Metadata-Version: 2.4
Name: authsec-langchain-sdk
Version: 0.1.0
Summary: AuthSec identity, delegation, and CIBA approval for LangChain agents
Author-email: AuthSec <support@authsec.ai>
License: Apache-2.0
Project-URL: Homepage, https://authsec.ai
Project-URL: Documentation, https://docs.authsec.ai
Project-URL: Source, https://github.com/authsec-ai/authsec-langchain
Keywords: langchain,authsec,auth,oauth,spiffe,delegation,ciba,agents
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Requires-Python: >=3.9
Description-Content-Type: text/markdown
Requires-Dist: httpx>=0.27
Requires-Dist: pydantic>=2.5
Requires-Dist: langchain-core>=0.2
Provides-Extra: dev
Requires-Dist: pytest>=8; extra == "dev"
Requires-Dist: pytest-asyncio>=0.23; extra == "dev"
Requires-Dist: respx>=0.21; extra == "dev"
Requires-Dist: ruff>=0.5; extra == "dev"
Requires-Dist: mypy>=1.10; extra == "dev"
Provides-Extra: examples
Requires-Dist: langchain>=0.2; extra == "examples"
Requires-Dist: langchain-openai>=0.1; extra == "examples"

# authsec-langchain

AuthSec identity, delegation, and human-in-the-loop approval for LangChain agents.

## What this gives you

- **Delegation tokens** — short-lived JWTs scoped to a single agent run, fetched from AuthSec
- **Cloud credential exchange** — trade the delegation JWT for AWS STS / Azure AD / GCP IAM credentials, so the agent never holds long-lived cloud keys
- **CIBA approval** — pause the agent and require a human tap-to-approve before a high-risk tool runs
- **LangChain callback** — drop-in handler that surfaces the current delegation token to every tool invocation

The SDK only consumes the AuthSec HTTP API. No AuthSec server changes are required.

## Install

```bash
pip install authsec-langchain-sdk
```

## Quick start

```python
from authsec_langchain import AuthsecClient, AuthsecConfig, AuthsecCallbackHandler

client = AuthsecClient(AuthsecConfig(
    base_url="https://auth.example.com",
    api_token="<agent-bootstrap-jwt>",
    tenant_id="tenant-123",
))

# Get a delegation JWT
token = client.get_delegation_token()

# Trade it for AWS credentials
aws_creds = client.exchange_cloud_credentials(
    "aws",
    audience="sts.amazonaws.com",
    role_arn="arn:aws:iam::123456789012:role/my-agent-role",
)

# Ask the user to approve a high-risk action
approved_jwt = client.request_approval(
    login_hint="user@example.com",
    binding_message="Allow agent to delete production resources?",
)
```

See [examples/aws_s3_agent.py](examples/aws_s3_agent.py) for an end-to-end LangChain agent.
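
The approval step relies on CIBA poll mode. The following is an added example, not code from this SDK, showing a poll loop that fails closed using the grant type and error codes defined in OpenID Connect CIBA Core. `poll_ciba`, `token_request`, `simulate`, and the exception names are hypothetical, and the responses are constructed.

```python
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type from CIBA Core

class ApprovalDenied(Exception):
    """User refused, or the server answered with anything unexpected."""

class ApprovalExpired(Exception):
    """The auth_req_id lifetime ran out before the user approved."""

def poll_ciba(token_request, auth_req_id, expires_in, interval=5,
              sleep=time.sleep, clock=time.monotonic):
    """Poll until approved; every other outcome raises (fail closed).

    token_request(form) -> (http_status, json_body) is a hypothetical
    transport hook, not an AuthSec SDK function.
    """
    deadline = clock() + expires_in
    while True:
        sleep(interval)
        if clock() >= deadline:
            raise ApprovalExpired("no approval before auth_req_id expired")
        status, body = token_request(
            {"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id})
        if status == 200 and "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue
        if error == "slow_down":
            interval += 5  # CIBA Core: back off by at least 5 seconds
            continue
        if error == "expired_token":
            raise ApprovalExpired("server reported expired_token")
        raise ApprovalDenied(error or f"unexpected HTTP {status}")

def simulate(script, expires_in=120):
    """Run poll_ciba against constructed responses and a fake clock."""
    now, waits, replies = [0.0], [], list(script)
    def fake_sleep(seconds):
        waits.append(seconds)
        now[0] += seconds
    try:
        body = poll_ciba(lambda form: replies.pop(0), "constructed-req-id",
                         expires_in, sleep=fake_sleep, clock=lambda: now[0])
        return "approved", waits, body
    except (ApprovalDenied, ApprovalExpired) as exc:
        return type(exc).__name__, waits, None
```

A high-risk tool should run only when the loop returns a token; a denial, an expiry, or an unrecognized response all raise, so the tool call never proceeds by default.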

## What's in v0.1

| Feature | Status |
|---|---|
| Delegation-token fetch + cache | ✅ |
| AWS / Azure / GCP cloud exchange | ✅ |
| CIBA initiate + poll | ✅ |
| LangChain callback handler | ✅ |
| Async client | ⏳ v0.2 |
| LangGraph node helpers | ⏳ v0.2 |
| Streaming approval (webhook) | ⏳ v0.3 |

## Development

```bash
pip install -e ".[dev]"
pytest
```
