Gemma 4 Agents.
Now With Offline Authorization.

The only auth library purpose-built for on-device AI agents — offline consent, offline verification, offline audit. Apache 2.0.

npm npm install @grantex/gemma Copy
Read the Docs →
📱 Android Gemma 4
🧠 Agent On-Device
🔒 Grantex ConsentBundle
Verified in 2ms · No network required
Day-zero integration Apache 2.0 < 5ms verification Raspberry Pi ready
The problem

On-device agents have no authorization layer

Gemma 4 runs locally — but your security model still assumes a cloud connection. These are the gaps.

🔑

API keys with no scope boundaries

Your agent carries raw API keys with full access. There are no per-action scopes, no expiration, and no way to limit what the agent can do on a user's behalf.

📡

No audit trail survives offline

When the device goes offline, actions happen in a black box. Logs are unsigned, mutable, and lost when the device reconnects — making compliance impossible.

No mid-session revocation without connectivity

If a user wants to stop an agent mid-task, they need network access to reach a revocation endpoint. Offline, the agent keeps running with full permissions.

The solution

ConsentBundle: Issue once online. Verify forever offline.

A single signed bundle contains everything the agent needs to prove authorization, verify scopes, and log actions — without ever calling home.

1

Issue online

Human approves scopes via consent flow. Grantex bundles the grant token, JWKS snapshot, and audit signing key.

One-time
2

Verify in 2ms

Agent verifies the JWT against the bundled JWKS — no network call. Scope checks included.

< 5ms
3

Log locally, signed

Every action is appended to an Ed25519-signed, hash-chained audit log on the device.

Tamper-evident
4

Revocation at sync

When connectivity returns, the agent syncs its audit log and checks for revocation updates.

Resilient
Quickstart

Three phases. Ten lines each.

Issue a consent bundle while online. Verify and audit while offline. Works with TypeScript, Python, and Google ADK. 

import { createConsentBundle, createOfflineVerifier, createOfflineAuditLog } from '@grantex/gemma';

// Phase 1: Online — issue consent bundle (once)
const bundle = await createConsentBundle({
  apiKey: process.env.GRANTEX_API_KEY,
  agentId: 'ag_01HXYZ',
  userId: 'user_abc',
  scopes: ['calendar:read', 'files:write:max_10mb'],
  offlineTTL: '72h',
});

// Phase 2: Offline — verify in < 5ms
const verifier = createOfflineVerifier({
  jwksSnapshot: bundle.jwksSnapshot,
  requireScopes: ['calendar:read'],
});
const grant = await verifier.verify(bundle.grantToken);

// Phase 3: Audit — Ed25519-signed, hash-chained
const auditLog = createOfflineAuditLog({
  signingKey: bundle.offlineAuditKey,
  logPath: '/var/grantex/audit.jsonl',
});
await auditLog.append({
  action: 'calendar.read',
  agentDID: grant.agentDID,
  grantId: grant.jti,
  scopes: ['calendar:read'],
  result: 'success',
});
from grantex_gemma import (
    create_consent_bundle,
    create_offline_verifier,
    create_offline_audit_log,
)

# Phase 1: Online — issue consent bundle (once)
bundle = await create_consent_bundle(
    api_key=os.environ["GRANTEX_API_KEY"],
    agent_id="ag_01HXYZ",
    user_id="user_abc",
    scopes=["files:read", "email:send:max_10"],
    offline_ttl="48h",
)

# Phase 2: Offline — verify in < 5ms
verifier = create_offline_verifier(
    jwks_snapshot=bundle.jwks_snapshot,
)
grant = await verifier.verify(bundle.grant_token)

# Phase 3: Audit — Ed25519-signed, hash-chained
audit_log = create_offline_audit_log(
    signing_key=bundle.offline_audit_key,
    log_path="/var/grantex/audit.jsonl",
)
await audit_log.append(
    action="files.read",
    agent_did=grant.agent_did,
    grant_id=grant.jti,
    scopes=["files:read"],
    result="success",
)
import { withGrantexAuth } from '@grantex/gemma/adapters/google-adk';
import { createOfflineVerifier, createOfflineAuditLog } from '@grantex/gemma';

// Wrap any Google ADK tool with offline auth
const verifier = createOfflineVerifier({
  jwksSnapshot: bundle.jwksSnapshot,
});

const auditLog = createOfflineAuditLog({
  signingKey: bundle.offlineAuditKey,
  logPath: '/var/grantex/audit.jsonl',
});

// One line to protect any tool
const securedCalendarTool = withGrantexAuth(calendarTool, {
  verifier,
  auditLog,
  requiredScopes: ['calendar:write'],
});

// Tool now auto-verifies grants and logs every invocation
const securedEmailTool = withGrantexAuth(emailTool, {
  verifier,
  auditLog,
  requiredScopes: ['email:send'],
});
Compatibility

Runs Everywhere Gemma 4 Runs

Tested on every platform that supports Gemma 4 inference. Same API, same verification guarantees.

📱

Android

Pixel, Galaxy, any device with MediaPipe

🍎

iOS

iPhone and iPad via ML frameworks

💻

Raspberry Pi

Pi 5, Pi 4 with 4GB+ RAM

🎮

NVIDIA Jetson

Orin Nano, Orin NX, AGX

🖥

Desktop

Windows, macOS, Linux x64/ARM

Performance

Benchmarks: Real Hardware, Real Numbers

Grant verification is a single Ed25519 signature check against a local JWKS cache. No network. No database. Just math.

Platform Verification Memory
Raspberry Pi 5 3.2ms avg 1.1 MB
Android (mid-range) 1.8ms avg 0.9 MB
Jetson Orin Nano 1.1ms avg 0.8 MB
Integrations

Works With Your Stack

First-class adapters for the frameworks developers actually use. Wrap any tool with one line.

🌐 Google ADK 🔗 LangChain OpenAI Agents 🤖 CrewAI

Get Started in 60 Seconds

npm npm install @grantex/gemma Copy
pip pip install grantex-gemma Copy
Full Documentation → GitHub Examples →