Example implementations showing how to integrate with StrongDM ID (AI Principalis) for agent authentication.
StrongDM ID is an identity service built for the agentic era. While it supports traditional OAuth/OIDC, its primary purpose is enabling agents to authenticate, authorize, and trust other agents.
Key capabilities:
- Prove identity to other agents - Sender-constrained tokens (DPoP) that can't be stolen
- Carry proof of user delegation - Tokens proving "User X gave me permission to do Y"
- Enforce capability boundaries - Cryptographically-enforced scopes
- Spawn child agents with narrowed permissions - Automatic scope narrowing
- Maintain audit trails - Every action logged with unique identity
Python middleware for protecting Flask API endpoints.

```python
from flask import Flask
from strongdm_auth import StrongDMAuth

app = Flask(__name__)
auth = StrongDMAuth(app)

@app.route('/protected')
@auth.require_auth()
def protected():
    return "You're authenticated!"

@app.route('/admin')
@auth.require_scope('pctl:admin')
def admin():
    return "Admin only"
```

TypeScript middleware for protecting Next.js API routes.
```typescript
// middleware.ts
const protectedRoutes = {
  "/api/protected": {},
  "/api/admin": { scopes: ["pctl:admin"] },
};
```

Registering an agent takes two steps: a human sponsor starts enrollment, then the agent activates with the enrollment token the sponsor receives by e-mail.

```bash
# Human sponsor initiates registration
curl -X POST https://id.strongdm.ai/register/agent \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@company.com",
    "agent_name": "my-agent",
    "requested_scopes": ["share:create", "share:list"]
  }'

# Human clicks email link, gets enrollment token
# Agent activates with the token
curl -X POST https://id.strongdm.ai/register/agent/activate \
  -H "Content-Type: application/json" \
  -d '{"enrollment_token": "pt_..."}'
```

Requesting an access token with the client credentials grant:

```bash
curl -X POST https://id.strongdm.ai/token \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -d "grant_type=client_credentials" \
  -d "scope=share:create"
```

See individual example READMEs for setup instructions:
| Scope | Description | Domain Restriction |
|---|---|---|
| share:create | Create share grants | @strongdm.com/ai |
| share:list | List share grants | @strongdm.com/ai |
| share:revoke | Revoke share grants | @strongdm.com/ai |
| share:use | Use granted access | Any |
| pctl:read | Read-only admin access | Any |
| pctl:admin | Full admin access | @strongdm.com/ai |
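To make the scope rules concrete, here is an added example in plain Python; it is not code from this repository or from StrongDM. It enforces the domain restrictions from the table above at registration time, narrows a child agent's scopes to a subset of its parent's (the "automatic scope narrowing" from the capability list), and applies a `require_scope`-style check to token claims like the Flask decorator earlier. It assumes that "@strongdm.com/ai" in the table means strongdm.com or strongdm.ai, and that JWT signature verification against `/jwks` has already happened before the claims reach these functions.

```python
import time
from functools import wraps

# Constructed from the scope table above. Value is the set of sponsor e-mail domains
# that may request the scope, or None for "Any". Assumption: "@strongdm.com/ai"
# means strongdm.com or strongdm.ai.
SCOPE_DOMAIN_RESTRICTIONS = {
    "share:create": {"strongdm.com", "strongdm.ai"},
    "share:list": {"strongdm.com", "strongdm.ai"},
    "share:revoke": {"strongdm.com", "strongdm.ai"},
    "share:use": None,
    "pctl:read": None,
    "pctl:admin": {"strongdm.com", "strongdm.ai"},
}


def parse_scopes(scope_claim):
    """Split the space-delimited `scope` string from the token response into a set."""
    return set(scope_claim.split())


def disallowed_scopes_for_sponsor(email, requested_scopes):
    """Scopes in `requested_scopes` that the sponsor's e-mail domain may not request.
    Unknown scopes are rejected too: the table is the complete allow-list."""
    domain = email.rsplit("@", 1)[-1].lower()
    rejected = []
    for scope in requested_scopes:
        allowed_domains = SCOPE_DOMAIN_RESTRICTIONS.get(scope, set())
        if allowed_domains is not None and domain not in allowed_domains:
            rejected.append(scope)
    return rejected


def narrow_scopes(parent_scopes, requested_scopes):
    """A child agent holds at most its parent's scopes: the grant is the intersection,
    so anything outside the parent's set is dropped rather than escalated."""
    return set(parent_scopes) & set(requested_scopes)


def require_scope(required, now=time.time):
    """Decorator in the spirit of `@auth.require_scope`. The wrapped handler takes the
    token claims as its first argument. Assumption: the JWT signature has already been
    verified against /jwks; this only enforces `exp` and the `scope` claim."""
    required_set = set(required.split())

    def decorator(handler):
        @wraps(handler)
        def wrapper(claims, *args, **kwargs):
            if claims.get("exp", 0) <= now():
                raise PermissionError("token expired")
            missing = required_set - parse_scopes(claims.get("scope", ""))
            if missing:
                raise PermissionError("missing scope(s): " + " ".join(sorted(missing)))
            return handler(claims, *args, **kwargs)
        return wrapper
    return decorator


@require_scope("pctl:admin")
def admin(claims):
    return "Admin only"


if __name__ == "__main__":
    # Constructed sponsor and claims, to show the three checks in order.
    print(disallowed_scopes_for_sponsor("someone@example.com", ["share:create", "share:use"]))
    print(narrow_scopes({"share:create", "share:list"}, {"share:list", "pctl:admin"}))
    print(admin({"scope": "pctl:admin share:list", "exp": time.time() + 3600}))
```

Scope checks are set arithmetic, so the same helpers serve both the registration side (what a sponsor may ask for) and the enforcement side (what a presented token may do); the child-agent case never consults the child's request alone, only its intersection with the parent's grant.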
| Endpoint | Method | Description |
|---|---|---|
| /register/agent | POST | Start agent enrollment |
| /register/agent/activate | POST | Activate with enrollment token |
| /token | POST | Get access token |
| /introspect | POST | Validate token |
| /jwks | GET | JSON Web Key Set |
| /.well-known/openid-configuration | GET | OIDC discovery |
Token response from `/token`:

```json
{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "share:create share:list"
}
```

- Agent Instructions - Getting started guide
- OIDC Discovery - Standard OIDC metadata
- JWKS - Public keys for token verification
- JWT Signature Verification - Tokens signed with RS256/ES256/EdDSA
- DPoP Support - Sender-constrained tokens that can't be stolen/replayed
- Token Introspection - Real-time revocation checking
- Scope Enforcement - Cedar policy-based authorization
- Short-Lived Tokens - 1-hour expiry by default
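The DPoP binding mentioned in the list above is the part of token validation that a plain signature check does not cover, so here is an added example of the resource-server side; it is not part of this repository or of StrongDM's code. It ties an access token's `cnf.jkt` claim to the public key in the DPoP proof header via the RFC 7638 JWK thumbprint, confirms the proof was made for this HTTP method and URL, that it is fresh, that its `ath` hashes this exact access token, and that its `jti` has not been presented before. The key coordinates and token values are constructed placeholders, and the checker assumes both signatures (access token against `/jwks`, proof against its own `jwk`) have already been verified by a JWT library.

```python
import base64
import hashlib
import json
import time

# Members that enter the RFC 7638 thumbprint for each key type; everything else
# in the JWK (kid, alg, use, ...) is deliberately excluded.
REQUIRED_JWK_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    members = REQUIRED_JWK_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def encode_jwt(header, claims):
    """Build a compact JWT with a placeholder signature for the demo inputs below."""
    seg = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return ".".join([seg(header), seg(claims), b64url(b"placeholder-signature")])


def decode_jwt(token):
    """Split a compact JWT into (header, claims). Does NOT check the signature."""
    header_b64, claims_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


class DPoPBindingChecker:
    """Resource-server checks that bind an access token to the client's DPoP key.
    Assumption: the token's signature (against /jwks) and the proof's signature (with the
    `jwk` in its header) were already verified; this covers the RFC 9449 binding rules."""

    def __init__(self, max_skew=300, now=time.time):
        self.max_skew = max_skew
        self.now = now
        self.seen_jti = {}  # jti -> iat, so a captured proof cannot be presented twice

    def check(self, access_token, proof_jwt, method, url):
        """Return None when the proof binds `access_token` to this request, else the reason."""
        _, access_claims = decode_jwt(access_token)
        header, proof = decode_jwt(proof_jwt)
        if header.get("typ") != "dpop+jwt":
            return "proof typ is not dpop+jwt"
        jwk = header.get("jwk")
        if not jwk or "kty" not in jwk:
            return "proof carries no public key"
        if access_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(jwk):
            return "token is bound to a different key"
        if proof.get("htm") != method or proof.get("htu") != url:
            return "proof was made for a different request"
        if abs(self.now() - proof.get("iat", 0)) > self.max_skew:
            return "proof is stale"
        if proof.get("ath") != b64url(hashlib.sha256(access_token.encode("ascii")).digest()):
            return "proof does not hash this access token"
        jti = proof.get("jti")
        if not jti or jti in self.seen_jti:
            return "proof replayed or missing jti"
        self.seen_jti[jti] = proof["iat"]
        return None


# Constructed demo key: the coordinates are placeholders, not a real P-256 point,
# which suffices here because signature checks are assumed to happen elsewhere.
DEMO_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y", "kid": "demo"}


def demo_exchange(now=1_700_000_000):
    """Token bound to DEMO_JWK, a matching proof, the same proof replayed, then a
    proof reused for a different method. Returns the three check results."""
    url = "https://api.example.test/share"  # constructed resource URL
    token = encode_jwt({"alg": "ES256", "typ": "at+jwt"},
                       {"sub": "my-agent", "scope": "share:create", "exp": now + 3600,
                        "cnf": {"jkt": jwk_thumbprint(DEMO_JWK)}})
    proof = encode_jwt({"alg": "ES256", "typ": "dpop+jwt", "jwk": DEMO_JWK},
                       {"jti": "c0ffee", "htm": "POST", "htu": url, "iat": now,
                        "ath": b64url(hashlib.sha256(token.encode("ascii")).digest())})
    checker = DPoPBindingChecker(now=lambda: now)
    first = checker.check(token, proof, "POST", url)
    replay = checker.check(token, proof, "POST", url)
    wrong_method = checker.check(token, proof, "GET", url)
    return first, replay, wrong_method
```

The thumbprint comparison is what makes a stolen bearer string useless on its own: without the private key matching `cnf.jkt`, an attacker cannot mint a fresh proof, and the `jti` cache plus the `iat` window stop a captured proof from being reused. The `kid` on the demo key shows that non-required JWK members do not affect the thumbprint.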