Feature: Per-tool authorization middleware for agent tool calls

[stevenkozeniesky02]

Problem

VoltAgent provides guardrails and tool management, but there's no built-in mechanism for per-tool authorization based on agent identity.

When building multi-agent systems with VoltAgent, different agents in the workflow need different tool access levels. An orchestrator agent might need broad access, while a sub-agent it delegates to should only have read permissions.

Use Case

const agent = new Agent({
  name: 'research-bot',
  tools: [searchDocs, saveNote, deleteNote, deployProd],
});

This agent can call all four tools. In production, you want:

• research-bot can call searchDocs only
• content-bot can call searchDocs + saveNote
• admin-bot can call everything
• Every tool call logged with who called what and whether it was allowed

Proposal

A tool authorization hook in the agent or tool configuration:

const agent = new Agent({
  name: 'research-bot',
  tools: [searchDocs, saveNote, deleteNote],
  toolGuard: async (toolName, context) => {
    // Check against permission rules
    const allowed = context.permissions?.some(
      pattern => matchGlob(pattern, toolName)
    );
    if (!allowed) {
      return { denied: true, reason: `${toolName} not in allowed tools` };
    }
    return { denied: false };
  },
});

This would integrate with VoltAgent's existing guardrails system and enable:

• Per-agent tool restrictions
• Integration with external permission engines (like AgentsID for deny-first agent permissions)
• Audit trail of tool call authorization decisions
• Delegation with automatic scope narrowing

Since VoltAgent already has MCP support, this becomes especially relevant — MCP servers expose many tools, and agents connecting to them need per-tool authorization.

Would this fit within VoltAgent's guardrails architecture, or is there an existing pattern I should use?

[0xbrainkid]

This is a really important feature request — especially with MCP tool proliferation. Just at RSAC 2026, Unit 42 + Adversa.ai found that 38% of 500+ public MCP servers have no authentication at all, and there were 30 CVEs filed against MCP implementations in just 60 days.

Per-tool authorization within a single agent framework is step one. But the harder problem comes when agents from different organizations call each other's tools — different auth systems, different identity claims, no shared trust.

We've been working on this at AgentFolio with SATP (Solana Agent Trust Protocol) — on-chain verifiable identity and behavioral reputation that agents can carry across platforms. The idea is that your toolGuard could check not just local permissions, but also query an external trust score for the calling agent before authorizing tool access.

Something like:

toolGuard: async (toolName, context) => {
  const callerTrust = await verifyAgentIdentity(context.callerDID);
  if (callerTrust.score < MINIMUM_TRUST && toolName === 'deployProd') {
    return { denied: true, reason: 'Insufficient cross-org trust score' };
  }
  return { denied: false };
}

Would VoltAgent be open to supporting pluggable external trust providers alongside local permission rules? Happy to share what we've learned building cross-org identity verification.

[0xbrainkid]

Strong proposal. Per-tool authorization is the right abstraction — and the middleware pattern means it composes cleanly with VoltAgent's existing guardrails.

One extension worth considering: external trust signals as authorization inputs. The current proposal scopes authorization to static role definitions (agent.identity.role). This works within a single VoltAgent deployment, but breaks down when agents cross organizational boundaries — a delegated sub-agent from an external system has no role in your local RBAC.

A pluggable TrustProvider interface would let the authorization middleware query external trust data alongside local roles:

const authMiddleware = createToolAuth({
  providers: [
    localRBAC({ roles: agentRoles }),
    externalTrust({
      // Query cross-org behavioral trust score
      provider: 'satp',
      endpoint: 'https://agentfolio.bot/api/profile',
      minScore: 60
    })
  ],
  policy: 'all'  // all providers must pass
});

This pattern is being implemented across several frameworks right now:

• browser-use #4563 (85K⭐) — multi-provider TrustProvider for browser agents
• LangChain #36232 (96K⭐) — pluggable TrustProvider for tool execution
• A2A #1672 (23K⭐) — trust providers in Agent Cards

The ToolAuthMiddleware interface you proposed is a clean fit for this — it just needs a TrustProvider as an additional input alongside the local role check. Same middleware, richer trust signals.