Skip to content

Commit c724f9e

Browse files
authored
Document KYA use case for agent client authorization on AI GW
Add a use case for a VC/KYA based dynamically scoped, fine grained/TBAC for Agents on AI gateway Signed-off-by: Manish Singh <mksinghtx@gmail.com>
1 parent eafec3b commit c724f9e

1 file changed

Lines changed: 91 additions & 0 deletions

File tree

Lines changed: 91 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,91 @@
1+
—---With KYA —----
2+
Agent Client with KYA Registration and Policy-Based Authorization
3+
4+
```
5+
\+-------------------------------------------+
6+
| START: Agent (Github action, claude, cursor|
7+
\+-------------------------------------------+
8+
|
9+
v
10+
\+--------------------------+
11+
| AI Gateway (Envoy) |
12+
| (mcp.prod.env.corp.net)
13+
\+--------------------------+
14+
|
15+
v
16+
\+--------------------------+
17+
| KYA Registration/Attestation|
18+
| 1. Agent registers with attributes/proves identity (KYA credential/VC)
19+
\+--------------------------+
20+
| Token Request (KYA Proof, Location, Time Context)
21+
v
22+
\+--------------------------+
23+
| Authorization Service |
24+
| (Policy Evaluation) |
25+
| 1. Validate KYA Attestation
26+
| 2. Evaluate Policy (based on Location, Time, etc.)
27+
| 3. Issue Initial Token (e.g., JWT with claims)
28+
\+--------------------------+
29+
| Initial Token Issued
30+
|
31+
\+--------------------------+
32+
| Agent Client (Send Request)|
33+
\+--------------------------+
34+
| Request sent with Initial Token (e.g., JWT)
35+
v
36+
\+--------------------------+
37+
| AI Gateway (Envoy) |
38+
| (mcp.staging/prod.env.corp.net)
39+
\+--------------------------+
40+
| MCPRoute intercepts request
41+
v
42+
\+--------------------------+
43+
| Initial Token Validation |
44+
| 1. Extract Initial Token
45+
| 2. Validate Token (domain, org, signature, claims, expiration)
46+
\+--------------------------+
47+
|
48+
+--\[Validation Fails\]---\> Request Rejected (END)
49+
|
50+
+--\[Validation Success\]--\> Token Exchange Request
51+
v
52+
\+--------------------------+
53+
| Token Exchange Service |
54+
| 1. Exchanges Initial Token for |
55+
| API/Domain specific Token |
56+
| after Caller/Callee badge/cert verification |
57+
\+--------------------------+
58+
| New Token attached to request
59+
v
60+
\+--------------------------+
61+
| Routing |
62+
\+--------------------------+
63+
/ \
64+
/ \
65+
v v
66+
\+-----------------+ +----------------------+
67+
| Flux MCP Server | | Victoria Metrics MCP |
68+
| (:9090/mcp) | | (:8080/mcp) |
69+
\+-----------------+ \+----------------------+
70+
| Remote or local origin access |
71+
v v
72+
\+-------------------------------------------+
73+
| connects to API/tool( eg read-only mode) using|
74+
| API/domain specific Token |
75+
\+--------------------------------------------+
76+
|
77+
v
78+
+-------+
79+
| END |
80+
+-------+
81+
+------------------------------+
82+
| Connects to \`vmselect\` service |
83+
| in telemetry-system namespace |
84+
| using API/domain specific Token |
85+
+------------------------------+
86+
|
87+
v
88+
+-------+
89+
| END |
90+
+-------+
91+
```

0 commit comments

Comments
 (0)