Authorization for AI agents.
Beyond credentials.
Your existing identity stack answers "is this permitted?" When an AI agent gets prompt-injected, every layer says yes — because the credentials are valid. IntentGate adds the missing layer: capability tokens, policy, audit, and a human in the loop for the decisions that matter.
Runs in your environment
Agent traffic, audit data, policy decisions — all inside your cluster. No NetGnarus-operated control plane between your agents and your tools.
Apache 2.0 gateway forever
The authorization control point is Apache 2.0. The Pro tier adds the enterprise operator console — SSO, SCIM, audit verify, JIT elevation. We commit to never moving control features behind a paywall.
Cryptographic audit chain
Every authorization decision is hashed into a per-tenant SHA-256 chain. One-click verification proves the log wasn't tampered with. Export as CSV or NDJSON for your auditor.
The four-control bypass
A prompt-injected agent attempts to read your customer database and email it externally. Every layer of your existing stack evaluates the call and approves it — because the credentials are valid.
| Control | Question it answers | Verdict |
|---|---|---|
| Identity (OIDC) | Is the user real? | PASS — alice exists |
| IGA | Is the user entitled to financial data? | PASS — entitled |
| PAM | Is the JIT credential valid for this tool? | PASS — credential ok |
| ABAC / PBAC | Does policy permit this action on this resource? | PASS — in policy |
| IntentGate | Did the user actually request this specific action? | BLOCK — never asked |
Four controls answer "is this permitted?" — all say yes. Only IntentGate asks "did the user ask?" That's the missing layer.
Six capabilities, all shipping today
Every feature below is in production code as of v0.5 — not on a roadmap, not behind a flag. Buyers can deploy and run them this week.
Four-check pipeline
Capability tokens, intent classification, Rego policy, budget ceilings. The agent's authorization runs every call through all four. Apache 2.0.
Tamper-evident audit
Per-tenant SHA-256 hash chain. Operator dashboard verifies in one click. Stream CSV / NDJSON export to your auditor. (Pro dashboard)
JIT admin elevation
No standing admin. Request elevation with a reason, get TOTP-gated approval from a different admin, role auto-expires. (Pro)
OIDC SSO + SCIM
Operators sign in via Okta, Entra, Auth0, Keycloak, Google. SCIM push handles off-boarding automatically. (Pro)
TOTP step-up
Destructive operations — policy rollback, clear active, high-risk approvals — gate behind a fresh TOTP code. (Pro)
Per-tenant notifications
Slack Block Kit, Teams Adaptive Card, PagerDuty Events v2 — fan out HMAC-signed gateway webhooks per tenant. (Pro)
Built to clear procurement
SOC 2, ISO 27001, GDPR Article 30, AI Act Article 12 — every audit framework asks the same question. "Show me the log, prove it wasn't tampered with." IntentGate hands the auditor a verified chain and a CSV. That conversation now takes minutes, not weeks.
For your security team
- Standing admin replaced by JIT elevation
  SOC 2 CC6.3 evidence — "prove no operator held admin without approval" — answers in one query.
- Step-up on every destructive operation
  Policy rollback, clear active, approve high-risk all require a fresh TOTP factor. Captured session cookies aren't enough.
- Cryptographic audit chain
  SHA-256 hash chain over canonical event JSON. Tamper detected in one click via the operator dashboard.
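As an added illustration (not IntentGate's own code or record format), here is a minimal per-tenant SHA-256 hash chain over canonical event JSON, with a verifier that reports the first record that fails to link. The canonicalization rule, the genesis value, and the event field names are assumptions.

```python
import hashlib
import json

def canonical(event: dict) -> bytes:
    # Assumed canonical form: sorted keys, no extra whitespace, UTF-8.
    return json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def genesis(tenant: str) -> str:
    # Assumed per-tenant anchor: records cannot be spliced across tenants.
    return hashlib.sha256(b"genesis:" + tenant.encode("utf-8")).hexdigest()

def link(prev_hash: str, event: dict) -> str:
    # Each hash commits to the previous hash and the canonical event bytes.
    return hashlib.sha256(prev_hash.encode("ascii") + canonical(event)).hexdigest()

def append(chain: list, tenant: str, event: dict) -> None:
    prev = chain[-1]["hash"] if chain else genesis(tenant)
    chain.append({"event": event, "prev": prev, "hash": link(prev, event)})

def verify(chain: list, tenant: str, expected_head=None):
    """Return None if intact, else the index of the first failing record.

    len(chain) is returned when every record links but the final hash differs
    from expected_head, i.e. records were dropped from the end.
    """
    prev = genesis(tenant)
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != link(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None

# Constructed sample decisions (field names are illustrative).
SAMPLE_EVENTS = [
    {"seq": 1, "agent": "agent-7", "tool": "crm.read", "decision": "allow"},
    {"seq": 2, "agent": "agent-7", "tool": "email.send", "decision": "block"},
    {"seq": 3, "agent": "agent-7", "tool": "crm.read", "decision": "allow"},
]

def build_sample(tenant: str = "tenant-a") -> list:
    chain: list = []
    for event in SAMPLE_EVENTS:
        append(chain, tenant, event)
    return chain
```

A chain by itself cannot reveal records dropped from the end, so the verifier also accepts a head hash that is stored outside the log being checked.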
For your platform team
- Two containers, one database
  Gateway, console. Postgres. Helm chart deploys both in one helm install. No SaaS dependencies.
- OIDC, SCIM, OCSF, SIEM — vendor-agnostic
  Wire Okta or Entra. Push SCIM. Stream audit to Splunk, Datadog, Sentinel side-by-side. Existing stack stays as is.
- Open source you can fork
  Apache 2.0 components remain Apache 2.0 in perpetuity. You're never locked into our cloud — there isn't one.
Ready to evaluate?
A standard pilot is 4 weeks against your real OIDC IdP, your real Slack workspace, and your real audit volume — no synthetic demos.