Documentation
Runtime action authorization for AI agents.
BehalfID verifies every agent action against a permission passport before it runs. Define boundaries, fail closed on denial, require approval before high-risk actions, and audit every decision.
QuickstartCreate an agent, add a permission, install the SDK, verify before execution, and test allowed and denied requests.CLIInstall the behalf CLI, wire up the MCP server, and launch Claude Code or Codex with BehalfID enforcement active.Deploy approvalsFull demo: coding agent attempts production deploy → BehalfID blocks → you approve in the dashboard → agent retries → deploy runs.SDKInstall the JavaScript SDK from npm and call behalf.verify() before tool execution from Node 18+.APIUse public REST endpoints for agents, permissions, verification, logs, and key rotation.WebhooksReceive signed events for allowed, denied, and approval-required decisions via an outbox-backed delivery system.ConceptsUnderstand permission passports, fail-closed enforcement, approval-required flows, audit logs, and MCP enforcement.SecurityHow BehalfID handles secrets, tokens, fail-closed enforcement, audit logs, and current limitations.Site GuardDesign website middleware, workers, or gateways that enforce AI access rules before protected routes run.Action GatewayRoute safe public web reads through BehalfID so denied actions fail before execution.