Which integrations are available for this server?

Provides a drop-in adapter to enforce safety policies, budget limits, and tool governance for agents built with the CrewAI framework. Offers a guardrail adapter to evaluate and authorize agent actions, tool calls, and API requests within LangChain workflows before execution. Enables governance, policy enforcement, and audit trails for complex agentic workflows and tool interactions built using LangGraph. Integrates with the OpenAI Agents SDK to provide content safety scanning, action authorization, and session-level threat detection. Features built-in governance and monitoring capabilities specifically designed to provide coverage against the OWASP Agentic Top 10 security vulnerabilities. Facilitates human-in-the-loop approval workflows for high-risk agent actions through mobile Progressive Web App notifications. Enables real-time human approval workflows for high-consequence agent actions directly via Slack notifications and interactions. Governs agent interactions with the Stripe API, allowing for policy enforcement on charges, spending limits, and detailed audit logging of financial actions. Provides an adapter for the Vercel AI SDK to add a comprehensive safety layer, including policy evaluation and tamper-evident action receipts.

authensor-mcp-server by AUTHENSOR

The Problem

AI agents are shipping to production without guardrails. They call APIs, browse the web, execute code, and manage infrastructure — often with no policy enforcement, no approval workflows, and no audit trail.

32% of MCP servers have at least one critical vulnerability (Enkrypt AI)
Agents fall for dark patterns 41% of the time (arxiv 2510.18113)
88% of organizations have confirmed or suspected AI security incidents
EU AI Act high-risk deadline is August 2, 2026 — creating urgent compliance demand

Existing guardrails focus on what models say (prompt/response filtering). Authensor focuses on what agents do (action authorization, approval workflows, and cryptographic audit trails).

The Solution

Authensor is four open-source tools that together cover the full surface area of agent risk:

Tool	What it guards	How
Authensor	Agent actions (API calls, tool use, data access)	Policy engine + control plane with hash-chained receipts
SpiroGrapher	Agent web browsing	Compiles HTML to structured IR, detects dark patterns, constitutional rules
SafeClaw	Local agent execution	PreToolUse hook gating, deny-by-default, mobile approval workflows
SiteSitter	Website safety monitoring	Continuous governance for deployed sites

Quickstart

Self-hosted (recommended)

git clone https://github.com/authensor/authensor.git
cd authensor
docker compose up -d
# Control plane running at http://localhost:3000
# Admin token printed to logs: docker compose logs control-plane

That's it. Postgres starts, migrations run, a bootstrap admin key is created, and a default-safe policy (deny-by-default) is provisioned. Aegis content safety and Sentinel monitoring are enabled out of the box.

30 seconds: Run a safe local agent

npx safeclaw init --demo
npx safeclaw run "list my project files"
# Opens dashboard at localhost:7700 with policy enforcement + audit trail

Add to any agent (TypeScript)

import { Authensor } from '@authensor/sdk';

const authensor = new Authensor({
  controlPlaneUrl: 'http://localhost:3000',
  principalId: 'my-agent',
});

const result = await authensor.execute(
  'stripe.charges.create',
  'stripe://customers/cus_123/charges',
  async () => stripe.charges.create({ amount: 1000, currency: 'usd' }),
  { constraints: { maxAmount: 10000 } }
);
// Receipt created, policy enforced, action audited

Add to any agent (Python)

from authensor import Authensor

async with Authensor(
    control_plane_url="http://localhost:3000",
    principal_id="my-agent",
) as authensor:
    result = await authensor.execute(
        action_type="stripe.charges.create",
        resource="stripe://customers/cus_123/charges",
        executor=lambda: create_charge(),
        constraints={"max_amount": 10000},
    )

Framework adapters

Drop-in integration for popular agent frameworks:

// LangChain / LangGraph
import { AuthensorGuardrail } from '@authensor/langchain';
const guardrail = new AuthensorGuardrail({ controlPlaneUrl: '...' });

// OpenAI Agents SDK
import { AuthensorGuardrail } from '@authensor/openai';

// CrewAI
import { AuthensorGuardrail } from '@authensor/crewai';

// Vercel AI SDK
import { AuthensorGuardrail } from '@authensor/vercel-ai-sdk';

