Getting Started
Authensor is the open-source safety stack for AI agents. It checks every action an agent wants to take, evaluates it against a policy, scans content for threats, and creates a tamper-evident audit trail. It works with any agent framework.
Install
Add the SDK to your project:
npm install @authensor/sdk
Or scaffold a full project with templates:
npx create-authensor
Quick start
Five lines to evaluate an agent action against a policy:
import { Authensor } from '@authensor/sdk';
const authensor = new Authensor({ apiKey: process.env.AUTHENSOR_API_KEY });
const decision = await authensor.evaluate({
action: 'file.delete',
resource: '/etc/passwd',
parameters: { recursive: true },
principal: { id: 'agent-1', type: 'agent' },
});
if (decision.decision === 'deny') {
console.log('Blocked:', decision.reason);
}Policy Engine
Policies are YAML files that define what an agent is allowed to do. The engine evaluates actions against rules synchronously with zero side effects. No I/O, no async, no dependencies.
Policy format
name: production-policy
version: "1.0"
defaultDecision: deny
rules:
- id: allow-read
action: "file.read"
decision: allow
conditions:
resource:
pattern: "/data/**"
- id: block-delete
action: "file.delete"
decision: deny
reason: "File deletion is not permitted"
- id: escalate-payments
action: "payment.*"
decision: escalate
reason: "Payment actions require human approval"
approvers:
- role: admin
count: 1Rules
Each rule has:
- action - A glob pattern matching action names (
file.*,db.query,**) - decision - One of
allow,deny, orescalate - conditions - Optional filters on resource, parameters, principal, or time
- reason - Human-readable explanation included in the receipt
Default deny
If no rule matches an action, the engine returns deny. This is fail-closed by design. You must explicitly allow actions. There is no implicit pass-through.
Aegis Scanner
Aegis is a content safety scanner that runs with zero npm dependencies. It detects prompt injection, memory poisoning, PII, credential leaks, data exfiltration, and unsafe code patterns using regex rules. Sub-millisecond latency.
What it detects
Instruction override, role manipulation, delimiter injection, encoding attacks, few-shot poisoning, payload splitting
Sleeper triggers, fake system tags, persona hijacking, RAG poisoning, cross-session persistence
SSN, email, phone (US/EU/intl), credit cards, passports, IBAN, Aadhaar, medical records
AWS keys, OpenAI keys, GitHub tokens, Stripe keys, JWTs, private keys, database URIs
curl piping, DNS tunneling, SSRF, webhook callbacks, steganographic exfil, email exfil
rm -rf, reverse shells, eval(), privilege escalation, deserialization, prototype pollution
Usage
import { scan } from '@authensor/aegis';
const result = scan(agentOutput);
if (result.threatLevel === 'critical') {
return { error: 'Content blocked by safety policy' };
}
// result.findings contains matched rules with:
// - id, type, confidence, description, matched text
console.log(result.findings);Sentinel Monitor
Sentinel is a real-time behavioral monitoring engine. It uses EWMA (Exponentially Weighted Moving Average) and CUSUM (Cumulative Sum) algorithms to detect anomalies in agent behavior over time. Zero dependencies.
8 behavioral dimensions
Usage
import { SentinelMonitor } from '@authensor/sentinel';
const monitor = new SentinelMonitor();
// Feed actions into the monitor
monitor.observe({
action: 'db.query',
principal: 'agent-1',
timestamp: Date.now(),
metadata: { rowCount: 1500 },
});
// Check for anomalies
const status = monitor.getStatus('agent-1');
if (status.anomalyScore > 0.8) {
console.log('Behavioral anomaly detected:', status.alerts);
}Shield Proxy
Shield is a local proxy that sits between your AI desktop apps and the internet. One command protects every AI app on your machine. No code changes required.
npx @authensor/shield
How it works
- Shield starts a local proxy and opens a dashboard at
localhost:8901 - It auto-detects AI apps on your machine (Claude Desktop, Cursor, VS Code, ChatGPT)
- Click protect next to each app. Shield writes the proxy config.
- Every AI request and response is scanned by Aegis in real time
- Threats are blocked. Clean traffic passes through transparently.
See the full Shield page for supported apps and features.
