A developer known as Connerlevi has published CapNet, an open-source authorization proxy designed to replace the broad credentials most AI agents currently carry with tightly scoped permission tokens that expire, attenuate, and can be revoked in an instant.
The problem CapNet targets is straightforward: agents deployed against real services — cloud infrastructure, payment systems, email — typically run with OAuth tokens or API keys that grant far more authority than any single task needs. A booking agent and a billing agent might share the same credential set, meaning a misbehaving or compromised agent can reach well beyond its intended scope.
"The agent should never see the underlying credential," Connerlevi wrote in the project's documentation. "It gets a capability — a signed, scoped token — and the proxy decides whether the action is allowed. That's the whole model."
The 'OAuth for actions' tagline is a deliberate parallel to web authorization. Where OAuth scoped data access, CapNet applies similar attenuation to what an agent can actually execute: which tools it can call, which vendors it can spend with, how much it can spend, which regions it can deploy to, and which email domains it can contact. Parent agents can issue sub-capabilities to child agents, but cannot grant more authority than they themselves hold. Revoking a parent capability cascades immediately through any delegation chain beneath it.
The approach draws on ideas that have circulated in security research for decades. Capability-based access control traces back to operating systems work in the 1970s, and Google's Macaroon tokens explored contextual attenuation for bearer tokens in distributed systems. SPIFFE and SPIRE tackle workload identity in microservice environments along similar lines. CapNet applies that general philosophy to the MCP tool-call layer and the multi-agent delegation patterns now common in production deployments.
The proof-of-concept ships with four integration points: an MCP gateway that intercepts tool calls before execution, an OpenClaw plugin for browser-agent workflows, a Chrome extension for managing capabilities, and a TypeScript SDK. Six scripted attack demos illustrate the practical value — a cleanup bot blocked from dropping a production database, a prompt-injection attack stopped from purchasing $10,250 in gift cards, and a multi-agent simulation enforcing role boundaries between sales, finance, and engineering agents.
Connerlevi has flagged the project explicitly as a proof-of-concept. The roadmap lists production hardening, persistent state, and formal cryptographic audit as outstanding work, alongside planned alignment with the broader MCP specification. Whether CapNet attracts collaborators or ends up mainly as a reference design for whoever tackles the problem next is an open question.