// Claude Agent SDK
import { AuthensorGuardrail } from '@authensor/claude-agent-sdk';

// Claude Code (hooks-based integration)
// See docs/claude-code-hooks.md

Why Authensor

vs. the landscape

Capability	Authensor	AWS AgentCore + Cedar	Galileo Agent Control	NeMo Guardrails	Guardrails AI
Action authorization (pre-execution)	Yes	Yes	Yes	No (prompt/response)	No (output validation)
Content safety scanning (pre-eval)	Yes (Aegis)	No	No	Yes	Yes
Approval workflows (human-in-the-loop)	Yes (SMS, Slack, email, mobile PWA)	No	No	No	No
Cryptographic audit trail (receipts)	Yes (hash-chained, Sigstore)	No	No	No	No
Real-time anomaly detection	Yes (Sentinel)	No	No	No	No
Deny-by-default / fail-closed	Yes	Yes	No	No	No
Cloud-agnostic	Yes	No (AWS only)	Yes	Yes	Yes
Open source	Yes (MIT)	No (Cedar is, AgentCore isn't)	Yes (Apache 2.0)	Yes (Apache 2.0)	Yes (Apache 2.0)
MCP tool governance	Yes	No	No	No	No
Web browsing governance	Yes (SpiroGrapher)	No	No	No	No
Multi-party approval	Yes	No	No	No	No
Cross-agent chain tracing	Yes (parentReceiptId)	No	No	No	No
Session-level threat detection	Yes (forbidden sequences, risk scoring)	No	No	No	No
Budget enforcement	Yes (per-principal spending limits)	No	No	No	No
Shadow/canary policy testing	Yes	No	No	No	No
Framework adapters	8 (LangChain, OpenAI, Vercel AI, Claude Agent, CrewAI, Claude Code, TS SDK, Python SDK)	1 (Bedrock)	1 (custom)	1 (custom)	1 (custom)

Key differentiators

Action-level, not prompt-level. Most guardrails filter what the model says. Authensor governs what the agent does — every tool call, API request, and side effect goes through policy evaluation before execution.
Defense in depth. Seven layers of safety in one stack:
- Aegis scans for prompt injection, jailbreak, PII, and memory poisoning before policy evaluation
- Session rules detect privilege escalation through action sequences and cumulative risk scoring
- Policy engine evaluates conditions, constraints, rate limits, and budgets
- Approval workflows force human review for high-consequence actions
- Sentinel monitors per-agent baselines and detects anomalies in real-time
- Receipts create a tamper-evident audit trail with hash chains and optional Sigstore transparency
- TOCTOU protection re-evaluates policy on claim to prevent time-of-check/time-of-use attacks
Receipts, not just logs. Every action produces a structured, policy-versioned receipt recording what was requested, what policy decided, why, and what happened. Hash-chained for tamper evidence. This directly satisfies EU AI Act Article 12 (record-keeping) and SOX audit requirements.
Fail-closed by default. No policy loaded? Denied. Control plane unreachable? Denied. Unknown action type? Denied. This matches OWASP and NIST recommendations.
Cross-provider. Works with Claude, GPT, LangChain, CrewAI, Vercel AI, Claude Code, or any agent framework. Eight adapters, one safety layer for all your agents.

Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                         Your Agent                                    │
│  (Claude, GPT, LangChain, CrewAI, Vercel AI, custom, etc.)           │
└──────────────────────────────┬──────────────────────────────────────┘
                               │ SDK / MCP / Hook
                               ▼
┌─────────────────────────────────────────────────────────────────────┐
│                        Authensor Stack                                │
│                                                                       │
│  ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌──────────────┐   │
│  │   Aegis    │→ │   Engine   │→ │  Control   │→ │  Sentinel    │   │
│  │  (content  │  │   (pure    │  │   Plane    │  │  (real-time  │   │
│  │   safety)  │  │   logic)   │  │  (HTTP API)│  │  monitoring) │   │
│  └────────────┘  └────────────┘  └─────┬──────┘  └──────────────┘   │
│                                        │                              │
│  ┌────────────┐  ┌────────────┐  ┌─────▼──────┐  ┌──────────────┐   │
│  │  SafeClaw  │  │ SpiroGrapher│  │  Receipts  │  │   Adapters   │   │
│  │(local gate)│  │(web govern) │  │(hash chain)│  │(8 adapters)  │   │
│  └────────────┘  └────────────┘  └────────────┘  └──────────────┘   │
└─────────────────────────────────────────────────────────────────────┘

