Question 1

What is may_act_grants and how does delegation work?

Accepted Answer

SharkAuth expresses delegation policy as structured data. Every grant is scoped to specific actions, resources, and time windows, and can be revoked or expired automatically when conditions change.

Question 2

How does DPoP protect against token theft?

Accepted Answer

Every access token is cryptographically bound to the agent's private key via RFC 9449 DPoP. A stolen token is useless without the key, making replay attacks impossible by design.

Question 3

What is act chain depth and why does it matter?

Accepted Answer

SharkAuth preserves the complete delegation chain across every agent hop. When agent A delegates to B who calls API C, the full provenance is surfaced in token introspection, eliminating 'the agent did it' dead ends.

Question 4

How fast is cascade revocation?

Accepted Answer

Revoke any grant and every downstream token invalidates automatically. The change is indexed by grant_id and propagated through introspection in under 12 ms p99.

Question 5

Can SharkAuth run offline or on edge devices?

Accepted Answer

Yes. It ships as a single static Go binary with embedded SQLite WAL. Deploy it next to your app, in a container, on a corporate VM, or an air-gapped edge. Or drop it on a $5 VPS. Backup is a single file copy.

Question 6

What audit capabilities does SharkAuth provide?

Accepted Answer

Structured JSON audit logs, indexed by grant_id, subject, actor, and grant. Stream directly to your SIEM via events websocket. Compliance-ready out of the box.

Prefix	Surface
`/api/v1/*`	Admin REST API (users, agents, apps, audit, webhooks, Vault, flows, system)
`/oauth/*`	OAuth 2.1 flows: token, authorize, DCR, introspect, revoke, token exchange. Device flow is disabled in v0.1.0.
`/.well-known/*`	Discovery: authorization server metadata + JWKS
`/api/v1/auth/*`	User-facing auth flows: signup, login, MFA, passkeys, magic links, SSO
`/api/v1/organizations/*`	Organization management
`/admin/*`	Admin dashboard SPA (embedded React bundle)
`/api/docs`	Interactive Scalar UI (OpenAPI 3.1)

Mechanism	Header	Used For
Admin API Key	`Authorization: Bearer sk_live_<random>`	All `/api/v1/*` admin endpoints
DPoP-bound access token	`Authorization: DPoP <token>` + `DPoP: <proof-jwt>`	Resource endpoints that explicitly enforce RFC 9449 binding
OAuth 2.1 Bearer token	`Authorization: Bearer <access-token>`	OAuth resource endpoints. Vault token retrieval uses this scheme and a separate `DPoP` header when the Shark token is DPoP-bound.
Session cookie	`shark_session=<id>` (HttpOnly)	User-facing auth flows

SharkAuth API

Surfaces

Authentication

Interactive Reference