The open-source identity platform built for AI agents.
One ~29 MB binary. OAuth 2.1, OIDC, RFC 8693 Token Exchange, and DPoP. Zero config.
When an AI agent delegates to a sub-agent, the trust chain breaks. Bearer tokens leak. Revocation becomes a mess. Auditors ask "which agent did what?" and you have no answer.
SharkAuth fixes this. It treats agents as first-class identities with native delegation, cryptographically bound tokens, and a unified audit trail that tracks every hop from user to resource.
```sh
curl -fsSL sharkauth.com/get | sh
# Or with Go 1.22+
go install github.com/shark-auth/shark/cmd/shark@latest
```

```sh
# Boot. SQLite-embedded, zero config.
shark serve
# => admin UI : http://localhost:8080/admin
# => issuer : http://localhost:8080
```

Real delegated authority using RFC 8693 Token Exchange. SharkAuth issues may_act_grants that are revocable, time-limited, and hop-constrained. No more prompt-level "trust me" delegation.
Audit every hop: User → Researcher → Tool Agent.
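The hop-by-hop audit above rests on the nested `act` claim defined in RFC 8693. The following is an added example, not SharkAuth's own code: it assumes a token payload whose signature has already been verified, and `DelegationChain`, `maxHops` and the subject names are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Actor mirrors RFC 8693 "act": outermost = current actor, nested = earlier actors.
type Actor struct {
	Sub string `json:"sub"`
	Act *Actor `json:"act"`
}

// DelegationChain returns subjects in delegation order (user first, current actor
// last) for an already-verified payload; it rejects chains deeper than maxHops.
func DelegationChain(payload []byte, maxHops int) ([]string, error) {
	var tok Actor // the top level has the same shape: sub plus optional act
	if err := json.Unmarshal(payload, &tok); err != nil {
		return nil, err
	}
	if tok.Sub == "" {
		return nil, errors.New("token has no sub")
	}
	var actors []string // newest first, as nested in the token
	for a := tok.Act; a != nil; a = a.Act {
		if a.Sub == "" {
			return nil, errors.New("act entry without sub")
		}
		if len(actors) == maxHops {
			return nil, fmt.Errorf("delegation deeper than %d hops", maxHops)
		}
		actors = append(actors, a.Sub)
	}
	chain := []string{tok.Sub}
	for i := len(actors) - 1; i >= 0; i-- {
		chain = append(chain, actors[i])
	}
	return chain, nil
}

// Constructed sample payload for User -> Researcher -> Tool Agent.
const samplePayload = `{"sub":"user:alice","act":{"sub":"agent:tool","act":{"sub":"agent:researcher"}}}`

func main() {
	chain, err := DelegationChain([]byte(samplePayload), 2)
	fmt.Println(strings.Join(chain, " -> "), err)
}
```

RFC 8693 treats nested prior actors as informational: access-control decisions consider only the top-level claims and the current actor, so the reconstructed chain is for audit and depth limits.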
Bearer tokens are a liability. SharkAuth ships Demonstrating Proof-of-Possession (DPoP, RFC 9449) by default. Every token is cryptographically bound to the agent's private key. Stolen via prompt injection or log leak? Useless without the key.
One grant_id correlates every token, every hop, and every resource touched. Reconstruct the full lifecycle of an agent's authority instantly. No more "the agent did it" dead ends.
SharkAuth is a single static Go binary with embedded SQLite WAL. No Postgres, no Redis, no Docker, no Helm charts. It cold-starts in 38 ms and runs on a Raspberry Pi as easily as it runs in Kubernetes.
100% open source. No telemetry, no vendor lock-in, no "free until we change our mind." Your data never leaves your infrastructure. Your auth stack is yours forever.
| Category | Highlights |
|---|---|
| Agent Auth | RFC 8693 Token Exchange, RFC 9449 DPoP, may_act_grants, cascade revocation, full act chains (depth ≥ 7 observed) |
| Human Auth | Passkeys (FIDO2), Magic Links, MFA (TOTP), Enterprise SSO (SAML 2.0, OIDC), Argon2id passwords |
| Platform | Zero-Code Auth Proxy, Multi-tenant Orgs, Wildcard RBAC, HMAC-signed Webhooks, grant_id-indexed Audit Logs |
| Admin UI | React dashboard embedded in the binary. One-click revocation for every session, token, and grant |
```sh
docker run -p 8080:8080 -v shark-data:/data ghcr.io/shark-auth/shark
```

```sh
shark serve --dev
```

Magic links print to stdout. In-memory database. Perfect for rapid prototyping.
```ts
import { SharkClient } from "@sharkauth/sdk";
const shark = new SharkClient({ baseUrl: "http://localhost:8080" });
// Sign in with DPoP protection
const session = await shark.signIn({ email: "alice@co.io", password: "..." });
```

```python
from sharkauth import SharkClient
shark = SharkClient(base_url="http://localhost:8080")
session = shark.sign_in(email="alice@co.io", password="...")
```

- Visual Flow Builder — Drag-and-drop auth flows (MFA → SSO → Org Select)
- Shark Cloud — Managed infrastructure, free to enterprise. Join the waitlist
- Postgres Mode — Optional external DB for planet-scale deployments
- Shark Email — Built-in delivery for magic links and MFA codes
- Discord: discord.gg/sharkauth — ask questions, share deployments
- Twitter: @raulgooo — updates and agent identity threads
- Docs: sharkauth.com/docs
- Issues & PRs: github.com/shark-auth/shark/issues
Built by Raúl in Monterrey, Mexico. MIT licensed.
If your product ships agents, the auth stack starts here.