Five Layers

Layer	Package	What It Does	Dependencies
Policy Engine	`@authensor/engine`	Session rules, budget evaluation, constraint enforcement. Pure, synchronous, deterministic.	0
Aegis Content Scanner	`@authensor/aegis`	15+ prompt injection rules, 22 MINJA memory poisoning rules, PII/credential scanning, exfiltration detection, multimodal safety.	0
Sentinel Behavioral Monitor	`@authensor/sentinel`	EWMA/CUSUM baselines, deny-rate/latency/volume anomaly detection, chain depth and fan-out alerts.	0
Control Plane	`@authensor/control-plane`	Hono + PostgreSQL HTTP API. Shadow/canary eval, TOCTOU protection, principal binding, Sigstore/Rekor integration.	Hono, pg
MCP Gateway	`@authensor/mcp-server`	SEP authorization protocol (`authorization/propose`, `authorization/decide`, `authorization/receipt`).	—

How it works

Agent wants to act
  │
  ▼
Action Envelope created (who, what, where, constraints)
  │
  ▼
Aegis scans for injection, jailbreak, PII, memory poisoning
  │
  ▼
Session rules check forbidden sequences + risk threshold
  │
  ▼
Policy engine evaluates conditions, rate limits, budgets
  │
  ▼
Decision: allow | deny | require_approval | rate_limited
  │
  ▼
Receipt created (hash-chained, policy-versioned)
  │
  ▼
Sentinel monitors for anomalies
  │
  ▼
Action executes (or doesn't) → receipt updated

Core concepts

Action Envelope — describes what an agent wants to do:

{
  "id": "uuid",
  "timestamp": "2026-01-01T00:00:00Z",
  "action": {
    "type": "stripe.charges.create",
    "resource": "stripe://customers/cus_123/charges",
    "operation": "create",
    "parameters": { "amount": 1000, "currency": "usd" }
  },
  "principal": { "type": "agent", "id": "my-agent" },
  "context": { "sessionId": "sess_abc", "parentReceiptId": "uuid" },
  "constraints": { "maxAmount": 10000, "currency": "USD" }
}

Receipt — permanent, auditable, hash-chained record:

{
  "id": "uuid",
  "envelopeId": "uuid",
  "parentReceiptId": "uuid",
  "decision": { "outcome": "allow", "policyId": "prod-v2", "policyVersion": "2.1.0" },
  "status": "executed",
  "receiptHash": "sha256:...",
  "prevReceiptHash": "sha256:..."
}

Packages

Core

Package	Description	Deps
`@authensor/schemas`	JSON Schema definitions — single source of truth	0
`@authensor/engine`	Pure policy evaluation (conditions, sessions, budgets, constraints)	0
`@authensor/aegis`	Content safety scanner (injection, jailbreak, PII, memory poisoning, multimodal)	0
`@authensor/sentinel`	Real-time monitoring (EWMA/CUSUM anomaly detection, chain tracking, alerts)	0
`@authensor/control-plane`	HTTP API: evaluate, receipts, approvals, policies, budgets, shadow eval	Hono, pg
`@authensor/mcp-server`	MCP tools with policy enforcement (Stripe, GitHub, HTTP)	—
`@authensor/sdk`	TypeScript SDK for agent builders	—
`authensor`	CLI: `authensor policy lint`, `authensor policy test`, `authensor policy diff`	—
`authensor` (Python)	Python SDK	—
`create-authensor`	Project scaffolder: `npx create-authensor`	—
`@authensor/redteam`	Adversarial red-team test seeds (15 attack patterns, 5 categories, MITRE ATLAS mapped)	0

