[{"data":1,"prerenderedAt":1047},["ShallowReactive",2],{"navigation":3,"/ecosystem/grants":145,"/ecosystem/grants-surround":1042},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe 
Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy 
Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":81,"body":147,"description":1035,"extension":1036,"links":1037,"meta":1038,"navigation":1039,"path":82,"seo":1040,"stem":83,"__hash__":1041},"docs/3.ecosystem/8.grants.md",{"type":148,"value":149,"toc":1024},"minimark",[150,154,159,163,168,179,183,259,272,276,279,580,583,630,634,773,780,790,807,812,871,876,896,905,925,932,936,939,1020],[151,152,81],"h1",{"id":153},"openape-grants",[155,156,158],"h2",{"id":157},"openapegrants","@openape/grants",[160,161,162],"p",{},"The permission engine. Framework-agnostic. 
This package provides the core grant lifecycle, AuthZ-JWT issuance, and verification — independent of any framework.",[164,165,167],"h3",{"id":166},"grant-lifecycle","Grant Lifecycle",[169,170,175],"pre",{"className":171,"code":173,"language":174},[172],"language-text","Request → Pending → Approved/Denied → (if approved) Active → Used/Expired/Revoked\n","text",[176,177,173],"code",{"__ignoreMap":178},"",[164,180,182],{"id":181},"grant-types","Grant Types",[184,185,186,205],"table",{},[187,188,189],"thead",{},[190,191,192,196,199,202],"tr",{},[193,194,195],"th",{},"Type",[193,197,198],{},"Behavior",[193,200,201],{},"AuthZ-JWT Lifetime",[193,203,204],{},"Reusable?",[206,207,208,225,244],"tbody",{},[190,209,210,216,219,222],{},[211,212,213],"td",{},[176,214,215],{},"once",[211,217,218],{},"Single use — consumed after first use",[211,220,221],{},"5 minutes",[211,223,224],{},"No",[190,226,227,232,235,241],{},[211,228,229],{},[176,230,231],{},"timed",[211,233,234],{},"Valid for a time window (TTL)",[211,236,237,238],{},"Until ",[176,239,240],{},"expires_at",[211,242,243],{},"Yes",[190,245,246,251,254,257],{},[211,247,248],{},[176,249,250],{},"always",[211,252,253],{},"Standing permission — active until revoked",[211,255,256],{},"1 hour (renewable)",[211,258,243],{},[160,260,261,262,264,265,268,269,271],{},"For ",[176,263,231],{}," grants, specify a ",[176,266,267],{},"duration"," in seconds when requesting. 
For ",[176,270,250],{}," grants, the AuthZ-JWT expires after 1 hour but can be re-fetched as long as the grant is not revoked.",[164,273,275],{"id":274},"authz-jwt","AuthZ-JWT",[160,277,278],{},"On approval, a signed AuthZ-JWT is issued:",[169,280,284],{"className":281,"code":282,"language":283,"meta":178,"style":178},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"iss\": \"https://id.example.com\",\n  \"sub\": \"agent@example.com\",\n  \"aud\": \"target-system\",\n  \"target_host\": \"prod-server.example.com\",\n  \"grant_id\": \"uuid\",\n  \"grant_type\": \"once\",\n  \"permissions\": [\"deploy\"],\n  \"command\": [\"systemctl\", \"restart\", \"nginx\"],\n  \"cmd_hash\": \"sha256:a1b2c3...\",\n  \"decided_by\": \"alice@example.com\",\n  \"exp\": 1234567890,\n  \"jti\": \"unique-grant-id\"\n}\n","json",[176,285,286,295,323,344,365,386,407,427,452,494,515,536,554,574],{"__ignoreMap":178},[287,288,291],"span",{"class":289,"line":290},"line",1,[287,292,294],{"class":293},"sMK4o","{\n",[287,296,298,301,305,308,311,314,318,320],{"class":289,"line":297},2,[287,299,300],{"class":293},"  \"",[287,302,304],{"class":303},"spNyl","iss",[287,306,307],{"class":293},"\"",[287,309,310],{"class":293},":",[287,312,313],{"class":293}," 
