Skip to main content

Modeling Task-Based Authorization for Agents

Agents need credentials to interact with APIs. These can be user or service credentials, for internal or third-party systems. In most cases, these credentials grant agents broad access because the underlying authorization systems do not support fine-grained permissions. Consent prompts and service credentials are too coarse for agent use cases.

Task-Based Authorization grants agents access to perform specific actions only when necessary, without permanent permissions. Agents start with no permissions and receive only what a given task requires. For example, rather than allowing an agent to create tickets across all projects, you authorize it to "create a ticket in project X" — scoping permissions to a specific context.

This guide shows how to model task-based authorization in OpenFGA, progressing from a basic tool-calling model to patterns that support permission hierarchies, session scoping, expiration, and agent binding.

Tool authorization

The simplest model represents tool authorization for a Model Context Protocol server. When a task starts, you write tuples granting it permission to call the tools it needs.

model
  schema 1.1

type task

type tool
  relations
    define can_call: [task, task:*]

type tool_resource
  relations
    define tool: [tool]
    define can_call: [task] or can_call from tool

A tool represents a capability (e.g., slack_send_message), and a tool_resource represents a specific target within that tool (e.g., a Slack channel). Granting can_call on a tool automatically grants access to all of its resources. You can also grant access to individual resources, or use task:* to allow any task to call a tool.

For example, you can grant task:1 access to send any Slack message, while restricting task:2 to a specific channel:

tuples:
  # Any task can list Slack channels
  - user: task:*
    relation: can_call
    object: tool:slack_list_channels

  # task:1 can send any Slack message
  - user: task:1
    relation: can_call
    object: tool:slack_send_message

  # task:2 can only send messages to channel XGA14FG
  - user: task:2
    relation: can_call
    object: tool_resource:slack_send_message/XGA14FG

When checking whether task:2 can call tool_resource:slack_send_message/XGA14FG, send a contextual tuple linking the resource to its tool. This avoids storing a tuple for every channel — you provide the tool-to-resource relationship at query time.


// Run a check
const { allowed } = await fgaClient.check({
    user: 'task:2',
    relation: 'can_call',
    object: 'tool_resource:slack_send_message/XGA14FG',
    contextualTuples: [
      {
        user: 'tool:slack_send_message',
        relation: 'tool',
        object: 'tool_resource:slack_send_message/XGA14FG',
      }
    ],
  }, {
    authorizationModelId: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = true

Domain-specific models

The model above is generic. If you are building agents for your own application, your authorization model should reflect your domain. Consider a project management system:

model
  schema 1.1

type user

type task

type organization
  relations
    define admin: [user]
    define member: [user]

type project
  relations
    define organization: [organization]
    
    # relations for users
    define owner: [user]
    define member: [user]
    
    # relations for tasks
    define read: [task]
    define write: [task]
    define delete: [task]

    # permissions for users
    define can_delete: delete or owner or admin from organization
    define can_edit: write or owner or admin from organization
    define can_read: read or can_edit or member from organization
    define can_create_ticket: can_edit

type ticket
  relations
    define project: [project]
    define owner: [user]

    # relations for tasks
    define read: [task]
    define write: [task]
    define delete: [task]
    define can_delete: owner or delete or can_delete from project
    define can_edit: owner or write or can_edit from project
    define can_read: read or write or can_read from project

This enriches an existing user-oriented model by adding task as a principal. Granting a task the write relation on a project gives it permission to read and edit the project and all its tickets. You can also grant permissions at the ticket level for more granular control. This makes your application ready for agent authorization with minimal changes to your existing model.

If you follow this approach, your application needs to perform both user and task authorization. This means two separate checks: one to verify the user has access to a resource, and another to verify the task has permission to perform the action on behalf of the agent, as described in Binding agents to tasks.