Framework Adapters

Package	Framework	Description
`@authensor/langchain`	LangChain / LangGraph	Guardrail + interrupt integration
`@authensor/openai`	OpenAI Agents SDK	Pre-execution guardrail
`@authensor/vercel-ai-sdk`	Vercel AI SDK	Middleware integration
`@authensor/claude-agent-sdk`	Claude Agent SDK	Tool-use guardrail
`@authensor/crewai`	CrewAI	Task guardrail
—	Claude Code	Hooks-based PreToolUse / PostToolUse integration
`@authensor/sdk`	TypeScript SDK	Direct integration for any TS agent
`authensor` (Python)	Python SDK	Direct integration for any Python agent

Companion Tools

Tool	Description
SafeClaw	Local agent gating with PreToolUse hooks, mobile PWA dashboard, swipe-to-approve
SpiroGrapher	Web governance: HTML→IR compilation, 26 constitutional rules, dark pattern detection
SiteSitter	Website safety monitoring and governance

Features

Content Safety (Aegis)

Zero-dependency content scanner that runs before policy evaluation:

Prompt injection detection — 15+ heuristic rules
Jailbreak detection — pattern matching for common bypass techniques
PII detection — emails, SSNs, credit cards, phone numbers
Memory poisoning detection — 22 MINJA-informed rules for persistent memory attacks
Multimodal safety — 6 heuristic categories for image/file content
Output scanning — post-execution content validation

Session Rules

Detect privilege escalation through multi-action patterns:

Forbidden sequences — block [auth.login, admin.escalate] chains with glob matching
Risk scoring — cumulative per-session risk with configurable weights
Max actions — cap total actions per session
Lookback windows — configurable history depth for sequence matching

Budget Enforcement

Per-principal spending limits with period-based resets:

Daily, weekly, monthly, or yearly periods
Per-action cost caps
Alert thresholds at configurable utilization levels
Budget utilization exposed via OpenTelemetry metrics

Real-Time Monitoring (Sentinel)

Zero-dependency anomaly detection engine:

Per-agent baselines via EWMA (Exponentially Weighted Moving Average)
CUSUM change detection for gradual behavioral drift
Configurable alerts on deny rate, latency, cost, chain depth, and fan-out
Cross-agent chain tracking — depth and fan-out metrics for delegation chains

Shadow/Canary Policy Testing

Test new policies alongside active ones without enforcement:

?shadow=policy-id query parameter or AUTHENSOR_SHADOW_POLICY_ID env var
Divergence reports: agreement rate, rule breakdown, per-receipt comparison
Zero-risk policy migration path

Transparency & Compliance

Hash-chained receipts — SHA-256 chain makes audit trail tamper-evident
Sigstore/Rekor integration — optional publishing to public transparency log
Cross-agent tracing — parentReceiptId links receipts across delegation chains
TOCTOU protection — re-evaluates policy on claim to prevent stale-approval attacks
Principal binding — bind API keys to specific agent identities
OpenTelemetry — spans and metrics for every evaluation

OWASP Agentic Top 10 Coverage

Authensor addresses all 10 risks in the OWASP Top 10 for Agentic Applications (2026):

OWASP Risk	Authensor Coverage
ASI01: Agent Goal Hijacking	Aegis pre-eval scanning + policy engine evaluates action intent, not input text
ASI02: Tool Misuse	Per-tool policies, parameter constraints, rate limits, budget caps
ASI03: Identity & Privilege Abuse	Principal binding, RBAC, ABAC conditions, session risk scoring
ASI04: Supply Chain Vulnerabilities	MCP tool governance, domain allowlisting, SSRF protection
ASI05: Unexpected Code Execution	Deny-by-default, explicit allowlisting, SafeClaw container mode
ASI06: Memory & Context Poisoning	Aegis memory poisoning detector (22 MINJA rules), hash-chained receipts
ASI07: Insecure Inter-Agent Communication	Cross-agent chain tracing (parentReceiptId), Sentinel chain depth alerts
ASI08: Cascading Failures	Kill switch, per-tool circuit breakers, rate limiting, Sentinel anomaly detection
ASI09: Human-Agent Trust Exploitation	Multi-party approval workflows, TOCTOU re-evaluation, shadow policy testing
ASI10: Rogue Agents	Fail-closed architecture, Sentinel behavioral baselines, forbidden action sequences

See full OWASP alignment document for detailed mapping.