MCP Gateway
The MCP Gateway is a transparent proxy between an MCP client (like Claude Desktop) and any MCP server. It evaluates every tool call against your policy before forwarding it. 32% of MCP servers have critical vulnerabilities. The gateway fixes that.
Configuration
Add Authensor as a gateway in your claude_desktop_config.json:
{
"mcpServers": {
"authensor-gateway": {
"command": "npx",
"args": ["@authensor/mcp-server"],
"env": {
"AUTHENSOR_API_KEY": "your-api-key",
"AUTHENSOR_POLICY": "./policy.yaml",
"UPSTREAM_MCP": "npx @modelcontextprotocol/server-filesystem /tmp"
}
}
}
}The gateway implements the MCP SEP authorization protocol with authorization/propose, authorization/decide, and authorization/receipt message types.
Connectors
Authensor has adapters for major agent frameworks. Each connector wraps the framework's tool-calling layer so every action is evaluated against your policy.
Anthropic / Claude
import { Authensor } from '@authensor/sdk';
import { withAuthensor } from '@authensor/anthropic';
const client = withAuthensor(new Anthropic(), {
policy: './policy.yaml',
});OpenAI Agents SDK
import { withAuthensor } from '@authensor/openai';
const agent = withAuthensor(myAgent, {
policy: './policy.yaml',
});LangChain / LangGraph
import { AuthensorCallbackHandler } from '@authensor/langchain';
const handler = new AuthensorCallbackHandler({
policy: './policy.yaml',
});
// Pass as a callback to any LangChain agentAPI Reference
The control plane exposes a REST API. All endpoints require an API key via the Authorization: Bearer <key> header. Responses are JSON.
Evaluate an action against the active policy. Returns a decision and a receipt.
{
"action": "file.delete",
"resource": "/etc/passwd",
"parameters": { "recursive": true },
"principal": { "id": "agent-1", "type": "agent" }
}{
"decision": "deny",
"reason": "File deletion is not permitted",
"matchedRule": "block-delete",
"receipt": {
"id": "rcpt_abc123",
"hash": "sha256:e3b0c44...",
"previousHash": "sha256:d4f2a1..."
}
}List all policies. Returns an array of policy metadata.
[
{
"id": "pol_abc123",
"name": "production-policy",
"version": "1.0",
"ruleCount": 12,
"createdAt": "2026-01-15T10:00:00Z"
}
]Create or update a policy. Accepts YAML or JSON in the request body.
{
"name": "production-policy",
"version": "1.0",
"defaultDecision": "deny",
"rules": [
{
"id": "allow-read",
"action": "file.read",
"decision": "allow"
}
]
}{
"id": "pol_def456",
"name": "production-policy",
"version": "1.0",
"ruleCount": 1,
"createdAt": "2026-03-18T12:00:00Z"
}List audit receipts. Supports pagination with ?limit and ?offset query parameters.
{
"receipts": [
{
"id": "rcpt_abc123",
"action": "file.delete",
"decision": "deny",
"principal": "agent-1",
"hash": "sha256:e3b0c44...",
"previousHash": "sha256:d4f2a1...",
"timestamp": "2026-03-18T12:01:00Z"
}
],
"total": 1847,
"limit": 50,
"offset": 0
}Public stats endpoint. No authentication required. Returns aggregate counters.
{
"evaluations": 284719,
"denials": 12847,
"escalations": 3291,
"scans": 198432,
"threats": 847
}Self-Hosting
Authensor is fully self-hostable. The control plane needs PostgreSQL. Everything else runs standalone.
Docker Compose
git clone https://github.com/AUTHENSOR/AUTHENSOR.git cd AUTHENSOR cp .env.example .env # Edit with your database URL docker compose up -d
Environment variables
| Variable | Required | Description |
|---|---|---|
| DATABASE_URL | Yes | PostgreSQL connection string |
| AUTHENSOR_API_KEY | Yes | Admin API key for the control plane |
| AUTHENSOR_AEGIS_ENABLED | No | Enable Aegis content scanning (default: true) |
| AUTHENSOR_SENTINEL_ENABLED | No | Enable Sentinel behavioral monitoring (default: true) |
| PORT | No | HTTP port (default: 3000) |
Requirements
- PostgreSQL 14+ (for receipts, policies, API keys)
- Node.js 20+ or Docker
- The engine, Aegis, and Sentinel have zero runtime dependencies