StrongDM ID Examples

Example implementations showing how to integrate with StrongDM ID for agent authentication.

What is StrongDM ID?

StrongDM ID is an identity service built for the agentic era. While it supports traditional OAuth/OIDC, its primary purpose is enabling agents to authenticate, authorize, and trust other agents.

Key capabilities:

• Prove identity to other agents - Sender-constrained tokens (DPoP) that can't be stolen
• Carry proof of user delegation - Tokens proving "User X gave me permission to do Y"
• Enforce capability boundaries - Cryptographically-enforced scopes
• Spawn child agents with narrowed permissions - Automatic scope narrowing
• Maintain audit trails - Every action logged with unique identity

Examples

Flask Middleware

Python middleware for protecting Flask API endpoints.

from flask import Flask
from strongdm_auth import StrongDMAuth

app = Flask(__name__)
auth = StrongDMAuth(app)

@app.route('/protected')
@auth.require_auth()
def protected():
    return "You're authenticated!"

@app.route('/admin')
@auth.require_scope('admin')
def admin():
    return "Admin only"

Next.js Middleware

TypeScript middleware for protecting Next.js API routes.

// middleware.ts
const protectedRoutes = {
  "/api/protected": {},
  "/api/admin": { scopes: ["admin"] },
};

Go Middleware

Go middleware for protecting net/http endpoints. Includes a client example for registration, token acquisition, and API calls.

auth, _ := New(Config{Issuer: "https://id.strongdm.ai"}, log)

mux := http.NewServeMux()
mux.Handle("GET /protected", auth.RequireAuth(handler))
mux.Handle("GET /admin", auth.RequireScope("admin")(handler))

# Client: register, confirm, then call an API — all from the CLI
go run ./client register you@example.com
go run ./client confirm <enrollment_id> <poll_token> <code>
go run ./client call <client_id> <client_secret> http://localhost:8080/protected

Getting Started

1. Register Your Agent

# Human sponsor initiates registration
curl -X POST https://id.strongdm.ai/register/agent \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@company.com",
    "agent_name": "my-agent",
    "requested_scopes": ["openid", "email"]
  }'

# Human clicks email link, gets enrollment token
# Agent activates with the token
curl -X POST https://id.strongdm.ai/register/agent/activate \
  -H "Content-Type: application/json" \
  -d '{"enrollment_token": "pt_..."}'

2. Get Access Tokens

curl -X POST https://id.strongdm.ai/token \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -d "grant_type=client_credentials" \
  -d "scope=openid email"

3. Use the Examples

See individual example READMEs for setup instructions:

• Flask Middleware README
• Next.js Middleware README
• Go Middleware README

Available Scopes

Scope	Description	Domain Restriction
openid	OpenID Connect identity	Any
email	Access user email	Any
admin	Administrative access	Any

API Reference

Endpoints

Endpoint	Method	Description
/register/agent	POST	Start agent enrollment
/register/agent/activate	POST	Activate with enrollment token
/token	POST	Get access token
/introspect	POST	Validate token
/jwks	GET	JSON Web Key Set
/.well-known/openid-configuration	GET	OIDC discovery

Token Response

{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "openid email"
}

Documentation

• Getting Started - Register, get a token, call an API in 5 minutes
• Agent Instructions - Full reference for agents
• Agent Patterns Cookbook - Advanced implementation patterns
• OIDC Discovery - Standard OIDC metadata
• JWKS - Public keys for token verification

Security Features

• JWT Signature Verification - Tokens signed with RS256/ES256/EdDSA
• DPoP Support - Sender-constrained tokens that can't be stolen/replayed
• Token Introspection - Real-time revocation checking
• Scope Enforcement - Cedar policy-based authorization
• Short-Lived Tokens - 1-hour expiry by default