Sample code and applications you can build on Ekam — copy, adapt, ship. No login required.
The piece a gateway imports: validate an agent/human token offline against the JWKS, with an optional live kill-switch.
From an owner key to a short-lived, audience-bound, delegated token in three calls.
Advertise Ekam as your MCP server's authorization server so agents discover how to get a token (Protected Resource Metadata).
Carry a verified identity from app A to app B without re-authenticating — tenant + entity preserved.
Let employees sign in with their Ola Google account and receive a type:human Ekam token.
Cut off an agent instantly; every gateway calling introspection sees it within seconds.
The piece a gateway imports: validate an agent/human token offline against the JWKS, with an optional live kill-switch.
import { createEkamVerifier } from "@krutrim/ekam-verify";

const verify = createEkamVerifier({
  issuer: "https://ekam.olakrutrim.com",
  jwksUri: "https://ekam.olakrutrim.com/.well-known/jwks.json",
  audience: "https://your-gateway.example",
  introspectUrl: "https://ekam.olakrutrim.com/oauth/introspect", // optional live revocation
});

// `app` is your existing Express-style application.
app.use(async (req, res, next) => {
  try {
    // Take the token from "Authorization: Bearer <token>"; a missing or invalid token ends in the 401 below.
    const p = await verify(req.headers.authorization?.split(" ")[1]);
    req.principal = p; // { agentId, ownerId, scopes, tenant, entity, budgetRef }
    // A valid token without the required scope is a 403, not a 401.
    if (!p.scopes.includes("models:invoke")) return res.status(403).end();
    next();
  } catch {
    res.status(401).end();
  }
});

From an owner key to a short-lived, audience-bound, delegated token in three calls.
BASE=https://ekam.olakrutrim.com

# 1. Create a blueprint: allowed scopes, allowed audiences and token lifetime
BP=$(curl -s "$BASE/v1/blueprints" -H "authorization: Bearer $OWNER_KEY" -H 'content-type: application/json' \
  -d '{"name":"support","scopes":["models:invoke"],"allowedAudiences":["https://your-gateway.example"],"tokenTtlSeconds":900}' | jq -r .id)

# 2. Create an agent from that blueprint
AG=$(curl -s "$BASE/v1/agents" -H "authorization: Bearer $OWNER_KEY" -H 'content-type: application/json' \
  -d "{\"blueprintId\":\"$BP\",\"name\":\"support-bot\"}" | jq -r .id)

# 3. Token exchange: request a token for the agent, bound to the gateway as resource
curl -s "$BASE/oauth/token" -H "authorization: Bearer $OWNER_KEY" -H 'content-type: application/json' \
  -d "{\"grant_type\":\"urn:ietf:params:oauth:grant-type:token-exchange\",\"agent_id\":\"$AG\",\"resource\":\"https://your-gateway.example\",\"scope\":\"models:invoke\"}"

Advertise Ekam as your MCP server's authorization server so agents discover how to get a token (Protected Resource Metadata).
// GET /.well-known/oauth-protected-resource on your MCP server
{
  "resource": "https://mcp.example.com",
  "authorization_servers": ["https://ekam.olakrutrim.com"],
  "bearer_methods_supported": ["header"]
}
// The agent reads this, fetches https://ekam.olakrutrim.com/.well-known/oauth-authorization-server,
// gets a scoped token from the broker, and calls your MCP tools with it.

Carry a verified identity from app A to app B without re-authenticating — tenant + entity preserved.
# App A issues an ID-JAG (token-exchange)
curl -s https://ekam.olakrutrim.com/oauth/token -H 'content-type: application/json' -d '{
  "grant_type":"urn:ietf:params:oauth:grant-type:token-exchange",
  "requested_token_type":"urn:ietf:params:oauth:token-type:id-jag",
  "subject_token":"<app-A token>", "audience":"https://app-b.example" }'

# App B redeems it (jwt-bearer) for a local access token
curl -s https://ekam.olakrutrim.com/oauth/token -H 'content-type: application/json' -d '{
  "grant_type":"urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion":"<id-jag>" }'

Let employees sign in with their Ola Google account and receive a type:human Ekam token.
<a href="https://ekam.olakrutrim.com/auth/login">Sign in with Google</a>
<!-- On return, /auth/callback hands back #access_token=<jwt>&email=<email>.
     Decode it for { sub, type:'human', tenant, entity, scope }. Non-Ola domains
     are routed to Request access automatically. -->

Cut off an agent instantly; every gateway calling introspection sees it within seconds.
# Revoke
curl -s -X POST https://ekam.olakrutrim.com/v1/agents/agt_123/revoke -H "authorization: Bearer $OWNER_KEY"
# Any token it holds now introspects inactive
curl -s https://ekam.olakrutrim.com/oauth/introspect -H 'content-type: application/json' -d '{"token":"<jwt>"}'
# -> { "active": false }
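
How quickly a gateway notices the revocation above depends on how long it keeps each introspection answer. The following is an added example, not code from Ekam or @krutrim/ekam-verify: a gateway-side check that caches answers for a few seconds and denies when the broker cannot be reached. `createRevocationCheck`, `introspectEkam`, `ttlMs` and `maxEntries` are hypothetical names, and failing closed is an assumed policy choice.

```javascript
// Added example: createRevocationCheck is a hypothetical helper, not part of
// @krutrim/ekam-verify. ttlMs bounds how long a revoked token is still accepted.
function createRevocationCheck({ introspect, ttlMs = 5000, maxEntries = 10000, now = Date.now }) {
  const cache = new Map(); // token -> { active, checkedAt }, oldest entry first
  return async function isActive(token) {
    const hit = cache.get(token);
    if (hit && now() - hit.checkedAt < ttlMs) return hit.active;
    let active;
    try {
      const res = await introspect(token);
      active = res?.active === true; // anything but a literal true is a denial
    } catch {
      return false; // fail closed on broker errors; do not cache the outage
    }
    cache.delete(token); // re-insert so Map order tracks freshness
    cache.set(token, { active, checkedAt: now() });
    if (cache.size > maxEntries) cache.delete(cache.keys().next().value);
    return active;
  };
}

// Live lookup with the same JSON body as the curl call on this page (Node 18+ fetch).
const introspectEkam = (token) =>
  fetch("https://ekam.olakrutrim.com/oauth/introspect", {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ token }),
  }).then((r) => {
    if (!r.ok) throw new Error(`introspection HTTP ${r.status}`);
    return r.json();
  });

// Constructed scenario: a fake broker and a fake clock, so it runs offline.
async function demo() {
  let clock = 0, revoked = false, down = false, calls = 0;
  const introspect = async () => {
    calls++;
    if (down) throw new Error("broker unreachable");
    return { active: !revoked };
  };
  const isActive = createRevocationCheck({ introspect, now: () => clock });
  const seen = [await isActive("tok")]; // live lookup
  revoked = true; clock = 3000;
  seen.push(await isActive("tok"));     // cached verdict, revocation not yet visible
  clock = 5000;
  seen.push(await isActive("tok"));     // cache expired, fresh lookup
  down = true;
  seen.push(await isActive("other"));   // broker down, fail closed
  return { seen, calls };
}
```

In a gateway, pass `introspectEkam` as `introspect`; the second verdict in `demo()` is the staleness window, so choose `ttlMs` as the longest time a revoked agent may keep working.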