Permissions & Access Control
Tag-based access policies and admin approval workflows for agent-to-agent communication
Permissions & Access Control
Control which agents can call which functions using tag-based access policies and admin approval workflows
When agents call other agents autonomously, you need to control who can call what. An internal analytics agent shouldn't be able to invoke a payment processing agent. A third-party plugin shouldn't access your customer data agent.
Agentfield's permissions system uses tag-based access policies with DID-authenticated requests to enforce fine-grained access control between agents. Admins define policies, agents authenticate with cryptographic signatures, and the control plane enforces rules at execution time.
Two-Step Authorization Model
Agentfield's authorization works in two steps:
Tag Approval
Agents propose tags at registration (e.g., ["finance", "read-only"]). An admin reviews and approves which tags the agent actually gets. Tags define an agent's identity for policy evaluation.
Policy Evaluation
Access policies are ALLOW/DENY rules that match caller tags against target tags. When Agent A calls Agent B, the control plane checks if A's tags satisfy a policy that permits the call.
How It Works
1. Agent Registration with Tags
Agents declare their proposed tags when registering with the control plane:
from agentfield import Agent
app = Agent(
node_id="payment-processor",
tags=["finance", "pci-compliant", "internal"],
description="Handles payment processing"
)const agent = new Agent({
nodeId: 'payment-processor',
tags: ['finance', 'pci-compliant', 'internal'],
description: 'Handles payment processing'
});agentNode, _ := agent.New(agent.Config{
NodeID: "payment-processor",
Tags: []string{"finance", "pci-compliant", "internal"},
})When tag approval mode is admin, the agent enters a pending_approval state until an admin approves the tags.
2. Admin Defines Access Policies
Policies are ALLOW or DENY rules that match tags:
# agentfield.yaml
authorization:
enabled: true
tag_approval_mode: admin # "auto" or "admin"
access_policies:
- effect: ALLOW
caller_tags: ["internal"]
target_tags: ["finance"]
description: "Internal agents can access finance services"
- effect: DENY
caller_tags: ["third-party"]
target_tags: ["pci-compliant"]
description: "Third-party agents cannot access PCI systems"
- effect: ALLOW
caller_tags: ["analytics"]
target_tags: ["data"]
actions: ["*.read_*", "*.get_*"]
description: "Analytics agents can only read data"Policies are evaluated in priority order. The first matching policy wins. If no policy matches, the request is allowed by default (zero-disruption mode).
3. DID-Authenticated Requests
When Agent A calls Agent B, the SDK automatically signs the request using the agent's DID (Decentralized Identifier) keypair:
POST /api/v1/execute/payment-processor.charge
X-Caller-DID: did:web:example.com:agents:analytics-agent
X-DID-Signature: <Ed25519 signature>
X-DID-Timestamp: 1709000000
X-DID-Nonce: abc123The signature covers {timestamp}:{nonce}:{SHA256(body)}, providing cryptographic proof of the caller's identity.
4. Control Plane Enforces Policies
When the request arrives at the control plane:
- DID Auth Middleware verifies the Ed25519 signature against the caller's DID document public key
- Permission Middleware resolves the caller's tags, evaluates access policies, and checks for an existing
PermissionApproval - If denied, the system auto-creates a
PermissionRequestfor admin review
Admin UI
The Authorization page in the Agentfield UI provides:
- Access Rules Tab — View, create, and delete ALLOW/DENY policies with color-coded indicators
- Agent Tags Tab — See all agents with their proposed and approved tags, approve or reject tag requests
- Approval Dialogs — Approve tags with a preview of which policies will apply
- Revocation — Revoke previously approved permissions at any time
Agent-to-Agent Direct Verification
For latency-sensitive workloads, agents can verify requests locally without round-tripping to the control plane. Each SDK includes a LocalVerifier that caches:
- Access policies
- Revocation lists
- Registered DIDs
- Admin public key
from agentfield import Agent
app = Agent(
node_id="payment-processor",
tags=["finance"],
# Local verification is enabled automatically
# when authorization is configured
)
# The agent's middleware verifies incoming DID signatures
# and evaluates policies locally using cached dataagentNode, _ := agent.New(agent.Config{
NodeID: "payment-processor",
Tags: []string{"finance"},
// LocalVerifier caches policies, revocation lists,
// and registered DIDs from the control plane
})The LocalVerifier periodically refreshes its cache from the control plane, so policy changes propagate automatically.
Configuration
Environment Variables
| Variable | Type | Default | Description |
|---|---|---|---|
AGENTFIELD_AUTHORIZATION_ENABLED | boolean | false | Enable VC-based authorization |
AGENTFIELD_AUTHORIZATION_MASTER_SEED | string | — | Master seed for DID key derivation (required when enabled) |
AGENTFIELD_AUTHORIZATION_TAG_APPROVAL_MODE | string | auto | Tag approval mode: auto (approve immediately) or admin (require admin approval) |
YAML Configuration
authorization:
enabled: true
master_seed: "your-secure-seed-here"
tag_approval_mode: admin
access_policies:
- effect: ALLOW
caller_tags: ["internal"]
target_tags: ["*"]
description: "Internal agents have full access"Master Seed Security
The master_seed is used to derive Ed25519 keypairs for all agent DIDs. Keep it secret and consistent across restarts. Changing it invalidates all existing DID signatures.
Permission Request Flow
When an agent is denied access:
- The control plane automatically creates a
PermissionRequest - The request appears in the admin UI under pending permissions
- Admin approves or rejects with optional context
- Approved agents can retry the call immediately
- Admins can revoke approvals at any time, and the system handles re-requests
Backward Compatibility
When authorization is first enabled with no policies defined, all requests are allowed by default. This lets you adopt authorization incrementally — start by defining a few policies for sensitive agents and expand over time.
API Reference
Permission Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/permissions/check | Check if caller has permission |
| POST | /api/v1/permissions/request | Create permission request |
| GET | /api/v1/admin/permissions/pending | List pending requests |
| POST | /api/v1/admin/permissions/:id/approve | Approve request |
| POST | /api/v1/admin/permissions/:id/reject | Reject request |
| POST | /api/v1/admin/permissions/:id/revoke | Revoke approval |
Tag Management Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/admin/tags/agents | List agents with tag data |
| GET | /api/v1/admin/tags/known | List all known tags |
| POST | /api/v1/admin/tags/:agentId/approve | Approve agent tags |
Access Policy Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/admin/access-policies | List access policies |
| POST | /api/v1/admin/access-policies | Create access policy |
| DELETE | /api/v1/admin/access-policies/:id | Delete access policy |
Next Steps
- Human-in-the-Loop — Pause agents for human approval on high-stakes decisions
- Identity & DIDs — How DID identities are generated and managed
- Verifiable Credentials — Cryptographic proof of agent actions
- Authentication — API key authentication for the control plane