[{"data":1,"prerenderedAt":912},["ShallowReactive",2],{"navigation":3,"/guides/how-it-works":145,"/guides/how-it-works-surround":907},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":34,"body":147,"description":900,"extension":901,"links":902,"meta":903,"navigation":904,"path":35,"seo":905,"stem":36,"__hash__":906},"docs/2.guides/1.how-it-works.md",{"type":148,"value":149,"toc":889},"minimark",[150,154,159,170,179,183,186,191,318,322,325,329,332,483,487,494,498,512,548,551,669,672,710,733,737,745,842,885],[151,152,34],"h1",{"id":153},"how-it-works",[155,156,158],"h2",{"id":157},"login-flow-ddisa","Login Flow (DDISA)",[160,161,166],"pre",{"className":162,"code":164,"language":165},[163],"language-text","User enters email at SP\n        ↓\nSP extracts domain → DNS lookup: _ddisa.example.com\n        ↓\nDiscovers IdP URL → Redirects to IdP /authorize\n        ↓\nUser authenticates with Passkey (or Agent via Ed25519)\n        ↓\nIdP issues authorization code → Redirect back to SP\n        ↓\nSP exchanges code for signed JWT (backchannel)\n        ↓\nSP validates JWT (issuer, audience, signature, nonce, act)\n        ↓\nUser is logged in ✅\n","text",[167,168,164],"code",{"__ignoreMap":169},"",[171,172,173,174,178],"p",{},"This is a standard ",[175,176,177],"strong",{},"Authorization Code + PKCE"," flow, enhanced with DNS-based IdP discovery and Passkey-only authentication.",[155,180,182],{"id":181},"grant-flow-permissions","Grant Flow (Permissions)",[171,184,185],{},"When an agent needs to perform a privileged action:",[187,188,190],"h3",{"id":189},"_1-agent-requests-a-grant","1. Agent Requests a Grant",[160,192,196],{"className":193,"code":194,"language":195,"meta":169,"style":169},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","POST /api/grants\n{\n  \"requester\": \"agent@example.com\",\n  \"target\": \"prod-server\",\n  \"grant_type\": \"once\",\n  \"permissions\": [\"deploy\"],\n  \"reason\": \"Deploy hotfix #123\"\n}\n","bash",[167,197,198,211,218,240,257,274,296,312],{"__ignoreMap":169},[199,200,203,207],"span",{"class":201,"line":202},"line",1,[199,204,206],{"class":205},"sBMFI","POST",[199,208,210],{"class":209},"sfazB"," /api/grants\n",[199,212,214],{"class":201,"line":213},2,[199,215,217],{"class":216},"sMK4o","{\n",[199,219,221,224,228,231,234,237],{"class":201,"line":220},3,[199,222,223],{"class":205},"  \"requester\"",[199,225,227],{"class":226},"s2Zo4",":",[199,229,230],{"class":216}," \"",[199,232,233],{"class":209},"agent@example.com",[199,235,236],{"class":216},"\"",[199,238,239],{"class":209},",\n",[199,241,243,246,248,250,253,255],{"class":201,"line":242},4,[199,244,245],{"class":205},"  \"target\"",[199,247,227],{"class":226},[199,249,230],{"class":216},[199,251,252],{"class":209},"prod-server",[199,254,236],{"class":216},[199,256,239],{"class":209},[199,258,260,263,265,267,270,272],{"class":201,"line":259},5,[199,261,262],{"class":205},"  \"grant_type\"",[199,264,227],{"class":226},[199,266,230],{"class":216},[199,268,269],{"class":209},"once",[199,271,236],{"class":216},[199,273,239],{"class":209},[199,275,277,280,282,286,288,291,293],{"class":201,"line":276},6,[199,278,279],{"class":205},"  \"permissions\"",[199,281,227],{"class":226},[199,283,285],{"class":284},"sTEyZ"," [",[199,287,236],{"class":216},[199,289,290],{"class":209},"deploy",[199,292,236],{"class":216},[199,294,295],{"class":284},"],\n",[199,297,299,302,304,306,309],{"class":201,"line":298},7,[199,300,301],{"class":205},"  \"reason\"",[199,303,227],{"class":226},[199,305,230],{"class":216},[199,307,308],{"class":209},"Deploy hotfix #123",[199,310,311],{"class":216},"\"\n",[199,313,315],{"class":201,"line":314},8,[199,316,317],{"class":216},"}\n",[187,319,321],{"id":320},"_2-human-reviews","2. Human