\"",[287,315,317],{"class":316},"sfazB","https://id.example.com",[287,319,307],{"class":293},[287,321,322],{"class":293},",\n",[287,324,326,328,331,333,335,337,340,342],{"class":289,"line":325},3,[287,327,300],{"class":293},[287,329,330],{"class":303},"sub",[287,332,307],{"class":293},[287,334,310],{"class":293},[287,336,313],{"class":293},[287,338,339],{"class":316},"agent@example.com",[287,341,307],{"class":293},[287,343,322],{"class":293},[287,345,347,349,352,354,356,358,361,363],{"class":289,"line":346},4,[287,348,300],{"class":293},[287,350,351],{"class":303},"aud",[287,353,307],{"class":293},[287,355,310],{"class":293},[287,357,313],{"class":293},[287,359,360],{"class":316},"target-system",[287,362,307],{"class":293},[287,364,322],{"class":293},[287,366,368,370,373,375,377,379,382,384],{"class":289,"line":367},5,[287,369,300],{"class":293},[287,371,372],{"class":303},"target_host",[287,374,307],{"class":293},[287,376,310],{"class":293},[287,378,313],{"class":293},[287,380,381],{"class":316},"prod-server.example.com",[287,383,307],{"class":293},[287,385,322],{"class":293},[287,387,389,391,394,396,398,400,403,405],{"class":289,"line":388},6,[287,390,300],{"class":293},[287,392,393],{"class":303},"grant_id",[287,395,307],{"class":293},[287,397,310],{"class":293},[287,399,313],{"class":293},[287,401,402],{"class":316},"uuid",[287,404,307],{"class":293},[287,406,322],{"class":293},[287,408,410,412,415,417,419,421,423,425],{"class":289,"line":409},7,[287,411,300],{"class":293},[287,413,414],{"class":303},"grant_type",[287,416,307],{"class":293},[287,418,310],{"class":293},[287,420,313],{"class":293},[287,422,215],{"class":316},[287,424,307],{"class":293},[287,426,322],{"class":293},[287,428,430,432,435,437,439,442,444,447,449],{"class":289,"line":429},8,[287,431,300],{"class":293},[287,433,434],{"class":303},"permissions",[287,436,307],{"class":293},[287,438,310],{"class":293},[287,440,441],{"class":293}," 
[",[287,443,307],{"class":293},[287,445,446],{"class":316},"deploy",[287,448,307],{"class":293},[287,450,451],{"class":293},"],\n",[287,453,455,457,460,462,464,466,468,471,473,476,478,481,483,485,487,490,492],{"class":289,"line":454},9,[287,456,300],{"class":293},[287,458,459],{"class":303},"command",[287,461,307],{"class":293},[287,463,310],{"class":293},[287,465,441],{"class":293},[287,467,307],{"class":293},[287,469,470],{"class":316},"systemctl",[287,472,307],{"class":293},[287,474,475],{"class":293},",",[287,477,313],{"class":293},[287,479,480],{"class":316},"restart",[287,482,307],{"class":293},[287,484,475],{"class":293},[287,486,313],{"class":293},[287,488,489],{"class":316},"nginx",[287,491,307],{"class":293},[287,493,451],{"class":293},[287,495,497,499,502,504,506,508,511,513],{"class":289,"line":496},10,[287,498,300],{"class":293},[287,500,501],{"class":303},"cmd_hash",[287,503,307],{"class":293},[287,505,310],{"class":293},[287,507,313],{"class":293},[287,509,510],{"class":316},"sha256:a1b2c3...",[287,512,307],{"class":293},[287,514,322],{"class":293},[287,516,518,520,523,525,527,529,532,534],{"class":289,"line":517},11,[287,519,300],{"class":293},[287,521,522],{"class":303},"decided_by",[287,524,307],{"class":293},[287,526,310],{"class":293},[287,528,313],{"class":293},[287,530,531],{"class":316},"alice@example.com",[287,533,307],{"class":293},[287,535,322],{"class":293},[287,537,539,541,544,546,548,552],{"class":289,"line":538},12,[287,540,300],{"class":293},[287,542,543],{"class":303},"exp",[287,545,307],{"class":293},[287,547,310],{"class":293},[287,549,551],{"class":550},"sbssI"," 
