# tenuo
Cryptographic authorization primitive for AI agents.
[](https://crates.io/crates/tenuo)
[](https://docs.rs/tenuo)
> **Status: v0.1 Beta** — Core frozen. See [CHANGELOG](../CHANGELOG.md).
## Overview
Tenuo implements **capability tokens** (Warrants) for AI agent authorization:
- **Offline verification** in ~27μs - no network calls
- **Monotonic attenuation** - delegated tokens can only shrink in scope
- **Proof-of-possession** - stolen tokens are useless without the private key
- **Constraint types** - `Exact`, `Pattern`, `Range`, `OneOf`, `Regex`, `Wildcard`
## Quick Start
```rust
use tenuo::{SigningKey, Warrant, Constraint, ConstraintSet, Authorizer};
// Generate keys
let issuer_key = SigningKey::generate();
let holder_key = SigningKey::generate();
// Issue a warrant
let warrant = Warrant::builder()
.capability("read_file", ConstraintSet::new().insert("path", Constraint::pattern("/data/*")))
.holder(holder_key.public_key())
.ttl_secs(300)
.build(&issuer_key)?;
// Verify and authorize
let authorizer = Authorizer::new(vec![issuer_key.public_key()]);
authorizer.verify_and_authorize(
&warrant,
"read_file",
&[("path", "/data/report.txt")],
Some(&holder_key.create_pop(&warrant, "read_file", &args)?),
)?;
```
## Features
| `control-plane` | Warrant issuance (default) |
| `data-plane` | Warrant verification (default) |
| `python` | PyO3 bindings |
| `server` | HTTP server dependencies |
## Use Cases
- **Sidecar authorizer** - Verify warrants at the edge
- **Gateway integration** - Envoy/Istio external authorization
- **Embedded verification** - In-process authorization checks
## Documentation
- [tenuo.dev](https://tenuo.dev) - Full documentation
- [docs.rs/tenuo](https://docs.rs/tenuo) - API reference
- [GitHub](https://github.com/tenuo-ai/tenuo) - Source code
## License
MIT OR Apache-2.0