Legant
Open-source delegated authorization for AI agents — RFC 8693 on-behalf-of tokens, offline-verified constraints, monotonic attenuation. Single Go binary, self-hostable.
An open-source Go server that controls what AI agents can do on a user's behalf, with scoped time-limited tokens, multi-agent delegation chains, and an MCP gateway.
Legant is an open-source authorization system designed specifically for AI agents. When an AI agent needs to take actions on behalf of a user, like submitting expenses, booking travel, or querying a database, Legant controls exactly what the agent is allowed to do and for how long. It runs as a single self-hostable binary written in Go.
The core idea is delegated authorization. Instead of giving an AI agent the same permissions as a full user, Legant issues a special token that carries fine-grained restrictions baked in: a maximum dollar amount, specific categories of actions it can perform, which services it can talk to, and how many minutes before the token expires. These constraints are embedded in a signed token that any connected service can verify on its own, without calling back to Legant every time.
When one AI agent spawns another, like a planning agent delegating work to an execution agent, each level in the chain can only have the same permissions or fewer than its parent. This property prevents a sub-agent from quietly expanding its own authority. The full chain of who-delegated-to-whom is recorded inside the token itself.
Legant also ships with a gateway component for the Model Context Protocol (MCP), a standard way for AI models to connect to tools and data sources. The gateway filters which tools each agent is allowed to see and call, and can kill a running agent mid-task. Tamper-evident audit logs record every agent action in a hash-chained event store.
The project includes over a dozen runnable demos covering scenarios like OAuth token theft replay, multi-agent pipelines, Kubernetes-based AI infrastructure, and analytics over a real Postgres database. SDKs are available for Go, TypeScript, and Python for verifying delegation tokens in resource servers. The project requires Go and Postgres to run. It is licensed under the Apache 2.0 license, which allows free use including commercial use.
Where it fits
- Issue scoped, time-limited tokens so an AI agent can act on a user's behalf without full account access.
- Deploy an MCP gateway that filters which tools each AI agent can see and call, with mid-task cancellation.
- Build multi-agent pipelines where each child agent automatically has narrower permissions than its parent.
- Add tamper-evident audit logs for all AI agent actions across your infrastructure.