1234567890",[287,553,322],{"class":293},[287,555,557,559,562,564,566,568,571],{"class":289,"line":556},13,[287,558,300],{"class":293},[287,560,561],{"class":303},"jti",[287,563,307],{"class":293},[287,565,310],{"class":293},[287,567,313],{"class":293},[287,569,570],{"class":316},"unique-grant-id",[287,572,573],{"class":293},"\"\n",[287,575,577],{"class":289,"line":576},14,[287,578,579],{"class":293},"}\n",[160,581,582],{},"Key security features:",[584,585,586,596,603,610,617,624],"ul",{},[587,588,589,595],"li",{},[590,591,592,594],"strong",{},[176,593,351],{}," binding"," — token only valid for the intended target service",[587,597,598,602],{},[590,599,600],{},[176,601,372],{}," — restricts to a specific host",[587,604,605,609],{},[590,606,607],{},[176,608,501],{}," — binds to exact command (prevents substitution attacks)",[587,611,612,616],{},[590,613,614],{},[176,615,522],{}," — dual accountability (agent identity ≠ approver identity)",[587,618,619,623],{},[590,620,621],{},[176,622,561],{}," — unique token identifier, used for replay protection",[587,625,626,629],{},[590,627,628],{},"Expiry"," — every AuthZ-JWT carries an exp claim, so each token has a bounded lifetime; an always grant stays active until revoked, but its tokens last 1 hour and must be re-fetched",[164,631,633],{"id":632},"grant-request-fields","Grant Request Fields",[184,635,636,649],{},[187,637,638],{},[190,639,640,643,646],{},[193,641,642],{},"Field",[193,644,645],{},"Required",[193,647,648],{},"Description",[206,650,651,663,674,693,711,725,736,749,761],{},[190,652,653,658,660],{},[211,654,655],{},[176,656,657],{},"requester",[211,659,243],{},[211,661,662],{},"Agent email (auto-set if using agent token)",[190,664,665,669,671],{},[211,666,667],{},[176,668,372],{},[211,670,243],{},[211,672,673],{},"Host where the grant is valid",[190,675,676,681,683],{},[211,677,678],{},[176,679,680],{},"audience",[211,682,243],{},[211,684,685,686,688,689,692],{},"Service identifier (e.g., ",[176,687,65],{},", ",[176,690,691],{},"proxy",")",[190,694,695,699,701],{},[211,696,697],{},[176,698,414],{},[211,700,224],{},[211,702,703,705,706,708,709],{},[176,704,215],{}," (default), 
",[176,707,231],{},", or ",[176,710,250],{},[190,712,713,717,719],{},[211,714,715],{},[176,716,459],{},[211,718,224],{},[211,720,721,722,692],{},"Command array (e.g., ",[176,723,724],{},"[\"apt-get\", \"upgrade\"]",[190,726,727,731,733],{},[211,728,729],{},[176,730,434],{},[211,732,224],{},[211,734,735],{},"Permission strings",[190,737,738,742,746],{},[211,739,740],{},[176,741,267],{},[211,743,261,744],{},[176,745,231],{},[211,747,748],{},"Duration in seconds",[190,750,751,756,758],{},[211,752,753],{},[176,754,755],{},"reason",[211,757,224],{},[211,759,760],{},"Human-readable reason for the request",[190,762,763,768,770],{},[211,764,765],{},[176,766,767],{},"run_as",[211,769,224],{},[211,771,772],{},"Execute as this user",[155,774,776,777],{"id":775},"grant-routes-in-openapenuxt-auth-idp","Grant Routes in ",[176,778,779],{},"@openape/nuxt-auth-idp",[160,781,782,783,785,786,789],{},"Grant management is integrated into ",[176,784,779],{},". Enable grant pages with ",[176,787,788],{},"grants.enablePages: true"," in your module config.",[791,792,794],"callout",{"type":793},"warning",[160,795,796,799,800,803,804,806],{},[176,797,798],{},"@openape/nuxt-grants"," is ",[590,801,802],{},"deprecated",". 
