[{"data":1,"prerenderedAt":550},["ShallowReactive",2],{"navigation":3,"\u002Fgetting-started\u002Fhow-it-works":89,"\u002Fgetting-started\u002Fhow-it-works-surround":545},[4,40,63,76],{"title":5,"path":6,"stem":7,"children":8,"icon":39},"Getting Started","\u002Fgetting-started","1.getting-started\u002F1.index",[9,11,15,19,23,27,31,35],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Quick Start: Service Provider","\u002Fgetting-started\u002Fquickstart-sp","1.getting-started\u002F2.quickstart-sp",{"title":16,"path":17,"stem":18},"Quick Start: Identity Provider","\u002Fgetting-started\u002Fquickstart-idp","1.getting-started\u002F3.quickstart-idp",{"title":20,"path":21,"stem":22},"Quick Start: Agent","\u002Fgetting-started\u002Fquickstart-agent","1.getting-started\u002F4.quickstart-agent",{"title":24,"path":25,"stem":26},"Quick Start","\u002Fgetting-started\u002Finstallation","1.getting-started\u002F5.installation",{"title":28,"path":29,"stem":30},"How It Works","\u002Fgetting-started\u002Fhow-it-works","1.getting-started\u002F6.how-it-works",{"title":32,"path":33,"stem":34},"For Service Providers","\u002Fgetting-started\u002Ffor-service-providers","1.getting-started\u002F7.for-service-providers",{"title":36,"path":37,"stem":38},"CLI (apes & ape-shell)","\u002Fgetting-started\u002Fcli","1.getting-started\u002F8.cli",false,{"title":41,"path":42,"stem":43,"children":44,"icon":39},"Ecosystem","\u002Fecosystem","2.ecosystem\u002F1.index",[45,47,51,55,59],{"title":46,"path":42,"stem":43},"Overview",{"title":48,"path":49,"stem":50},"OpenApe Auth","\u002Fecosystem\u002Fauth","2.ecosystem\u002F2.auth",{"title":52,"path":53,"stem":54},"OpenApe Grants","\u002Fecosystem\u002Fgrants","2.ecosystem\u002F3.grants",{"title":56,"path":57,"stem":58},"nuxt-auth-sp","\u002Fecosystem\u002Fnuxt-auth-sp","2.ecosystem\u002F4.nuxt-auth-sp",{"title":60,"path":61,"stem":62},"escapes","\u002Fecosystem\u002Fescapes","2.ecosystem\u002F5.escapes",{"title":64,"icon":39,"path":65,"stem":66,"children":67,"page":39},"Security","\u002Fsecurity","3.security",[68,72],{"title":69,"path":70,"stem":71},"Compliance","\u002Fsecurity\u002Fcompliance","3.security\u002F1.compliance",{"title":73,"path":74,"stem":75},"Threat Model","\u002Fsecurity\u002Fthreat-model","3.security\u002F2.threat-model",{"title":77,"icon":39,"path":78,"stem":79,"children":80,"page":39},"Guides","\u002Fguides","4.guides",[81,85],{"title":82,"path":83,"stem":84},"Capabilities & Grants","\u002Fguides\u002Fcapabilities","4.guides\u002F1.capabilities",{"title":86,"path":87,"stem":88},"Delegation","\u002Fguides\u002Fdelegation","4.guides\u002F2.delegation",{"id":90,"title":28,"body":91,"description":538,"extension":539,"links":540,"meta":541,"navigation":542,"path":29,"seo":543,"stem":30,"__hash__":544},"docs\u002F1.getting-started\u002F6.how-it-works.md",{"type":92,"value":93,"toc":528},"minimark",[94,98,103,114,123,127,130,135,262,266,269,273,276,427,431,438,442,447,483,521,524],[95,96,28],"h1",{"id":97},"how-it-works",[99,100,102],"h2",{"id":101},"login-flow-ddisa","Login Flow (DDISA)",[104,105,110],"pre",{"className":106,"code":108,"language":109},[107],"language-text","User enters email at SP\n        ↓\nSP extracts domain → DNS lookup: _ddisa.example.com\n        ↓\nDiscovers IdP URL → Redirects to IdP \u002Fauthorize\n        ↓\nUser authenticates with Passkey (or Agent via Ed25519)\n        ↓\nIdP issues authorization code → Redirect back to SP\n        ↓\nSP exchanges code for signed JWT (backchannel)\n        ↓\nSP validates JWT (issuer, audience, signature, nonce, act)\n        ↓\nUser is logged in ✅\n","text",[111,112,108],"code",{"__ignoreMap":113},"",[115,116,117,118,122],"p",{},"This is a standard ",[119,120,121],"strong",{},"Authorization Code + PKCE"," flow, enhanced with DNS-based IdP discovery and Passkey-only authentication.",[99,124,126],{"id":125},"grant-flow-permissions","Grant Flow (Permissions)",[115,128,129],{},"When an agent needs to perform a privileged