Agents can only spend what you delegated.
AgentDiet gives every agent a signed, shrinking mandate. In this demo, the root budget is 3,000 EUR, the gateway delegates a 1,000 EUR budget, and pay(2500) is blocked before the payment tool runs.
* This example, and all the ones that follow, use real Biscuit token mechanics.
Payment Guard
Delegate a smaller payment token, then test safe and unsafe requests.
Demo state: permission payment:execute · delegated budget 1,000 EUR · request pay(2500) · result Denied · signed proof attached.
The problem: Autonomous AI agents are a brand-new attack surface
Handing an unpredictable agent a broad backend or API token is like leaving a child alone in a candy store. Since MCP (Nov 2024) and A2A (Apr 2025), the public incidents keep coming.
Supabase / Cursor · Jul 2025
An agent holding a service-role token processes a booby-trapped support ticket → tokens exfiltrated through a public thread.
GitHub MCP · May 2025
A public issue carrying a prompt injection pushes the agent to exfiltrate private repositories into a public pull request.
CVE-2025-6514 · Jul 2025
Critical OS command injection in mcp-remote, the OAuth proxy many MCP clients use to reach remote servers: a malicious server's OAuth endpoint URL reaches a shell on the client host, so the transport itself is exploitable.
Rug-pull / redefinition · Apr 2025
A tool's description mutates after install: validated on day 1, it quietly hijacks your keys on day 7.
⚠ The injection and rug-pull cases are not bugs a patch removes: they follow from MCP and A2A, as specified today, handing an agent one broad credential and checking nothing per call at the tool boundary. Even where a transport bug like CVE-2025-6514 gets fixed, the attacker who lands on the client still inherits the agent's full credential. An orthogonal authorization layer is needed.
The model: Root mandate → delegated budget → tool check
The payment demo is just one shape of the same rule: every hop can add restrictions, and the verifier checks the final token at the tool boundary.
Mint
The user picks permissions, a budget and an expiry. That becomes a signed root Biscuit token.
Attenuate
Gateways and personal agents append checks per sub-agent. Biscuit attenuation can only add restrictions.
Enforce
The @guarded decorator verifies the token on each call — locally, or via a remote MCP server.
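The mint, attenuate and enforce steps above, run end to end as an added example (not AgentDiet's or Biscuit's code). A real Biscuit token carries Datalog blocks, each Ed25519-signed so that no holder can drop or edit an earlier block; this standard-library model keeps only the evaluation rule that makes attenuation safe: the verifier runs every check from every block, and a block's own facts are visible only to that block's checks, so an appended block can add restrictions but cannot widen the root grant. The fact names, the Datalog shown in comments, the amounts and the timestamps are assumptions chosen to mirror the payment demo, not AgentDiet's schema. The hijacked case is the one the "one is compromised" card describes: a sub-agent that appends a looser block still fails the gateway's cap.

```python
"""Mint -> attenuate -> enforce, modelled in plain Python (standard library only).

Added example, not AgentDiet's or Biscuit's code: Datalog blocks and block
signatures are replaced by Python facts and check functions so the scoping
and accumulation rules can be run stand-alone. All amounts and timestamps
are constructed to mirror the payment demo.
"""
from dataclasses import dataclass, field
from typing import Callable

Check = Callable[[set], bool]   # a predicate over the facts a block can see


@dataclass
class Block:
    label: str
    facts: set = field(default_factory=set)     # tuples such as ("budget", 3000)
    checks: list = field(default_factory=list)  # every check must hold


@dataclass
class Token:
    blocks: list  # blocks[0] is the authority (root) block

    def attenuate(self, block: Block) -> "Token":
        """Holders can only append; earlier blocks stay in force."""
        return Token(self.blocks + [block])


def values(facts: set, name: str) -> list:
    """All v with (name, v) in facts."""
    return [f[1] for f in facts if f[0] == name]


def check_if(name: str, pred) -> Check:
    """Models `check if name($x), pred($x)`: fails when no such fact exists."""
    return lambda facts: bool(values(facts, name)) and all(pred(v) for v in values(facts, name))


# Mint: the user's root mandate (Datalog: right("payment:execute"); budget(3000);
# check if time($t), $t < <expiry>;)
def mint(rights: set, budget_eur: int, expires_at: int) -> Token:
    facts = {("right", r) for r in rights} | {("budget", budget_eur)}
    return Token([Block("root", facts, [check_if("time", lambda t: t < expires_at)])])


# Attenuate: a gateway caps what the sub-agent may spend
# (Datalog: check if amount($a), $a <= <limit>;)
def cap_amount(limit_eur: int, label: str = "gateway") -> Block:
    return Block(label, checks=[check_if("amount", lambda a: a <= limit_eur)])


# Enforce: the verifier at the tool boundary
def authorize(token: Token, request: dict) -> tuple:
    """Return (allowed, reasons). `request` supplies the authorizer's facts."""
    auth_facts = set(request.items())
    root = token.blocks[0]
    reasons = []
    for block in token.blocks:
        # Biscuit scoping: a block's checks see authorizer facts, authority facts
        # and the block's own facts, never facts a later block added.
        visible = auth_facts | root.facts | block.facts
        if not all(c(visible) for c in block.checks):
            reasons.append(f"check failed in block '{block.label}'")
    # Authorizer policy: allow if the root granted the operation within budget.
    visible = auth_facts | root.facts
    op = request["operation"]
    if ("right", op) not in visible:
        reasons.append(f"policy: no right for {op}")
    if any(request["amount"] > b for b in values(visible, "budget")):
        reasons.append("policy: exceeds root budget")
    return (not reasons, reasons)


def demo() -> dict:
    """The payment demo plus the hijacked sub-agent case, on constructed requests."""
    root = mint({"payment:execute"}, budget_eur=3000, expires_at=2_000_000_000)
    agent = root.attenuate(cap_amount(1000))
    # A hijacked sub-agent appends a wider cap and a bigger budget fact of its own.
    hijacked = agent.attenuate(Block("hijacked", {("budget", 5000)},
                                     [check_if("amount", lambda a: a <= 5000)]))
    req = lambda eur: {"operation": "payment:execute", "amount": eur, "time": 1_800_000_000}
    return {
        "pay_800": authorize(agent, req(800)),
        "pay_2500": authorize(agent, req(2500)),
        "pay_2500_hijacked": authorize(hijacked, req(2500)),
        "pay_2500_root": authorize(root, req(2500)),
        "pay_4000_root": authorize(root, req(4000)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ALLOWED' if ok else 'DENIED'} {why}")
```

The model leaves out the part that makes removing a block detectable: in a real Biscuit each block is signed against the previous block's key pair and that chain is verified before any Datalog runs, so a token with a block removed or edited fails verification outright. What the model does show is why a compromised sub-agent gains nothing by appending `budget(5000)`: the gateway's cap still runs, and the authorizer's policy only ever sees the authority block's budget.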
Comparison: You know OAuth. Here's what changes for agents
OAuth 2.0 is the common reference. From there: how each alternative stacks up — and why AgentDiet is the only one that ticks every box.
| Criterion | OAuth 2.0 (the reference) | Auth0 / Okta for AI | OPA / Cedar (policy engine) | AgentDiet (Biscuit) |
|---|---|---|---|---|
| Per-request dynamic granularity | ✕ | ~ | ✓ | ✓ |
| Cascading cryptographic attenuation | ✕ | ✕ | ✕ | ✓ |
| Verifiable offline (no central server) | ~ | ✕ | ✓ | ✓ |
| Open source & sovereign (no US SaaS) | ✓ | ✕ | ✓ | ✓ |
| Built for AI agent chains | ✕ | ✓ | ✕ | ✓ |

✓ yes · ~ partial · ✕ no
−70 to −90% cost vs Auth0/Okta in internal deployment · real sovereignty · auditability demanded by critical-infrastructure operators, banking and health.
Step 1: Mint your agent's mandate
Tick what the agent may do, set a budget and an expiry. You get the signed root token everything downstream leans on.
Run it live: Ten examples, triggered from your browser
Each card runs the real example on the backend: every ALLOWED / DENIED badge is a genuine Biscuit verification, not a mock. The cards cover payments, code, transactions, IoT, data, guided tampering, and prompt injection.
One mandate spawns a tree of agents — one is compromised
Watch a root mandate fan out into an orchestrator and three sub-agents. Each tool call passes through the AgentDiet verification layer. The hijacked agent's request is refused by the verifier, not by the agent's good behaviour: its token can only ever shrink, so no block it appends can lift a restriction an earlier hop added.
Build your own: Token sandbox
Mint tokens with any rights, compose logical conditions with AND/OR, then either attenuate a token or verify an attempt. Every action is a real Biscuit operation on the backend.
Token library
Mint signed tokens with arbitrary rights. Stored in your browser only.
Compose a condition
Combine clauses, then attenuate the selected token or verify an attempt against it.