All grant functionality has been consolidated into ",[176,805,779],{},".",[160,808,809],{},[590,810,811],{},"Auto-registered API routes:",[584,813,814,820,826,832,838,844,850,856,865],{},[587,815,816,819],{},[176,817,818],{},"POST /api/grants"," — create grant request",[587,821,822,825],{},[176,823,824],{},"GET /api/grants"," — list grants",[587,827,828,831],{},[176,829,830],{},"GET /api/grants/:id"," — get grant details (supports ETag polling)",[587,833,834,837],{},[176,835,836],{},"POST /api/grants/:id/approve"," — approve a grant (returns AuthZ-JWT)",[587,839,840,843],{},[176,841,842],{},"POST /api/grants/:id/deny"," — deny a grant",[587,845,846,849],{},[176,847,848],{},"POST /api/grants/:id/revoke"," — revoke an active grant",[587,851,852,855],{},[176,853,854],{},"POST /api/grants/:id/token"," — get AuthZ-JWT for approved grant",[587,857,858,861,862,864],{},[176,859,860],{},"POST /api/grants/:id/consume"," — consume a ",[176,863,215],{}," grant",[587,866,867,870],{},[176,868,869],{},"POST /api/grants/verify"," — verify an AuthZ-JWT",[160,872,873],{},[590,874,875],{},"Agent API routes:",[584,877,878,884,890],{},[587,879,880,883],{},[176,881,882],{},"POST /api/agent/enroll"," — register a new agent (requires Management Token)",[587,885,886,889],{},[176,887,888],{},"POST /api/agent/challenge"," — request auth challenge",[587,891,892,895],{},[176,893,894],{},"POST /api/agent/authenticate"," — authenticate with signed challenge",[160,897,898,901,902,904],{},[590,899,900],{},"Pages"," (overridable, enabled via ",[176,903,788],{},"):",[584,906,907,913,919],{},[587,908,909,912],{},[176,910,911],{},"/grants"," — grant dashboard",[587,914,915,918],{},[176,916,917],{},"/grant-approval"," — approve/deny UI",[587,920,921,924],{},[176,922,923],{},"/enroll"," — agent enrollment form",[160,926,927,928,806],{},"For detailed request/response schemas, see the ",[929,930,931],"a",{"href":25},"Agent Integration Guide",[155,933,935],{"id":934},"agent-tools","Agent 
Tools",[160,937,938],{},"The following tools use the grant system for access control:",[184,940,941,954],{},[187,942,943],{},[190,944,945,948,951],{},[193,946,947],{},"Tool",[193,949,950],{},"Purpose",[193,952,953],{},"Docs",[206,955,956,969,981,994,1007],{},[190,957,958,963,966],{},[211,959,960],{},[929,961,962],{"href":58},"grapes",[211,964,965],{},"Universal Grant Management CLI",[211,967,968],{},"Request, approve, delegate, execute",[190,970,971,975,978],{},[211,972,973],{},[929,974,65],{"href":66},[211,976,977],{},"Local privilege elevation via AuthZ-JWT",[211,979,980],{},"Setuid-root Rust binary",[190,982,983,988,991],{},[211,984,985],{},[929,986,987],{"href":70},"@openape/proxy",[211,989,990],{},"Agent HTTP gateway with grant-based access rules",[211,992,993],{},"Forward proxy",[190,995,996,1001,1004],{},[211,997,998],{},[929,999,1000],{"href":74},"@openape/browser",[211,1002,1003],{},"Grant-aware headless browser",[211,1005,1006],{},"Playwright wrapper",[190,1008,1009,1014,1017],{},[211,1010,1011],{},[929,1012,1013],{"href":62},"@openape/shapes",[211,1015,1016],{},"Grant-aware CLI wrappers",[211,1018,1019],{},"Adapters for kubectl, aws, etc.",[1021,1022,1023],"style",{},"html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: 
var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":178,"searchDepth":325,"depth":297,"links":1025},[1026,1032,1034],{"id":157,"depth":297,"text":158,"children":1027},[1028,1029,1030,1031],{"id":166,"depth":325,"text":167},{"id":181,"depth":325,"text":182},{"id":274,"depth":325,"text":275},{"id":632,"depth":325,"text":633},{"id":775,"depth":297,"text":1033},"Grant Routes in @openape/nuxt-auth-idp",{"id":934,"depth":297,"text":935},"Human-in-the-loop permissions for agents.","md",null,{},true,{"title":81,"description":1035},"divTcVLLFNRVTS2asHun-d7gCEg4ZKVSp87KKs3BGI8",[1043,1045],{"title":77,"path":78,"stem":79,"description":1044,"children":-1},"DNS-based identity for humans and agents.",{"title":85,"path":86,"stem":87,"description":1046,"children":-1},"Add OpenApe login to any Nuxt app in minutes.",1774221117377]