Technical decision guides

AI Agent Authorization Comparisons

Choose an authorization design by comparing security boundaries, not slogans. These pages explain what API keys, OAuth, MCP, and Grantex each do—and where they work together.

Grantex is an open-source delegated authorization and trust layer for AI agents. It gives services a verifiable statement of which agent may perform which action for which principal.

Comparisons and security guide

Every page states scope, limitations, and implementation consequences. Grantex complements OAuth 2.0 and MCP; it is not an identity provider, model runtime, payment processor, or merchant connector.

The short distinction

Authentication and connectivity

  • API keys identify a credential, often with broad shared authority.
  • OAuth 2.0 delegates application access for a user or client.
  • MCP connects models and agent applications to tools.

Agent-specific authority

  • Grantex identifies the acting agent and principal.
  • Signed grants carry narrow scopes, expiry, and delegation context.
  • Receiving services verify grants and enforce policy before acting.

A critical verification boundary

Local JWT verification checks signatures and claims after JWKS retrieval. It does not prove current revocation unless the verifier performs an online state check or synchronizes revocation data. This distinction is documented in the quickstart and release status.