Scoping permissions to sessions and agents

In interactive scenarios, users may create multiple sessions. You can scope permissions to a session so that access applies to all tasks within it. You can also scope permissions to an agent so they persist across sessions.

model
  schema 1.1

type task

type agent
  relations
    define task: [task]

type session
  relations
    define task: [task]

type tool
  relations
    define can_call: [task, session#task, agent#task]

The can_call relation accepts three types of assignments:

  • task — grant permission to a specific task.
  • session#task — grant permission to all tasks in a session. When the user says "allow this for this session", write a tuple like user: session:1#task, relation: can_call, object: tool:slack_send_message.
  • agent#task — grant permission to all tasks for an agent, across sessions. When the user says "always allow this", write a tuple with agent:1#task instead.

Each task is linked to its session and agent when created:

tuples:
  # Link task to its agent and session
  - user: task:1
    relation: task
    object: agent:1
  - user: task:1
    relation: task
    object: session:1

  # Grant session-level access
  - user: session:1#task
    relation: can_call
    object: tool:slack_send_message

Expiration and call count

You can use OpenFGA conditions to make permissions expire after a duration, or limit how many times the tool can be called.

model
  schema 1.1

type task

type tool
  relations
    define can_call: [task, task with expiration, task with max_call_count]

condition expiration(grant_time: timestamp, grant_duration: duration, current_time: timestamp) {
  current_time < grant_time + grant_duration
}

condition max_call_count(max_tool_calls: int, current_tool_count: int) {
  current_tool_count < max_tool_calls
}

The expiration condition grants access for a fixed duration from the grant time. The max_call_count condition limits how many times the tool can be called. When writing the tuple, you provide the condition parameters:

tuples:
  # task:1 can call the tool for 10 minutes
  - user: task:1
    relation: can_call
    object: tool:slack_send_message
    condition:
      name: expiration
      context:
        grant_time: "2026-03-22T00:00:00Z"
        grant_duration: 10m

  # task:2 can call the tool up to 2 times
  - user: task:2
    relation: can_call
    object: tool:slack_send_message
    condition:
      name: max_call_count
      context:
        max_tool_calls: 2

When checking access, pass the current time or current call count in the request context.

Binding agents to tasks

The examples above do not verify that the agent making the call is actually assigned to the task. You can enforce this using contextual tuples and an intersection (and) in the model, similar to the Authorization Through Organization Context pattern.

model
  schema 1.1

type task

type agent
  relations
    define task: [task]

type tool
  relations
    define calling_agent: [agent]
    define can_call: [task] and task from calling_agent

The can_call relation requires both that the task has been granted access and that the agent making the call is linked to the task. When the task is created, link it to its agent:

tuples:
  - user: task:1
    relation: task
    object: agent:1
  - user: task:1
    relation: can_call
    object: tool:slack_send_message

At check time, send a contextual tuple identifying the calling agent. If the agent is linked to the task, the check returns true:


// Run a check
const { allowed } = await fgaClient.check({
    user: 'task:1',
    relation: 'can_call',
    object: 'tool:slack_send_message',
    contextualTuples: [
      {
        user: 'agent:1',
        relation: 'calling_agent',
        object: 'tool:slack_send_message',
      }
    ],
  }, {
    authorizationModelId: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = true

If a different agent tries to use task:1, the check returns false because the agent-to-task link does not match:


// Run a check
const { allowed } = await fgaClient.check({
    user: 'task:1',
    relation: 'can_call',
    object: 'tool:slack_send_message',
    contextualTuples: [
      {
        user: 'agent:2',
        relation: 'calling_agent',
        object: 'tool:slack_send_message',
      }
    ],
  }, {
    authorizationModelId: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = false

Delegating task permissions to sub-agents

Sub-agents also start with no permissions. When delegating work, you have two options:

  • Share the task: assign the same task to the sub-agent, giving it all the task's permissions.
  • Restrict further: create a new task with a narrower set of permissions for the sub-agent.

Tuple cleanup

When a task completes, delete all tuples associated with it to revoke its permissions.

Further reading

Mapping user intent to the right set of permissions is an active area of research. These resources explore the topic:

Take a look at the following sections for more information.
Conditions

Learn how to model relationships with conditions such as expiration and call count

Contextual Tuples

Learn how to use contextual tuples to send dynamic context at query time