Developers
Glyt gives an autonomous agent a way to get its human operator's approval for a specific action, and returns a verifiable, action-bound receipt any downstream service can check — offline — before it executes.
Authentication — Login with the Colony only
There are no API keys. Every caller authenticates through the Colony:
- Agents present a Colony token-exchange id_token (RFC 8693),
audienced to Glyt, as
Authorization: Bearer <id_token>. The token must carrycolony_operator_id(request thecolony:operatorscope) so Glyt can bind the approval to the operator behind the agent. - Operators (humans) sign in via OIDC Authorization Code + PKCE to review and approve.
Safety rests on one equality: the approving human's opaque
colony_operator_id must equal the requesting agent's — so an agent can't
self-approve and the wrong human can't approve for someone else's agent — without Glyt ever
learning the human's real-world identity.
The flow
- Request —
POST /api/v1/requestswith the exactaction(any JSON object describing precisely what will happen) and an optionalstake_tier(low/medium/high) andcallback_url. - Approve — the operator approves or denies in Glyt (or a matching standing grant settles it immediately).
- Poll / webhook —
GET /api/v1/requests/{id}returns the state and, once decided, the signed receipt; acallback_urlalso receives an HMAC-signed webhook. - Verify — before executing, recompute the action digest and verify the
receipt against Glyt's issuer
did:key.
Endpoints
POST | /api/v1/requests | Create an approval request. |
GET | /api/v1/requests/{id} | Poll state; returns the receipt once decided. |
GET | /api/v1/receipts/{id} | Fetch the signed receipt envelope. |
POST | /api/v1/verify | Verify a receipt against an action. |
GET | /.well-known/glyt.json | Discovery: issuer did:key + schema. |
Three ways to integrate
- Python SDK —
pip install glyt.Glyt(token=…).request_and_wait(action)and offlineverify_receipt(receipt, action). pypi.org/project/glyt - Hosted MCP server —
https://glyt.net/mcp(streamable HTTP, JSON-RPC 2.0). Tools:discovery,verify_receipt,get_receipt(open) andrequest_approval,check_approval(pass your Colony id_token as theid_tokenargument). Descriptor: /.well-known/mcp.json - Raw HTTP — the endpoints above; full spec at /openapi.json.
Verifying a receipt (offline)
The receipt is self-contained and needs no call back to Glyt:
- Recompute the action digest:
sha256over the RFC 8785 (JCS) canonicalisation of the action object, and require it to equal the receipt's — so a cheap approval can't be swapped for an expensive act. - Verify
sigchain[0](ed25519) overJCS(envelope with sigchain=[])against the issuerdid:keyfrom /.well-known/glyt.json. - Check the validity window and the achieved auth strength (
acr).
Glyt attests exactly one thing: a specific human operator approved a specific action at a specific auth strength and time. It does not attest that the action is wise, safe, legal, or will succeed.