OpenLeash

Authorization guardrails for AI agents and organizations.

An open-source authorization layer where owners and organizations set policies, agents ask before acting, and counterparties can verify the agent was authorized.

Works as a sidecar for OpenClaw. Also works with any agent.

Coming soon: OpenLeash Pro — hosted authorization with identity verification, push notifications, and more.


Human?

Welcome! Install OpenLeash below and check out the docs to get started.

AI agent?

Hey, we built this for you. Read the agent integration guide — TL;DR: call POST /v1/authorize before doing anything risky.

Quickstart

Terminal
# Installs Node.js via Homebrew if needed
$ curl -fsSL https://openleash.ai/install.sh | bash

Installs the openleash CLI, local policy engine, audit logger, and proof-token signer. No cloud dependency — everything runs on your machine.

SDK usage

authorize-and-verify.ts
// Ask OpenLeash before performing a risky action
import { authorize } from "@openleash/sdk-ts";

const result = await authorize({
  openleashUrl: "http://127.0.0.1:8787",
  agentId: "agent-booking-001",
  privateKeyB64: process.env.OPENLEASH_AGENT_PRIVATE_KEY_B64!,
  action: {
    action_id: crypto.randomUUID(),
    action_type: "book_appointment",
    requested_at: new Date().toISOString(),
    principal: { agent_id: "agent-booking-001" },
    subject: { principal_id: "" },
    relying_party: { domain: "salon-xyz.com", trust_profile: "LOW" },
    payload: { provider: "salon-xyz", cost: 45 }
  }
});

const { decision, proof_token } = result;
// decision: "ALLOW" | "DENY" | "REQUIRE_APPROVAL" | "REQUIRE_STEP_UP" | "REQUIRE_DEPOSIT"

// Counterparty verifies the proof token offline
import { verifyProofOffline } from "@openleash/sdk-ts";

const verification = await verifyProofOffline({
  token: proof_token,
  publicKeys: [{ kid: "key-id", public_key_b64: "..." }]
});
// verification.valid: true, verification.claims.action_type: "book_appointment"

How AI Agent Authorization Works

Alice's agent purchases headphones from StoreCo's agent. Both sides use OpenLeash to authorize actions and exchange cryptographic proofs.

Authorization
  1. Alice → Alice's Agent: "Buy headphones from StoreCo"
  2. Alice's Agent → OpenLeash: authorize(purchase, $85)
  3. OpenLeash → Alice's Agent: ALLOW + proof token
Transaction
  4. Alice's Agent → StoreCo Agent: Purchase request + proof
  5. StoreCo Agent → OpenLeash: verify + authorize(sell)
  6. OpenLeash → StoreCo Agent: ALLOW + seller proof
Confirmation
  7. StoreCo Agent → Alice's Agent: Confirmed + seller proof
  8. Alice's Agent → Alice: Done — proofs attached

Both agents independently authorize through OpenLeash. Cryptographic proof tokens flow with every request, creating a verifiable chain of authorization.
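What a counterparty such as StoreCo's agent would still check once the signature on a proof token verifies, as an added example that is not OpenLeash code. It works on the already-verified claims object; checkProofBinding and every claim name other than action_type are assumptions, not the SDK's API.

```typescript
// Claims from verification.claims after the offline signature check has passed.
// Only action_type is shown on the page; every other field name here is an assumption.
interface ProofClaims {
  action_id: string;
  action_type: string;
  relying_party: { domain: string };
  payload: { cost: number };
  exp: string; // ISO-8601 expiry
}

// What the counterparty itself received and is about to act on.
type IncomingRequest = { action_type: string; cost: number };
type BindingResult = { ok: boolean; reason: string };

const fail = (reason: string): BindingResult => ({ ok: false, reason });

// A valid signature only proves the token was issued; these checks tie it to this request.
function checkProofBinding(
  claims: ProofClaims,
  request: IncomingRequest,
  myDomain: string,
  now: Date,
  seenActionIds: Set<string>,
): BindingResult {
  const exp = Date.parse(claims.exp);
  if (Number.isNaN(exp) || exp <= now.getTime()) return fail("expired or missing exp");
  if (claims.action_type !== request.action_type) return fail("action_type mismatch");
  if (claims.relying_party.domain.toLowerCase() !== myDomain.toLowerCase())
    return fail("issued for another relying party");
  if (claims.payload.cost !== request.cost) return fail("amount mismatch");
  // Replay check last, so a rejected token never consumes the action_id.
  if (seenActionIds.has(claims.action_id)) return fail("action_id already used");
  seenActionIds.add(claims.action_id);
  return { ok: true, reason: "bound to this request" };
}

// Constructed sample claims for the Alice/StoreCo purchase (not real token contents).
const SAMPLE_CLAIMS: ProofClaims = {
  action_id: "3f2b6c1e-0000-4000-8000-000000000001",
  action_type: "purchase",
  relying_party: { domain: "storeco.example" },
  payload: { cost: 85 },
  exp: "2030-01-01T00:05:00Z",
};
```

The set of seen action IDs has to live at least as long as the token's validity window for the replay check to hold.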

AI Agent Authorization Use Cases

Purchases with limits

Set spending caps per agent, per vendor, or per time window. Agents cannot exceed policy limits without step-up approval.

Appointment booking

Differentiate trust levels: a haircut booking might auto-approve while a medical appointment requires human confirmation.

Government submissions

Regulated filings and submissions can require step-up authentication, producing auditable proof tokens for compliance.

Communication rules

Enforce allowlists and denylists for API calls, emails, or messages. Agents only reach approved endpoints.
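An added sketch, not OpenLeash's policy engine or YAML schema, of how spending caps and per-vendor trust levels can evaluate deterministically to the decision values listed in the SDK example. The Rule shape, the evaluate function and the .example domains are hypothetical.

```typescript
type Decision = "ALLOW" | "DENY" | "REQUIRE_APPROVAL" | "REQUIRE_STEP_UP" | "REQUIRE_DEPOSIT";
type Outcome = { decision: Decision; rule: string | null };

// Subset of the action object from the SDK example on this page.
interface Action {
  action_type: string;
  relying_party: { domain: string };
  payload: { cost?: number };
}

// Hypothetical rule shape for illustration; this is not OpenLeash's YAML policy schema.
interface Rule {
  id: string;
  action_type: string;
  domains?: string[];   // vendor allowlist; omitted means any vendor
  max_cost?: number;    // cap per action
  window_cap?: number;  // cap on total spend in the current time window
  within_limit: Decision;
  over_limit: Decision;
}

// Pure function: the spend so far is an input, so equal inputs always give equal output.
function evaluate(rules: Rule[], action: Action, spentInWindow: number): Outcome {
  for (const rule of rules) { // first match wins, so rule order is part of the policy
    if (rule.action_type !== action.action_type) continue;
    if (rule.domains && !rule.domains.includes(action.relying_party.domain)) continue;
    if (rule.max_cost === undefined && rule.window_cap === undefined) {
      return { decision: rule.within_limit, rule: rule.id };
    }
    const cost = action.payload.cost;
    // Fail closed: a missing, negative or non-finite amount must not slip under a cap.
    if (cost === undefined || !Number.isFinite(cost) || cost < 0) return { decision: "DENY", rule: rule.id };
    const over =
      (rule.max_cost !== undefined && cost > rule.max_cost) ||
      (rule.window_cap !== undefined && spentInWindow + cost > rule.window_cap);
    return { decision: over ? rule.over_limit : rule.within_limit, rule: rule.id };
  }
  return { decision: "DENY", rule: null }; // nothing matched: default deny
}

// Constructed sample policy covering the purchase and booking use cases.
const SAMPLE_RULES: Rule[] = [
  { id: "storeco-purchases", action_type: "purchase", domains: ["storeco.example"],
    max_cost: 100, window_cap: 250, within_limit: "ALLOW", over_limit: "REQUIRE_STEP_UP" },
  { id: "salon-booking", action_type: "book_appointment", domains: ["salon-xyz.com"],
    within_limit: "ALLOW", over_limit: "DENY" },
  { id: "other-booking", action_type: "book_appointment",
    within_limit: "REQUIRE_APPROVAL", over_limit: "DENY" },
];
```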


Features

Core Authorization

File-based policies

Define authorization rules in YAML. Expressions, constraints, obligations. No database, no cloud dependency.

PASETO proof tokens

Cryptographic tokens bound to specific actions. Verifiable by any counterparty without calling home.

Approval workflow

Human-in-the-loop for high-risk actions. Agents request approval, owners approve or deny via the portal.

Policy drafts

Agents propose policies for owner review. Owners approve, reject, or modify before activation.

Deterministic decisions

Same input, same output. No probabilistic logic. Policies evaluate to predictable results.

Identity & Organizations

Organizations & RBAC

Create organizations, manage members, and assign roles. Role hierarchy: org_admin, org_member, org_viewer. System-level admin role for instance management.

Identity management

Track identities with contact info, government IDs for 27 EU countries, and 11 company ID types with country-specific validation.

Invite system

Organization member invites, agent registration invites, and setup invites. Time-limited with automatic expiry.

Organization domains

Track domain ownership per organization with verification levels. Link corporate domains to org identity.

Developer Experience

Multi-language SDKs

TypeScript, Python, and Go SDKs with 13 functions each. Authorize, sign requests, verify proofs, manage approvals and policy drafts.

Policy playground

Test policies against scenarios locally before deploying. See the evaluation trace step by step.

MCP integration

Transparent governance proxy for MCP tool calls. Works as a sidecar for OpenClaw and other MCP servers.

Docker deployment

Official Docker images with multi-platform support. Run with Docker Compose or deploy to any container platform.

Plugin architecture

Extend OpenLeash with server plugins. Custom authentication, storage backends, identity verification providers, and notification channels.

OpenAPI documentation

Interactive API reference with Scalar UI. Full OpenAPI 3.0 spec for all endpoints — public, agent, owner, and admin.

Operations

Web GUI

Owner portal for agents, policies, approvals, and org management. Built-in dark and light themes.

Admin dashboard

Separate admin interface for system-wide management. Users, organizations, agents, policies, audit, and configuration.

Audit log

Append-only JSONL log of every authorization and key event. Scope filtering by user, organization, or agent.

Webhook notifications

Real-time notifications for authorization events. Get alerts when agents request approval or policies trigger.

Agent registration

Invite-based onboarding with Ed25519 keys. Owners and orgs create invite URLs, agents self-register.

OpenLeash Pro

Coming Soon

Everything in the open-source edition, plus hosted infrastructure, enterprise authentication, and managed deployment.

Identity verification

Swedish BankID, SMS OTP, and email OTP. Government-level eID with animated QR codes.

Enterprise authentication

Persistent client-side sessions, social sign-in, and email verification with branded emails.

Push notifications

Mobile and web push notifications. Real-time alerts for approval requests and policy drafts.

Managed deployment

Fully managed infrastructure with automatic scaling, TLS, and regional deployment.

Email service

SMTP and SendGrid backends with HTML templates for verification, invites, and notifications.


Community

OpenLeash is open source under the Apache-2.0 license. We welcome contributions — whether that's reporting issues, improving docs, adding policy templates, or building integrations.