & audit

A signed receipt for every access and every action.

Who or what did what, when, and under whose authority — a tamper-evident, hash-chained ledger you can verify and export as compliance evidence.

Audit ledger · chain verified
0042 · POST /orders · execution · agent:checkout · allow
0041 · POST /orders · decision · agent:checkout · needs_approval
0040 · GET /accounts/me · execution · user:alice · allow
0039 · POST /permissions · decision · agent:research · deny
receipt · seq 0042
phase: execution
outcome: allow
fingerprint: c70d4ee5…d4ed394
intent_hash: ec949034…04af46
prev_hash: a1f0…9c2b
signature: Ed25519 ✓
No LLM in the decision path
Fail-closed by default
Ed25519-signed audit chain
Intent- & action-bound approvals
Apache-2.0, open spec
Pricing

Start free. Pay as agents act.

The firewall and the spec are open source forever. Bring the hosted control plane when you're ready.

Open source
Self-host the firewall & spec
Free
pip install delego
  • Deterministic policy engine
  • Signed, hash-chained audit
  • CLI + MCP server
  • Apache-2.0
Popular
Team
Hosted authorizer & audit
$0.00 / decision after free tier
  • Hosted PDP & approval queue
  • Slack / web approvals
  • Dashboard & exports
  • SSO for your team
Enterprise
Regulated & high-assurance
Let's talk
  • HSM / KMS signing keys
  • External head anchoring
  • SOC 2 evidence exports
  • SLA & support