explaingit

legant-dev/legant

Analysis updated 2026-05-18

1GoAudience · ops devopsComplexity · 4/5LicenseSetup · hard

TLDR

An open-source Go server that controls what AI agents can do on a user's behalf, with scoped time-limited tokens, multi-agent delegation chains, and an MCP gateway.

Mindmap

mindmap
  root((Legant))
    Core auth
      Delegation tokens
      Offline constraint verify
      Monotonic attenuation
    MCP Gateway
      Tool filtering
      Mid-task kill
      Per-agent scope
    Audit
      Hash-chained events
      Audit verify command
    SDKs
      Go
      TypeScript
      Python
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Issue scoped, time-limited tokens so an AI agent can act on a user's behalf without full account access.

USE CASE 2

Deploy an MCP gateway that filters which tools each AI agent can see and call, with mid-task cancellation.

USE CASE 3

Build multi-agent pipelines where each child agent automatically has narrower permissions than its parent.

USE CASE 4

Add tamper-evident audit logs for all AI agent actions across your infrastructure.

What is it built with?

GoPostgreSQLTypeScriptPython

How does it compare?

legant-dev/legantashutosh-swain-git/dahmeraudriusbutkevicius/gohashcompare
Stars111
LanguageGoGoGo
Last pushed2016-07-09
MaintenanceDormant
Setup difficultyhardeasymoderate
Complexity4/51/52/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 30min

Requires Go and a running Postgres instance, production use also needs a Kubernetes cluster for the MCP gateway demos.

Apache 2.0: use freely for any purpose including commercial use, you must include the license notice and state any changes.

In plain English

Legant is an open-source authorization system designed specifically for AI agents. When an AI agent needs to take actions on behalf of a user, like submitting expenses, booking travel, or querying a database, Legant controls exactly what the agent is allowed to do and for how long. It runs as a single self-hostable binary written in Go. The core idea is delegated authorization. Instead of giving an AI agent the same permissions as a full user, Legant issues a special token that carries fine-grained restrictions baked in: a maximum dollar amount, specific categories of actions it can perform, which services it can talk to, and how many minutes before the token expires. These constraints are embedded in a signed token that any connected service can verify on its own, without calling back to Legant every time. When one AI agent spawns another, like a planning agent delegating work to an execution agent, each level in the chain can only have the same permissions or fewer than its parent. This property prevents a sub-agent from quietly expanding its own authority. The full chain of who-delegated-to-whom is recorded inside the token itself. Legant also ships with a gateway component for the Model Context Protocol (MCP), a standard way for AI models to connect to tools and data sources. The gateway filters which tools each agent is allowed to see and call, and can kill a running agent mid-task. Tamper-evident audit logs record every agent action in a hash-chained event store. The project includes over a dozen runnable demos covering scenarios like OAuth token theft replay, multi-agent pipelines, Kubernetes-based AI infrastructure, and analytics over a real Postgres database. SDKs are available for Go, TypeScript, and Python for verifying delegation tokens in resource servers. The project requires Go and Postgres to run. It is licensed under the Apache 2.0 license, which allows free use including commercial use.

Copy-paste prompts

Prompt 1
How do I issue a Legant delegation token that lets an AI agent submit expenses up to $500 for the next hour?
Prompt 2
How does Legant's MCP gateway filter tool visibility per agent and cancel a session mid-execution?
Prompt 3
How do I add the Legant FastAPI middleware to my Python resource server to verify delegation tokens offline?
Prompt 4
How does monotonic attenuation in Legant prevent a sub-agent from gaining broader permissions than its parent?

Frequently asked questions

What is legant?

An open-source Go server that controls what AI agents can do on a user's behalf, with scoped time-limited tokens, multi-agent delegation chains, and an MCP gateway.

What language is legant written in?

Mainly Go. The stack also includes Go, PostgreSQL, TypeScript.

What license does legant use?

Apache 2.0: use freely for any purpose including commercial use, you must include the license notice and state any changes.

How hard is legant to set up?

Setup difficulty is rated hard, with roughly 30min to a first successful run.

Who is legant for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Scan in gitsafehub Deploy in gitdeployhub legant-dev on gitmyhub

Verify against the repo before relying on details.