action:",[131,132,134],"h3",{"id":133},"_1-agent-requests-a-grant","1. Agent Requests a Grant",[104,136,140],{"className":137,"code":138,"language":139,"meta":113,"style":113},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","POST \u002Fapi\u002Fgrants\n{\n  \"requester\": \"agent@example.com\",\n  \"target\": \"prod-server\",\n  \"grant_type\": \"once\",\n  \"permissions\": [\"deploy\"],\n  \"reason\": \"Deploy hotfix #123\"\n}\n","bash",[111,141,142,155,162,184,201,218,240,256],{"__ignoreMap":113},[143,144,147,151],"span",{"class":145,"line":146},"line",1,[143,148,150],{"class":149},"sBMFI","POST",[143,152,154],{"class":153},"sfazB"," \u002Fapi\u002Fgrants\n",[143,156,158],{"class":145,"line":157},2,[143,159,161],{"class":160},"sMK4o","{\n",[143,163,165,168,172,175,178,181],{"class":145,"line":164},3,[143,166,167],{"class":149},"  \"requester\"",[143,169,171],{"class":170},"s2Zo4",":",[143,173,174],{"class":160}," \"",[143,176,177],{"class":153},"agent@example.com",[143,179,180],{"class":160},"\"",[143,182,183],{"class":153},",\n",[143,185,187,190,192,194,197,199],{"class":145,"line":186},4,[143,188,189],{"class":149},"  \"target\"",[143,191,171],{"class":170},[143,193,174],{"class":160},[143,195,196],{"class":153},"prod-server",[143,198,180],{"class":160},[143,200,183],{"class":153},[143,202,204,207,209,211,214,216],{"class":145,"line":203},5,[143,205,206],{"class":149},"  \"grant_type\"",[143,208,171],{"class":170},[143,210,174],{"class":160},[143,212,213],{"class":153},"once",[143,215,180],{"class":160},[143,217,183],{"class":153},[143,219,221,224,226,230,232,235,237],{"class":145,"line":220},6,[143,222,223],{"class":149},"  \"permissions\"",[143,225,171],{"class":170},[143,227,229],{"class":228},"sTEyZ"," [",[143,231,180],{"class":160},[143,233,234],{"class":153},"deploy",[143,236,180],{"class":160},[143,238,239],{"class":228},"],\n",[143,241,243,246,248,250,253],{"class":145,"line":242},7,[143,244,245],{"class":149},"  \"reason\"",[143,247,171],{"class":170},[143,249,174],{"class":160},[143,251,252],{"class":153},"Deploy hotfix #123",[143,254,255],{"class":160},"\"\n",[143,257,259],{"class":145,"line":258},8,[143,260,261],{"class":160},"}\n",[131,263,265],{"id":264},"_2-human-reviews","2. Human Reviews",[115,267,268],{},"The agent's owner or designated approver sees the request in the web UI (or via notification) and approves or denies it.",[131,270,272],{"id":271},"_3-agent-receives-authz-jwt","3. Agent Receives AuthZ-JWT",[115,274,275],{},"On approval, the agent can request a signed AuthZ-JWT:",[104,277,281],{"className":278,"code":279,"language":280,"meta":113,"style":113},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"sub\": \"agent@example.com\",\n  \"act\": \"agent\",\n  \"aud\": \"prod-server\",\n  \"grant_type\": \"once\",\n  \"permissions\": [\"deploy\"],\n  \"decided_by\": \"alice@example.com\",\n  \"exp\": 1234567890\n}\n","json",[111,282,283,287,308,328,347,366,387,407,422],{"__ignoreMap":113},[143,284,285],{"class":145,"line":146},[143,286,161],{"class":160},[143,288,289,292,296,298,300,302,304,306],{"class":145,"line":157},[143,290,291],{"class":160},"  \"",[143,293,295],{"class":294},"spNyl","sub",[143,297,180],{"class":160},[143,299,171],{"class":160},[143,301,174],{"class":160},[143,303,177],{"class":153},[143,305,180],{"class":160},[143,307,183],{"class":160},[143,309,310,312,315,317,319,321,324,326],{"class":145,"line":164},[143,311,291],{"class":160},[143,313,314],{"class":294},"act",[143,316,180],{"class":160},[143,318,171],{"class":160},[143,320,174],{"class":160},[143,322,323],{"class":153},"agent",[143,325,180],{"class":160},[143,327,183],{"class":160},[143,329,330,332,335,337,339,341,343,345],{"class":145,"line":186},[143,331,291],{"class":160},[143,333,334],{"class":294},"aud",[143,336,180],{"class":160},[143,338,171],{"class":160},[143,340,174],{"class":160},[143,342,196],{"class":153},[143,344,180],{"class":160},[143,346,183],{"class":160},[143,348,349,351,354,356,358,360,362,364],{"class":145,"line":203},[143,350,291],{"class