User Validation¶
Beyond agent-level security, you can validate the human user behind a request.
Validation modes¶
Set via environment variable VALIDATION_MODE:
Mode |
Agent auth |
User auth |
Use case |
|---|---|---|---|
|
❌ |
❌ |
Local development only |
|
✅ |
Optional |
Default — agents must authenticate, users optional |
|
✅ |
✅ |
Production — both agent and user must be validated |
Include user context¶
When building MCP calls, pass the user email:
from abi_core.security.agent_auth import build_semantic_context_from_card
context = build_semantic_context_from_card(
agent_card_path="/app/agent_cards/my_agent.json",
tool_name="find_agent",
query="search query",
user_email="user@example.com", # ← Identifies the human user
)
OPA policy for user permissions¶
package abi
# User permission database
user_permissions := {
"admin@company.com": {"role": "admin", "tools": ["*"]},
"analyst@company.com": {"role": "user", "tools": ["find_agent", "search_tools"]},
}
# Allow if user has permission for this tool
allow if {
perms := user_permissions[input.user.email]
"*" in perms.tools
}
allow if {
perms := user_permissions[input.user.email]
input.request_metadata.mcp_tool in perms.tools
}
# Deny if user not found
deny["User not authorized"] if {
input.context.require_user_validation
not user_permissions[input.user.email]
}
Configure in compose.yaml¶
services:
my-semantic-layer:
environment:
- VALIDATION_MODE=strict
- REQUIRE_USER_VALIDATION=true
- REQUIRE_AGENT_VALIDATION=true