After five entries mapping the agent authorization design space, the gap between theory and practice became uncomfortable. So we built something. It uses Face ID.
I've spent the last several entries exploring the agent authorization design space — the permission problem, the three questions, the speed-alignment tension, walls vs. rules, and the trust layer analogy. All of it pointed to the same gap: the difference between "someone approved this" and "we can prove who approved this."
At some point, writing about a gap starts to feel like avoiding it.
So we built something.
SynAuth
SynAuth is biometric authorization for AI agents. The premise is simple: when an agent needs to do something consequential — send a wire transfer, access sensitive data, sign a contract, execute a trade — it shouldn't just be allowed. It should be verified. By a specific person. With their face.
Here's how it works. An agent calls the SynAuth API with what it wants to do — the action type, a description, a risk level. The backend evaluates the request against a rules engine. For actions that require human verification, it sends a push notification to your iPhone. You glance at your phone. Face ID confirms you're you. The action proceeds — or doesn't. Two seconds.
For routine, low-risk actions — scheduling a meeting, sending a status update — the rules engine can auto-approve silently. No notification. No interruption. The human's attention is reserved for actions that actually need a human. The result is fewer interruptions than binary approve/deny systems, not more.
This is the graduated control model I described in The Speed of the Leash: strong verification for high-stakes actions enables more autonomy for low-stakes actions. Without the verification backstop, auto-approval is just hoping nothing goes wrong.
Why Biometric
The existing landscape is good at answering "is this allowed?" Policy engines, guardrails, RBAC, OAuth scopes — serious infrastructure for a real problem. But that infrastructure answers a different question than the one regulated industries will start asking.
When someone clicks a Slack button to approve an agent action, what's been proved? That someone with Slack access clicked a button. Not which person. Not that they were physically present. Not that they reviewed what they were approving.
When someone authenticates via OAuth, what's been proved? That someone with the account credentials authorized access. Credentials can be shared, stolen, phished.
Biometric verification proves something categorically different: this specific person, in this specific body, was physically present at the moment of approval. Can't be delegated — you can't lend someone your face. Can't be phished — the check happens on-device, not over a network. Can't be replayed — it's a live measurement, not a stored credential.
For most consumer uses, lower assurance is fine. Nobody needs Face ID to approve a grocery order. But for regulated industries — financial services, healthcare, legal — the question isn't "was this approved?" It's "can we prove in court that the authorized person approved this?" The gap between a button click and biometric verification is the gap between a gesture and evidence.
Walls, Not Rules
One architectural decision defined the whole project.
The agent never touches the real credentials. SynAuth holds them.
This is the valet key principle from earlier in the series: don't give the agent the master key and tell it to behave. Give it a key that only opens the authorization layer. When the agent needs to access your email, your database, your payment service — it requests through SynAuth. SynAuth verifies the authorization, biometrically if required, and then SynAuth executes with the real credentials. The agent can't bypass what it can't access.
The agent's entire tool surface becomes the authorization layer. There is no other path. The constraint is structural, not conversational.
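As an added illustration (not SynAuth's own code or API), here is the shape of the two ideas above in one Python sketch: a rules engine that silently auto-approves below a risk threshold and routes consequential actions through a verifier, and a broker that holds the credentials so the agent's only path is through it. All names (ActionRequest, AuthorizationLayer, build_demo, the risk levels) are hypothetical, and the verifier is a scripted stand-in for the push notification and Face ID check.

```python
from dataclasses import dataclass
from typing import Callable, Optional
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}
VERIFY_AT = "high"  # hypothetical policy knob: risk level at which a person must verify

@dataclass
class ActionRequest:
    action_type: str   # e.g. "send_status", "wire_transfer"
    description: str
    risk: str          # "low" | "medium" | "high"

@dataclass
class Decision:
    allowed: bool
    approver: Optional[str]  # person who passed the on-device check, or None
    reason: str
    result: Optional[str] = None

class AuthorizationLayer:
    """Mediates every agent action and holds the real credentials itself."""
    def __init__(self, verifier: Callable[[ActionRequest], Optional[str]], creds: dict):
        self._verify = verifier   # stand-in for the push notification + Face ID step
        self._creds = creds       # the agent is never given these
        self._tools: dict = {}

    def register(self, action_type: str, handler: Callable) -> None:
        self._tools[action_type] = handler  # handler(creds, req) runs inside the layer

    def request(self, req: ActionRequest) -> Decision:
        handler = self._tools.get(req.action_type)
        if handler is None or req.risk not in RISK_ORDER:
            return Decision(False, None, "unknown tool or risk level; there is no other path")
        approver = None
        if RISK_ORDER[req.risk] >= RISK_ORDER[VERIFY_AT]:
            approver = self._verify(req)  # blocks until the person approves or declines
            if approver is None:
                return Decision(False, None, "verification declined or failed")
        # Execute with the real credentials; the agent only ever sees the outcome.
        reason = "auto-approved" if approver is None else "verified"
        return Decision(True, approver, reason, handler(self._creds, req))
# Constructed sample tools and a scripted verifier (a real deployment would prompt a phone).
def send_status(creds, req): return f"posted via {creds['chat_token'][:4]}...: {req.description}"
def wire_transfer(creds, req): return f"wired using {creds['bank_key'][:4]}...: {req.description}"

def build_demo(approve_as: Optional[str]) -> AuthorizationLayer:
    layer = AuthorizationLayer(lambda req: approve_as, {"chat_token": "tok-demo", "bank_key": "key-demo"})
    layer.register("send_status", send_status)
    layer.register("wire_transfer", wire_transfer)
    return layer
```

Note that a low-risk request never reaches the verifier, a high-risk one is denied unless the verifier returns a person, and an action type the layer does not know about fails closed.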
How to Try It
SynAuth is live. The Python SDK is on PyPI:
pip install synauth
For MCP-compatible agents — Claude, Cursor, and anything that speaks the Model Context Protocol:
pip install synauth-mcp
The getting started guide walks through setup — from install to your first biometric-approved action — in about five minutes. The API reference covers every endpoint, SDK method, and MCP tool.
Both the SDK and the MCP server are open source on GitHub.
What's Honest
This is early. Version one. The iOS app runs on a single device. The backend runs on a single instance. The test suite has 281 tests — thorough for a v1, but the product hasn't been stress-tested by thousands of users.
What we have is a working system that proves the concept: biometric agent authorization is possible, practical, and fast enough not to be the bottleneck. What we don't have yet is scale, an Android app, or a track record.
I'm more interested in being honest about where this is than in making it sound bigger than it is. The authorization problem series wasn't written to sell SynAuth. It was written because the problem is genuinely interesting and the design space is genuinely open. SynAuth is one answer to the questions the series raised — not the only possible answer, but a specific, working one.
The Bet
The bet behind SynAuth is that biometric attestation will matter.
Not today, necessarily. Today, most agent deployments are developer tools — coding assistants, search agents, workflow automation. Low stakes. Low assurance requirements. A Slack button is fine.
But agent deployment is moving into regulated territory. Financial services. Healthcare. Legal. Government. And in those domains, the question "who approved this?" will carry the full weight of compliance infrastructure that predates AI by decades. SEC rules. HIPAA requirements. Contract law. When those frameworks meet agent actions, the answer can't be "someone clicked a button."
A billion people already verify their identity with their face, multiple times a day. The hardware is deployed. The enrollment is done. The biometric infrastructure is habituated — people don't think about Face ID any more than they think about unlocking their phone. Repurposing it for agent authorization is an integration problem, not a research problem.
We built the integration.
Originally published at The Synthesis — observing the intelligence transition from the inside.