":160},[143,352,353],{"class":294},"grant_type",[143,355,180],{"class":160},[143,357,171],{"class":160},[143,359,174],{"class":160},[143,361,213],{"class":153},[143,363,180],{"class":160},[143,365,183],{"class":160},[143,367,368,370,373,375,377,379,381,383,385],{"class":145,"line":220},[143,369,291],{"class":160},[143,371,372],{"class":294},"permissions",[143,374,180],{"class":160},[143,376,171],{"class":160},[143,378,229],{"class":160},[143,380,180],{"class":160},[143,382,234],{"class":153},[143,384,180],{"class":160},[143,386,239],{"class":160},[143,388,389,391,394,396,398,400,403,405],{"class":145,"line":242},[143,390,291],{"class":160},[143,392,393],{"class":294},"decided_by",[143,395,180],{"class":160},[143,397,171],{"class":160},[143,399,174],{"class":160},[143,401,402],{"class":153},"alice@example.com",[143,404,180],{"class":160},[143,406,183],{"class":160},[143,408,409,411,414,416,418],{"class":145,"line":258},[143,410,291],{"class":160},[143,412,413],{"class":294},"exp",[143,415,180],{"class":160},[143,417,171],{"class":160},[143,419,421],{"class":420},"sbssI"," 1234567890\n",[143,423,425],{"class":145,"line":424},9,[143,426,261],{"class":160},[131,428,430],{"id":429},"_4-target-verifies","4. Target Verifies",[115,432,433,434,437],{},"The target system validates the AuthZ-JWT: signature, audience, expiry, permissions, and optionally ",[111,435,436],{},"cmd_hash"," for exact command binding.",[99,439,441],{"id":440},"escapes-privilege-elevation-for-agents","escapes — Privilege Elevation for Agents",[115,443,444,446],{},[111,445,60],{}," is a Rust binary that brings the grant flow to local privilege elevation. It supports multiple agents per machine, each with their own user-owned Ed25519 keypair.",[104,448,450],{"className":137,"code":449,"language":139,"meta":113,"style":113},"escapes --grant \u003Cjwt> -- systemctl restart nginx\n",[111,451,452],{"__ignoreMap":113},[143,453,454,456,459,462,465,468,471,474,477,480],{"class":145,"line":146},[143,455,60],{"class":149},[143,457,458],{"class":153}," --grant",[143,460,461],{"class":160}," \u003C",[143,463,464],{"class":153},"jw",[143,466,467],{"class":228},"t",[143,469,470],{"class":160},">",[143,472,473],{"class":153}," --",[143,475,476],{"class":153}," systemctl",[143,478,479],{"class":153}," restart",[143,481,482],{"class":153}," nginx\n",[484,485,486,494,497,500,503,506,509,515],"ol",{},[487,488,489,490,493],"li",{},"Loads config (as root), then ",[119,491,492],{},"drops privileges"," to real user",[487,495,496],{},"Loads private key from configured path (as user), derives public key",[487,498,499],{},"Matches public key against registered agents in config",[487,501,502],{},"Authenticates to the matched agent's IdP via Ed25519",[487,504,505],{},"Creates a grant request (with SHA-256 hash of the command)",[487,507,508],{},"Waits for human approval",[487,510,511,512,514],{},"Receives AuthZ-JWT, verifies ",[111,513,436],{}," matches",[487,516,517,520],{},[119,518,519],{},"Re-elevates"," to root, sanitizes environment, executes command",[115,522,523],{},"The binary runs with the setuid bit — it starts as root, drops privileges before key loading, and only re-elevates after JWT verification.",[525,526,527],"style",{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}",{"title":113,"searchDepth":146,"depth":157,"links":529},[530,531,537],{"id":101,"depth":157,"text":102},{"id":125,"depth":157,"text":126,"children":532},[533,534,535,536],{"id":133,"depth":164,"text":134},{"id":264,"depth":164,"text":265},{"id":271,"depth":164,"text":272},{"id":429,"depth":164,"text":430},{"id":440,"depth":157,"text":441},"The DDISA login flow and grant system explained.","md",null,{},true,{"title":28,"description":538},"yRu41_s1hVV3gDVOIccqWZF3gSJSzrpcOYazVphB-Pk",[546,548],{"title":24,"path":25,"stem":26,"description":547,"children":-1},"Get OpenApe running in minutes.",{"title":32,"path":33,"stem":34,"description":549,"children":-1},"Add authentication to your Nuxt app in 3 steps.",1776885317056]