Introduction

Tool Authorization Protocol

Credential isolation and approval gating for AI agents.

Tool Authorization Protocol is an open-source (MIT) proxy that sits between your AI agents and external APIs. Agents never see credential values — they reference credentials by name using the X-TAP-Credential header, and the proxy injects real secrets after policy checks. Policies are fully configurable: auto-approve everything, require human approval for specific operations, or anything in between.

The Problem

AI agents need API access to do useful work — posting to Slack, reading email, calling LLMs. But giving an agent raw API keys means a prompt injection, hallucination, or compromised tool can exfiltrate credentials, make unauthorized calls, or leak secrets in responses.

How TAP Solves It

                                                           ┌──────────┐
┌──────────┐     ┌────────────────────────────────────┐    │ External │
│  Agent   │────>│           TAP Proxy                │───>│   API    │
│          │     │                                    │    │          │
│ uses     │     │  1. Authenticate agent             │    └──────────┘
│ cred by  │     │  2. Resolve team + credentials     │
│ name,    │<────│  3. Check policy                   │
│ never    │     │  4. Approval (if policy requires)  │
│ sees     │     │  5. Inject real credentials        │         ┌────────────┐
│ value    │     │  6. Forward request                │────────>│  Telegram  │
└──────────┘     │  7. Scrub secrets from response    │         │  (optional)│
                 └────────────────────────────────────┘         └────────────┘

  • Credential isolation — agents reference credentials by name (X-TAP-Credential: slack), never see actual secrets
  • Configurable policies — by default, reads (GET) are auto-approved and writes (POST/DELETE) require human approval. You can override this per credential: auto-approve everything, require approval for everything, whitelist specific URL patterns, or define your own method rules
  • Optional human-in-the-loop — when a policy requires approval, the request is routed for human review. Approvers can respond via Telegram (one-tap approve/deny) or via passkey (Face ID, fingerprint, YubiKey) for hardware-backed approval. You can also auto-approve all operations if credential isolation alone is sufficient for your use case
  • Response sanitization — scrubs credential values from API responses (exact match, base64, URL-encoded variants)
  • Multi-tenant teams — credentials, agents, roles, and policies are scoped to teams with full isolation
  • Multi-account — a single agent can access credentials across multiple teams (personal + company) using the X-TAP-Team header
  • Audit trail — every request logged with agent ID, team, credential name (not value), approval status, and latency
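A minimal model of the request flow and policy behaviour listed above, written for this page as an added example (it is not TAP's code). Only the X-TAP-Credential and X-TAP-Team header names and the default GET-auto / write-approval rule come from the documentation; the Policy shape, the VAULT store, the function names and the leaky_upstream stub are this example's own assumptions.

```python
import base64
import re
import urllib.parse
from dataclasses import dataclass, field

# Constructed credential store: (team, credential name) -> secret value.
# Agents only ever name the credential; the proxy resolves the value.
VAULT = {("acme", "slack"): "sk-live/abc+123"}

@dataclass
class Policy:
    """Per-credential rule (assumed shape): methods approved automatically,
    plus full-match URL regexes approved regardless of method."""
    auto_methods: set = field(default_factory=lambda: {"GET"})  # TAP default: reads only
    allow_patterns: list = field(default_factory=list)

def decide(policy: Policy, method: str, url: str) -> str:
    """Return 'allow' or 'needs_approval' for one outbound request."""
    if method.upper() in policy.auto_methods:
        return "allow"
    if any(re.fullmatch(p, url) for p in policy.allow_patterns):
        return "allow"
    return "needs_approval"

def scrub(body: str, secret: str) -> str:
    """Redact the secret in exact, base64 and URL-encoded forms, longest first."""
    variants = {secret,
                base64.b64encode(secret.encode()).decode(),
                urllib.parse.quote(secret, safe="")}
    for v in sorted(variants, key=len, reverse=True):
        body = body.replace(v, "[REDACTED]")
    return body

def proxy(headers: dict, method: str, url: str, policies: dict, upstream):
    """One request through the proxy: resolve -> check policy -> inject -> scrub."""
    team = headers.get("X-TAP-Team", "acme")          # multi-account selector (assumed default)
    name = headers["X-TAP-Credential"]                # credential name, never its value
    secret = VAULT[(team, name)]
    if decide(policies[name], method, url) != "allow":
        return 202, "pending human approval"          # would be routed to Telegram/passkey
    body = upstream({"Authorization": f"Bearer {secret}"}, method, url)
    return 200, scrub(body, secret)                   # agent never sees the secret

def leaky_upstream(headers: dict, method: str, url: str) -> str:
    """Constructed stand-in for an external API that echoes its auth token back
    in three encodings, which is exactly the case response sanitization covers."""
    tok = headers["Authorization"].split(" ", 1)[1]
    return '{"echo":"%s","b64":"%s","enc":"%s"}' % (
        tok, base64.b64encode(tok.encode()).decode(), urllib.parse.quote(tok, safe=""))
```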

Two Ways to Run

Managed hosting at toolsec.org — runs in Evervault hardware enclaves where encryption keys are generated and stored in hardware, never exported. This is the recommended option for most users. Key management is the hardest part of credential security, and the enclave model eliminates it entirely. The admin dashboard at auth.toolsec.org provides a visual interface for managing credentials, agents, roles, and policies.

Self-hosted — clone the repo, run with Docker Compose, manage your own keys and infrastructure. MIT licensed, always free. Best for local development, air-gapped environments, and organizations with on-premises requirements.

Both use the same proxy, the same API, and the same agent interface. See Managed vs Self-Hosted for a detailed comparison.

Architecture

Tool Authorization Protocol is a Rust workspace with 5 crates:

Crate             Purpose
agentsec-core     Shared types, SQLite ConfigStore with RBAC, AES-256-GCM credential encryption
agentsec-proxy    HTTP proxy service (axum) with admin API
agentsec-bot      Telegram approval bot, implements ApprovalChannel trait
agentsec-cli      CLI tool: init, add, status, logs, test, agent, role, migrate
agentsec-signer   OAuth 1.0a signing sidecar for Twitter/X

All configuration lives in SQLite — credentials, agents, roles, policies, teams, and admin accounts. Credential values are encrypted at rest with AES-256-GCM. There is no YAML config file.

Next Steps

  • Quickstart — get running in 5 minutes (managed or self-hosted)
  • How It Works — understand the architecture and request flow
  • Configuration — manage credentials, agents, and policies via the admin dashboard or API