Reviews",[171,323,324],{},"The agent's owner or designated approver sees the request in the web UI (or via notification) and approves or denies it.",[187,326,328],{"id":327},"_3-agent-receives-authz-jwt","3. Agent Receives AuthZ-JWT",[171,330,331],{},"On approval, the agent can request a signed AuthZ-JWT:",[160,333,337],{"className":334,"code":335,"language":336,"meta":169,"style":169},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"sub\": \"agent@example.com\",\n  \"act\": \"agent\",\n  \"aud\": \"prod-server\",\n  \"grant_type\": \"once\",\n  \"permissions\": [\"deploy\"],\n  \"decided_by\": \"alice@example.com\",\n  \"exp\": 1234567890\n}\n","json",[167,338,339,343,364,384,403,422,443,463,478],{"__ignoreMap":169},[199,340,341],{"class":201,"line":202},[199,342,217],{"class":216},[199,344,345,348,352,354,356,358,360,362],{"class":201,"line":213},[199,346,347],{"class":216},"  \"",[199,349,351],{"class":350},"spNyl","sub",[199,353,236],{"class":216},[199,355,227],{"class":216},[199,357,230],{"class":216},[199,359,233],{"class":209},[199,361,236],{"class":216},[199,363,239],{"class":216},[199,365,366,368,371,373,375,377,380,382],{"class":201,"line":220},[199,367,347],{"class":216},[199,369,370],{"class":350},"act",[199,372,236],{"class":216},[199,374,227],{"class":216},[199,376,230],{"class":216},[199,378,379],{"class":209},"agent",[199,381,236],{"class":216},[199,383,239],{"class":216},[199,385,386,388,391,393,395,397,399,401],{"class":201,"line":242},[199,387,347],{"class":216},[199,389,390],{"class":350},"aud",[199,392,236],{"class":216},[199,394,227],{"class":216},[199,396,230],{"class":216},[199,398,252],{"class":209},[199,400,236],{"class":216},[199,402,239],{"class":216},[199,404,405,407,410,412,414,416,418,420],{"class":201,"line":259},[199,406,347],{"class":216},[199,408,409],{"class":350},"grant_type",[199,411,236],{"class":216},[199,413,227],{"class":216},[199,415,230],{"class":216},[199,417,269],{"class":209},[199,419,236],{"class":216},[199,421,239],{"class":216},[199,423,424,426,429,431,433,435,437,439,441],{"class":201,"line":276},[199,425,347],{"class":216},[199,427,428],{"class":350},"permissions",[199,430,236],{"class":216},[199,432,227],{"class":216},[199,434,285],{"class":216},[199,436,236],{"class":216},[199,438,290],{"class":209},[199,440,236],{"class":216},[199,442,295],{"class":216},[199,444,445,447,450,452,454,456,459,461],{"class":201,"line":298},[199,446,347],{"class":216},[199,448,449],{"class":350},"decided_by",[199,451,236],{"class":216},[199,453,227],{"class":216},[199,455,230],{"class":216},[199,457,458],{"class":209},"alice@example.com",[199,460,236],{"class":216},[199,462,239],{"class":216},[199,464,465,467,470,472,474],{"class":201,"line":314},[199,466,347],{"class":216},[199,468,469],{"class":350},"exp",[199,471,236],{"class":216},[199,473,227],{"class":216},[199,475,477],{"class":476},"sbssI"," 1234567890\n",[199,479,481],{"class":201,"line":480},9,[199,482,317],{"class":216},[187,484,486],{"id":485},"_4-target-verifies","4. Target Verifies",[171,488,489,490,493],{},"The target system validates the AuthZ-JWT: signature, audience, expiry, permissions, and optionally ",[167,491,492],{},"cmd_hash"," for exact command binding.",[155,495,497],{"id":496},"escapes-privilege-elevation-for-agents","escapes — Privilege Elevation for Agents",[171,499,500,505,506,511],{},[501,502,503],"a",{"href":66},[167,504,65],{}," is a setuid-root Rust binary that brings the grant flow to local privilege elevation. It receives a pre-approved AuthZ-JWT (typically from ",[501,507,508],{"href":58},[167,509,510],{},"grapes",") and executes