zlacker

I'm working on something similar called agent-creds [0]. I'm using Envoy as the transparent (MITM) proxy and macaroons for credentials.

The idea is that you can arbitrarily scope down credentials with macaroons, both in terms of scope (only certain endpoints) and time. This really limits the damage that an agent can do, but also means that if your credentials are leaked they are already expired within a few minutes. With macaroons you can design the authz scheme that *you* want for any arbitrary API.

I'm also working on a fuse filesystem to mount inside of the container that mints the tokens client-side with short expiry times.

https://github.com/dtkav/agent-creds

>>dtkav+(OP)
made with ai?

>>badeey+8j1
Yeah, it says so at the top of the README (though I suppose I could have put that in the comment too). I'm not building a product, just sharing a pattern for internal tooling.

Someone on another thread asked me to share it so I had claude rework it to use docker-compose and remove the references to how I run it in my internal network.

>>dtkav+(OP)
> With macaroons you can design the authz scheme that you want for any arbitrary API.

How would you build such an authz scheme? When claude asks permissions to access a new endpoint, if the user allows it, then reissue the macaroons?

>>ashwin+uu6
There are two parts here:

1. You can issue your own tokens which means you can design your own authz in front of the upstream API token.

2. Macaroons can be attenuated locally.

So at the time that you decide you want to proxy an upstream API, you can add restrictions like endpoint path to your scheme.

Then, once you have that authz scheme in place, the developer (or agent) can attenuate permissions within that authz scheme for a particular issued macaroon.

I could grant my dev machine the ability to access e.g. /api/customers and /api/products. If i want to have claude write a script to add some metadata to my products, I might attenuate my token to /api/products only and put that in the env file for the script.

Now claude can do development on the endpoint, the token is useless if leaked, and Claude can't read my customer info.

Stripe actually does offer granular authz and short lived tokens, but the friction of minting them means that people don't scope tokens down as much.

>>dtkav+vH6
I understand that, but how do you come up with the endpoints you want claude to have access to ahead of time?

For example, how do you collect all the endpoints that have access to customer info per your example.

Thought about it and couldn't find a way how

>>ashwin+UNd
I'm not sure I'm fully understanding you, but in my experience I have a few upstream APIs I want to use for internal tools (stripe, gmail, google cloud, anthropic, discord, my own pocketbase instance, redis) but there are a lot of different scripts/skills that need differing levels of credentials.

For example, If I want to write a skill that can pull subscription cancellations from today, research the cancellation reason, and then push a draft email to gmail, then ideally I'd have...

- a 5 minute read-only token for /subscriptions and /customers for stripe

- a 5 minute read-write token to push to gmail drafts

- a 5 minute read-only token to customer events in the last 24h

Claude understands these APIs well (or can research the docs) so it isn't a big lift to rebuild authz, and worst case you can do it by path prefix and method (GET, POST, etc) which works well for a lot of public APIs.

I feel like exposing the API capability is the easy part, and being able to get tight-fitting principle-of-least-privilege tokens is the hard part.