OpenLeash

Authorization guardrails for AI agents.

Your agent asks before doing anything risky. You define what's allowed in YAML. OpenLeash decides — ALLOW, DENY, or escalate to a human. Every approved action gets a cryptographic proof token, verifiable offline by anyone. Local-first, no cloud dependency, Apache-2.0.

Get Started GitHub

For agent developers

Wrap any risky action with one call. Your agent can't overspend, call random APIs, or take irreversible actions without policy approval — and you get human-in-the-loop escalation for free.

SDKs for TypeScript, Python, Go. Works with LangChain, LlamaIndex, AutoGen, CrewAI, MCP servers.

Add to your agent →

For security & compliance

Every agent action is policy-checked, logged, and produces a cryptographic proof token (PASETO v4.public, Ed25519-signed). Append-only audit log. Policies as YAML, version-controlled in your repo.

Runs locally next to your agent. No data leaves your network. Self-hostable.

See use cases →

Works as a sidecar for OpenClaw. Also works with any agent. Learn more

See the owner portal in action

Human?

Welcome! Install OpenLeash below and check out the docs to get started.

AI agent?

Hey, we built this for you. Read the agent integration guide — TL;DR: call POST /v1/authorize before doing anything risky.

AGENTS.md Protocol spec SDK reference

› Quickstart

Terminal beta

# Installs Node.js via Homebrew if needed

$ curl -fsSL https://openleash.ai/install.sh | bash

Terminal

# Quick start with default config
$ docker run -d -p 8787:8787 \
  -v openleash-data:/app/data \
  ghcr.io/openleash/openleash

With custom config

# Mount your own config.yaml
$ docker run -d -p 8787:8787 \
  -v ./config.yaml:/app/config.yaml \
  -v openleash-data:/app/data \
  ghcr.io/openleash/openleash

data/ stores policies, audit logs, and signing keys. config.yaml is optional — mount it to customize server settings.

Installs the openleash CLI, local policy engine, audit logger, and proof-token signer. No cloud dependency — everything runs on your machine.

› Next steps

Once installed, these commands get you up and running.

openleash start

Launch the policy sidecar and start authorizing agent actions

openleash init

Non-interactive setup — create owner, agent, and policy in one command

openleash wizard

Interactive setup wizard — configure policies step by step

openleash playground

Test policy evaluation against scenarios without running the server

Full documentation

Protocol spec, policy language, SDK reference, and integration guides

Add OpenLeash to your agent

Wrap any risky action with one call. Your agent gets a decision and a cryptographic proof token it can attach to the action.

    agent.ts 
  // Before — your agent acts directly 
  await sendEmail({ to, subject, body }); 
   
  // After — your agent asks OpenLeash first 
  import { authorize } from "@openleash/sdk-ts"; 
   
  const result = await authorize({ 
    openleashUrl: process.env.OPENLEASH_URL!, 
    agentId: process.env.OPENLEASH_AGENT_ID!, 
    privateKeyB64: process.env.OPENLEASH_AGENT_KEY!, 
    action: { 
      action_id: crypto.randomUUID(), 
      action_type: "send_email", 
      requested_at: new Date().toISOString(), 
      principal: { agent_id: process.env.OPENLEASH_AGENT_ID! }, 
      subject: { principal_id: ownerId }, 
      relying_party: { domain: "your-app.com", trust_profile: "LOW" }, 
      payload: { to, subject, body }, 
    }, 
  }); 
   
  if (result.decision !== "ALLOW") { 
    throw new Error(`Action ${result.decision}`); 
  } 
   
  await sendEmail({ to, subject, body }); 
  // result.proof_token — share or store as a verifiable receipt 

› What you get back

Every approved action returns a PASETO v4.public proof token — Ed25519-signed, offline-verifiable by anyone with the public key. The same decision is written to an append-only audit log scoped per user, organization, and agent.

Decoded proof token

    proof_token (claims) 
  { 
    "iss": "openleash", 
    "sub": "agent_01h8x...", 
    "aud": "your-app.com", 
    "iat": "2026-05-05T13:42:11Z", 
    "exp": "2026-05-05T13:47:11Z", 
    "action_id": "8e3b...", 
    "action_type": "send_email", 
    "action_hash": "sha256:b1a7...", 
    "decision": "ALLOW", 
    "policy_id": "default-mail", 
    "kid": "k1" 
  } 

Audit log entry (JSONL)

    audit.log.jsonl 
  { 
    "ts": "2026-05-05T13:42:11Z", 
    "actor_type": "agent", 
    "actor_id": "agent_01h8x...", 
    "action_type": "send_email", 
    "action_id": "8e3b...", 
    "decision": "ALLOW", 
    "policy_id": "default-mail", 
    "proof_kid": "k1", 
    "signature_valid": true 
  } 

› How AI Agent Authorization Works

Alice's agent purchases headphones from StoreCo's agent. Both sides use OpenLeash to authorize actions and exchange cryptographic proofs.

