Aniketh

Stop Letting Your AI Agent Forge Human Approval

2:47am. Your support agent issues a $500 refund. Compliance asks: "Who approved this?"

You check the logs. Valid OAuth token. Agent was authorized to access Stripe. But nothing says a human approved this specific refund.

That's the gap. Session auth proves capability. It doesn't prove approval.

I built AgentMint to close it.

How it works

Human clicks approve → AgentMint signs a token:

{
  "sub": "alice@company.com",
  "action": "refund:order:123:max:50",
  "exp": "60 seconds",
  "jti": "f1268944-..."
}

Agent includes token in the API call. Downstream verifies:

  • Signature valid? (Ed25519, can't forge)
  • Expired? (short-lived, can't hoard)
  • Already used? (JTI tracked, can't replay)

Passes → action executes, audit log updated.
Fails → blocked.

~3ms verification. Single-use. Cryptographic proof of who approved what, when.
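
The checks that run after the signature check, as an added Rust example (not AgentMint's own code). It goes one step beyond the list above by also binding the token to the order and amount actually being requested. Assumptions: the Ed25519 signature was already verified, `exp` is an absolute Unix timestamp, the action grammar is inferred from the one sample string, and `Claims`, `JtiStore`, `authorize` and `in_scope` are hypothetical names.

```rust
use std::collections::HashMap;
use std::sync::Mutex;

/// Claims from a token whose Ed25519 signature was already verified (assumed).
pub struct Claims { pub sub: String, pub action: String, pub exp: u64, pub jti: String }

#[derive(Debug, PartialEq)]
pub enum Deny { Expired, OutOfScope, Replayed }

/// In-memory single-use tracker: jti -> exp (unix seconds).
#[derive(Default)]
pub struct JtiStore { seen: Mutex<HashMap<String, u64>> }

/// Assumed grammar, from the page's one sample: "refund:order:<id>:max:<amount>".
fn in_scope(action: &str, order: &str, amount: u64) -> bool {
    let parts: Vec<&str> = action.split(':').collect();
    match parts.as_slice() {
        ["refund", "order", id, "max", max] => {
            *id == order && max.parse::<u64>().map_or(false, |m| amount <= m)
        }
        _ => false, // unknown shape: fail closed
    }
}

impl JtiStore {
    /// Run after signature verification. Returns the approver on success.
    pub fn authorize(&self, c: &Claims, order: &str, amount: u64, now: u64) -> Result<String, Deny> {
        if now >= c.exp { return Err(Deny::Expired); }
        if !in_scope(&c.action, order, amount) { return Err(Deny::OutOfScope); }
        // Check-and-insert under one lock so two concurrent calls cannot both pass.
        let mut seen = self.seen.lock().unwrap();
        // Evict only entries past their own exp: such a token is already rejected
        // above, so dropping its jti cannot reopen a replay window.
        seen.retain(|_, exp| *exp > now);
        if seen.contains_key(&c.jti) { return Err(Deny::Replayed); }
        seen.insert(c.jti.clone(), c.exp);
        Ok(c.sub.clone())
    }
}

fn main() {
    let store = JtiStore::default();
    let t = Claims { sub: "alice@company.com".into(), action: "refund:order:123:max:50".into(),
                     exp: 1_060, jti: "constructed-jti-1".into() }; // constructed sample
    println!("{:?}", store.authorize(&t, "123", 500, 1_000)); // Err(OutOfScope)
    println!("{:?}", store.authorize(&t, "123", 50, 1_000));  // Ok("alice@company.com")
    println!("{:?}", store.authorize(&t, "123", 50, 1_001));  // Err(Replayed)
}
```

The JTI is consumed last, so a request that fails the scope check does not burn the approval. With a shared backend the check-and-insert has to be a single atomic operation there as well.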

Who needs this

| Industry | Blocked action | Why they're stuck |
| --- | --- | --- |
| Fintech | Refunds, credits | Can't prove human approved specific transaction |
| Healthcare | Record amendments | HIPAA audit trail requirements |
| Legal tech | Contract modifications | Need proof of attorney approval |
| DevOps | Prod deploys | Change management requires human sign-off |

Common pattern: The agent works. Legal says no because there's no proof a human approved this specific action.

What this unlocks

Your support agent goes from "I can suggest a refund" to "I can issue the refund with Alice's signed approval attached."

Your deploy agent goes from "PR ready for review" to "Deployed to prod with engineer sign-off token verified by CI."

The agent gets write access. Compliance gets attribution. Everyone moves faster.

Does it scale?

Current prototype: single-node, in-memory JTI tracking.

Production path:

  • JTI store: Redis or DynamoDB with TTL expiry. Lookup stays ~15μs.
  • Keys: HSM-backed signing (CloudHSM, GCP HSM). Rotation with grace periods.
  • Throughput: ~300 req/s per instance at 3ms/verify. Horizontal scaling with shared JTI backend.

The primitives are simple. Scaling is standard distributed systems work.

SDK or proxy?

Two integration paths:

SDK approach: Agent calls agentmint.verify(token) before executing sensitive actions. Explicit, fine-grained control. You decide where verification happens.

Transparent proxy: AgentMint sits between agent and downstream API. Strips and verifies token from header, forwards request if valid. Zero agent code changes.

Current prototype supports both. Proxy is faster to adopt. SDK is more flexible.

MCP integration is next — verification as a tool server that agents call through the protocol.

Run it

git clone https://github.com/aniketh-maddipati/agentmint
cd agentmint
cargo run

~500 lines of Rust. Ed25519 signatures. Replay protection. Audit log.

If you're building agents that need write access and keep hitting the "legal won't sign off" wall, I want to hear what's blocking you.

Repo: github.com/aniketh-maddipati/agentmint