the authorized command.",[160,513,515],{"className":193,"code":514,"language":195,"meta":169,"style":169},"escapes --grant \u003Cjwt> -- systemctl restart nginx\n",[167,516,517],{"__ignoreMap":169},[199,518,519,521,524,527,530,533,536,539,542,545],{"class":201,"line":202},[199,520,65],{"class":205},[199,522,523],{"class":209}," --grant",[199,525,526],{"class":216}," \u003C",[199,528,529],{"class":209},"jw",[199,531,532],{"class":284},"t",[199,534,535],{"class":216},">",[199,537,538],{"class":209}," --",[199,540,541],{"class":209}," systemctl",[199,543,544],{"class":209}," restart",[199,546,547],{"class":209}," nginx\n",[171,549,550],{},"Grant delivery options:",[160,552,554],{"className":193,"code":553,"language":195,"meta":169,"style":169},"escapes --grant \u003Cjwt> -- \u003Ccommand>           # JWT as argument\nescapes --grant-stdin -- \u003Ccommand>            # JWT from stdin\nescapes --grant-file /path/to/jwt -- \u003Ccommand>  # JWT from file\nescapes --run-as \u003Cuser> --grant \u003Cjwt> -- \u003Ccommand>  # Run as specific user\n",[167,555,556,586,606,629],{"__ignoreMap":169},[199,557,558,560,562,564,566,568,570,572,574,577,580,582],{"class":201,"line":202},[199,559,65],{"class":205},[199,561,523],{"class":209},[199,563,526],{"class":216},[199,565,529],{"class":209},[199,567,532],{"class":284},[199,569,535],{"class":216},[199,571,538],{"class":209},[199,573,526],{"class":216},[199,575,576],{"class":209},"comman",[199,578,579],{"class":284},"d",[199,581,535],{"class":216},[199,583,585],{"class":584},"sHwdD","           # JWT as argument\n",[199,587,588,590,593,595,597,599,601,603],{"class":201,"line":213},[199,589,65],{"class":205},[199,591,592],{"class":209}," --grant-stdin",[199,594,538],{"class":209},[199,596,526],{"class":216},[199,598,576],{"class":209},[199,600,579],{"class":284},[199,602,535],{"class":216},[199,604,605],{"class":584},"            # JWT from stdin\n",[199,607,608,610,613,616,618,620,622,624,626],{"class":201,"line":220},[199,609,65],{"class":205},[199,611,612],{"class":209}," --grant-file",[199,614,615],{"class":209}," /path/to/jwt",[199,617,538],{"class":209},[199,619,526],{"class":216},[199,621,576],{"class":209},[199,623,579],{"class":284},[199,625,535],{"class":216},[199,627,628],{"class":584},"  # JWT from file\n",[199,630,631,633,636,638,641,644,646,648,650,652,654,656,658,660,662,664,666],{"class":201,"line":242},[199,632,65],{"class":205},[199,634,635],{"class":209}," --run-as",[199,637,526],{"class":216},[199,639,640],{"class":209},"use",[199,642,643],{"class":284},"r",[199,645,535],{"class":216},[199,647,523],{"class":209},[199,649,526],{"class":216},[199,651,529],{"class":209},[199,653,532],{"class":284},[199,655,535],{"class":216},[199,657,538],{"class":209},[199,659,526],{"class":216},[199,661,576],{"class":209},[199,663,579],{"class":284},[199,665,535],{"class":216},[199,667,668],{"class":584},"  # Run as specific user\n",[171,670,671],{},"Verification chain:",[673,674,675,683,693,703],"ol",{},[676,677,678,679,682],"li",{},"Loads config from ",[167,680,681],{},"/etc/openape/config.toml"," (root-owned)",[676,684,685,686,689,690,692],{},"Verifies the AuthZ-JWT: issuer, signature, approver, audience, ",[167,687,688],{},"target_host",", ",[167,691,492],{},", and IdP consume check",[676,694,695,696,689,699,702],{},"Sanitizes environment (",[167,697,698],{},"LD_PRELOAD",[167,700,701],{},"PATH"," etc.) before execution",[676,704,705,706,709],{},"Executes the command and logs result to ",[167,707,708],{},"/var/log/openape/audit.log"," (JSONL)",[171,711,712,713,716,717,720,721,724,725,728,729,732],{},"Exit codes: ",[167,714,715],{},"0"," (success), ",[167,718,719],{},"1"," (config/HTTP