Alice

Owner

Alice's Agent

Buyer

OpenLeash

Policy Gate

StoreCo Agent

Seller

StoreCo

Organization

Authorization

"Buy headphones from StoreCo"

authorize(purchase, $85)

ALLOW + proof token

Transaction

Purchase request + proof

verify + authorize(sell)

ALLOW + seller proof

Confirmation

Confirmed + seller proof

Done — proofs attached

Authorization
Alice → Alice's Agent

"Buy headphones from StoreCo"
Alice's Agent → OpenLeash

authorize(purchase, $85)
OpenLeash → Alice's Agent

ALLOW + proof token
Transaction
Alice's Agent → StoreCo Agent

Purchase request + proof
StoreCo Agent → OpenLeash

verify + authorize(sell)
OpenLeash → StoreCo Agent

ALLOW + seller proof
Confirmation
StoreCo Agent → Alice's Agent

Confirmed + seller proof
Alice's Agent → Alice

Done — proofs attached

Both agents independently authorize through OpenLeash. Cryptographic proof tokens flow with every request, creating a verifiable chain of authorization.

› AI Agent Authorization Use Cases

Purchases with limits

Set spending caps per agent, per vendor, or per time window. Agents cannot exceed policy limits without step-up approval.

Appointment booking

Differentiate trust levels: a haircut booking might auto-approve while a medical appointment requires human confirmation.

Government submissions

Regulated filings and submissions can require step-up authentication, producing auditable proof tokens for compliance.

Communication rules

Enforce allowlists and denylists for API calls, emails, or messages. Agents only reach approved endpoints.

See all use cases and FAQ →

› How OpenLeash Compares

OpenLeash is opinionated for AI agents. If you're already using a general-purpose policy engine, here's how the boundaries differ — and where each tool wins.

vs OPA

General-purpose policy engine versus AI-agent-specific sidecar with built-in identity, approvals, and proof tokens.

Read comparison →

vs Cedar

AWS's embedded authorization library versus a sidecar service with cryptographic proof tokens and approval workflows.

Read comparison →

vs OpenFGA

Relationship-based access (Zanzibar-style) versus action-level governance for autonomous agents.

Read comparison →

› Features

YAML policies

Authorization rules as YAML. Constraints, obligations, schema-validated. No database, no cloud dependency, version-controlled in your repo.

PASETO proof tokens

PASETO v4.public, Ed25519-signed. Bound to a specific action and verifiable offline by any counterparty with the public key.

Approval workflow

Human-in-the-loop for high-risk actions. Agents request approval; owners approve or deny in the portal. Tokens are single-use and action-scoped.

Append-only audit log

Every authorization, approval, and policy change in JSONL. Scope filtering by user, organization, or agent.

Multi-language SDKs

TypeScript, Python, and Go SDKs at endpoint parity. 13 functions each — authorize, sign, verify, approvals, policy drafts.

Agent registration

Invite-based onboarding with Ed25519 keys. Every request is signed, timestamp-bound, and replay-protected.

MCP integration

Transparent governance proxy for MCP tool calls. Works as a sidecar for OpenClaw and other MCP servers.

Policy playground

Test policies against scenarios locally before deploying. See the evaluation trace step by step.

Owner & admin GUI

Server-rendered portal for managing agents, policies, approvals, audit, and organization membership.

Plugin architecture

Extend with server plugins — custom authentication, storage backends, identity verification, and notification channels.

Full feature reference in the docs →

Coming Soon OpenLeash Pro — Hosted authorization with identity verification, push notifications, and more. →

› OpenLeash Pro

Coming Soon

Everything in the open-source edition, plus hosted infrastructure, enterprise authentication, and managed deployment.

Identity verification

Swedish BankID, SMS OTP, and email OTP. Government-level eID with animated QR codes.

Enterprise authentication

Persistent client-side sessions, social sign-in, and email verification with branded emails.

Push notifications

Mobile and web push notifications. Real-time alerts for approval requests and policy drafts.

Managed deployment

Fully managed infrastructure with automatic scaling, TLS, and regional deployment.

Email service

SMTP and SendGrid backends with HTML templates for verification, invites, and notifications.

See all Pro features →

› Community

OpenLeash is open source under the Apache-2.0 license. We welcome contributions — whether that's reporting issues, improving docs, adding policy templates, or building integrations.

GitHub ↗ Issues ↗ Discussions ↗