Compliance

Authensor's architecture maps directly to major regulatory requirements:

EU AI Act (August 2, 2026 deadline): Article 12 logging → receipt chain, Article 14 human oversight → approval workflows. See compliance guide.
SOC 2: Immutable audit trail, RBAC, rate limiting, access logging
SOX: Segregation of duties via approval workflows, receipt retention support
HIPAA: Action-level audit logging, access controls, principal binding
NIST AI RMF: Govern, Map, Measure, Manage pillars addressed via policies, receipts, and controls

API Reference

Method	Endpoint	Description	Role
POST	`/evaluate`	Evaluate an action envelope	ingest, admin
POST	`/evaluate?shadow=id`	Evaluate with shadow policy	ingest, admin
GET	`/receipts`	List receipts	admin
GET	`/receipts/:id`	Get a receipt	admin
GET	`/receipts/:id/view`	Human-readable receipt viewer	admin
GET	`/receipts/:id/chain`	Get cross-agent receipt chain	admin
GET	`/receipts/:id/transparency`	Get Sigstore transparency proof	admin
POST	`/receipts/:id/claim`	Claim a receipt for execution	executor, admin
POST	`/receipts/:id/finalize`	Finalize execution	executor, admin
GET	`/policies`	List policies	admin
POST	`/policies`	Create a policy	admin
POST	`/policies/:id/activate`	Activate a policy version	admin
POST	`/approvals/:id/approve`	Approve a pending action	admin
POST	`/approvals/:id/reject`	Reject a pending action	admin
GET	`/budgets`	List budgets with utilization	admin
POST	`/budgets`	Create/update a budget	admin
GET	`/shadow/report`	Shadow evaluation divergence report	admin
GET	`/controls`	Get kill switch / tool controls	executor, admin
POST	`/controls`	Update controls	admin
POST	`/keys`	Create API key	admin
GET	`/keys`	List API keys	admin
POST	`/keys/:id/principal`	Bind principal to key	admin
GET	`/metrics/summary`	Usage metrics	admin
GET	`/health`	Health check	public

CLI

# Lint a policy for common issues
authensor policy lint policy.json

# Test a policy against scenarios
authensor policy test policy.json scenarios.json

# Diff two policy versions
authensor policy diff v1.json v2.json

Development

# Prerequisites: Node.js 20+, Docker, pnpm
corepack enable
pnpm install

# Start the stack
docker compose up -d    # Postgres + control plane
pnpm dev                # Dev servers with hot reload

# Test (924+ tests across 16 packages)
pnpm test

# Build all packages
pnpm build

# Verify generated types match schemas
pnpm gen:check

Self-Hosting vs. Hosted

Everything is open source. Self-host it all, or use the managed version:

	Self-Hosted (Free)	Hosted
Policy engine	Yes	Yes
Control plane	Yes	Yes, managed
Aegis content safety	Yes	Yes
Sentinel monitoring	Yes	Yes, with dashboards
Receipts & audit trail	Yes	Yes, with retention SLA
Approval workflows	Yes	Yes, with SMS/email gateway
SpiroGrapher	Yes	Yes, with federated threat intel
OpenTelemetry export	Yes	Yes, pre-configured
Support	Community	Dedicated
Compliance reports	DIY	Automated
SLA	None	99.9% uptime

Deployment

Docker Compose (simplest)

docker compose up -d

Helm (Kubernetes)

helm install authensor deploy/helm/authensor \
  --set postgresql.auth.password=your-password \
  --set controlPlane.env.AUTHENSOR_BOOTSTRAP_ADMIN_TOKEN=your-token

Terraform

Modules available for AWS (ECS + RDS), GCP (Cloud Run + Cloud SQL), and Railway:

cd deploy/terraform/aws
terraform init && terraform apply

One-line install (CLI only)

curl -fsSL https://raw.githubusercontent.com/authensor/authensor/main/install.sh | sh

Contributing

We welcome contributions! See CONTRIBUTING.md for guidelines.

Authensor is built on the belief that safety tooling should not have a paywall. We open-source every line of safety code because the more people who use these tools, the safer agents get for everyone.

License

MIT — use it however you want.