error), ",[167,722,723],{},"5"," (JWT verification failed), ",[167,726,727],{},"126"," (exec failed), ",[167,730,731],{},"127"," (command not found).",[155,734,736],{"id":735},"grapes-grant-management-cli","grapes — Grant Management CLI",[171,738,739,741,742,744],{},[167,740,510],{}," is the universal CLI for the grant lifecycle. It handles authentication, grant requests, approvals, and integrates with ",[167,743,65],{}," for privilege elevation.",[160,746,748],{"className":193,"code":747,"language":195,"meta":169,"style":169},"grapes login --idp https://id.openape.at --key ~/.ssh/id_ed25519\ngrapes request --target \"api.github.com\" --permissions \"write:issues\"\ngrapes run escapes \"systemctl restart nginx\" --approval once\ngrapes delegate --to agent@example.com --with \"read:repos\"\n",[167,749,750,769,796,819],{"__ignoreMap":169},[199,751,752,754,757,760,763,766],{"class":201,"line":202},[199,753,510],{"class":205},[199,755,756],{"class":209}," login",[199,758,759],{"class":209}," --idp",[199,761,762],{"class":209}," https://id.openape.at",[199,764,765],{"class":209}," --key",[199,767,768],{"class":209}," ~/.ssh/id_ed25519\n",[199,770,771,773,776,779,781,784,786,789,791,794],{"class":201,"line":213},[199,772,510],{"class":205},[199,774,775],{"class":209}," request",[199,777,778],{"class":209}," --target",[199,780,230],{"class":216},[199,782,783],{"class":209},"api.github.com",[199,785,236],{"class":216},[199,787,788],{"class":209}," --permissions",[199,790,230],{"class":216},[199,792,793],{"class":209},"write:issues",[199,795,311],{"class":216},[199,797,798,800,803,806,808,811,813,816],{"class":201,"line":220},[199,799,510],{"class":205},[199,801,802],{"class":209}," run",[199,804,805],{"class":209}," escapes",[199,807,230],{"class":216},[199,809,810],{"class":209},"systemctl restart nginx",[199,812,236],{"class":216},[199,814,815],{"class":209}," --approval",[199,817,818],{"class":209}," once\n",[199,820,821,823,826,829,832,835,837,840],{"class":201,"line":242},[199,822,510],{"class":205},[199,824,825],{"class":209}," delegate",[199,827,828],{"class":209}," --to",[199,830,831],{"class":209}," agent@example.com",[199,833,834],{"class":209}," --with",[199,836,230],{"class":216},[199,838,839],{"class":209},"read:repos",[199,841,311],{"class":216},[171,843,844,845,689,848,689,851,689,854,689,857,689,860,689,863,689,866,689,869,689,872,689,875,689,878,689,881,884],{},"Key commands: ",[167,846,847],{},"login",[167,849,850],{},"logout",[167,852,853],{},"whoami",[167,855,856],{},"request",[167,858,859],{},"approve",[167,861,862],{},"deny",[167,864,865],{},"run",[167,867,868],{},"delegate",[167,870,871],{},"delegations",[167,873,874],{},"list",[167,876,877],{},"status",[167,879,880],{},"token",[167,882,883],{},"revoke",".",[886,887,888],"style",{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}",{"title":169,"searchDepth":220,"depth":213,"links":890},[891,892,898,899],{"id":157,"depth":213,"text":158},{"id":181,"depth":213,"text":182,"children":893},[894,895,896,897],{"id":189,"depth":220,"text":190},{"id":320,"depth":220,"text":321},{"id":327,"depth":220,"text":328},{"id":485,"depth":220,"text":486},{"id":496,"depth":213,"text":497},{"id":735,"depth":213,"text":736},"The DDISA login flow and grant system explained.","md",null,{},true,{"title":34,"description":900},"9Ca1Z-5KyykVGp4IL5dEHHrYVzJF66jzb6_fuYG8gW0",[908,910],{"title":24,"path":25,"stem":26,"description":909,"children":-1},"Raw API reference for enrolling agents, requesting grants, and using AuthZ-JWTs.",{"title":38,"path":39,"stem":40,"description":911,"children":-1},"Set up what your agent can do — from read-only access to full automation.",1774221116104]