Krutrim Ekam is the agent-identity & delegation control plane. It issues short-lived, audience-bound, delegated tokens your gateway verifies offline — and bills the human owner.
How it works
Owner mints an agent from a blueprint
Short-lived, scoped, delegated token
Gateway verifies offline via JWKS
Map agent → budget → bill owner
Kill-switch stops it in seconds
Key features
agt_… — owned, blueprinted, revocable. Not an API key.
Audience-bound (RFC 8707), scoped, delegated via the act chain (RFC 8693).
ES256 JWT + JWKS — the gateway never calls Ekam on the hot path.
Revoke an agent or token; introspection (RFC 7662) reflects it in seconds.
Google OIDC → type:human, with request → approve → grant.
Tenant / entity model, plus ID-JAG cross-app delegation.
For developers
POST /oauth/token brokers a scoped, delegated token.
type:human token.
/v1/access-requests; /v1/agents/:id/revoke.
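The offline check a gateway would run on such a token, as an added example that is not Ekam's own code: ES256 signature against a cached JWKS, expiry, audience binding, and the RFC 8693 act chain. Assumptions: the claim layout (sub as the owner, act.sub as the agent, space-delimited scope), the policy of rejecting tokens without an act claim, and the names sampleIssuer and verifyDelegatedToken; the issuer half is constructed only so the block runs offline.

```javascript
// Added example (not Ekam code): offline verification of a delegated ES256 token.
const crypto = require("node:crypto");

const b64u = (x) => Buffer.from(x).toString("base64url");
const parse = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Constructed issuer: a throwaway P-256 key, its JWKS, and a signer for sample tokens.
function sampleIssuer(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const jwks = { keys: [{ ...publicKey.export({ format: "jwk" }), kid }] };
  const mint = (claims, alg = "ES256") => {
    const input = `${b64u(JSON.stringify({ alg, kid, typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
    const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
    return `${input}.${sig.toString("base64url")}`;
  };
  return { jwks, mint };
}

// Gateway side: works from the cached JWKS only, no call to the issuer.
function verifyDelegatedToken(token, jwks, expectedAud, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try { header = parse(parts[0]); claims = parse(parts[1]); }
  catch { return { ok: false, reason: "malformed" }; }
  // Pin the algorithm; the token header must not choose it.
  if (header.alg !== "ES256") return { ok: false, reason: "bad_alg" };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === "EC" && k.crv === "P-256");
  if (!jwk) return { ok: false, reason: "unknown_kid" };
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, format: "jwk" });
  const sig = Buffer.from(parts[2], "base64url");
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const valid = sig.length === 64 && crypto.verify("sha256", signed, { key, dsaEncoding: "ieee-p1363" }, sig);
  if (!valid) return { ok: false, reason: "bad_signature" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return { ok: false, reason: "expired" };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) return { ok: false, reason: "wrong_audience" };
  // RFC 8693: "act" is the current actor; nested "act" claims are earlier actors.
  const actors = [];
  for (let a = claims.act; a && typeof a === "object"; a = a.act) actors.push(a.sub);
  if (actors.length === 0) return { ok: false, reason: "not_delegated" };
  const scope = typeof claims.scope === "string" ? claims.scope.split(" ").filter(Boolean) : [];
  return { ok: true, subject: claims.sub, actors, scope };
}
```

Because every check here is local, a revoked agent's token stays valid at the gateway until its exp unless the gateway also consults introspection or a revocation feed.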