Authenticated Context
Application state is protected with session-bound signatures. Every read and write is audit-logged with the principal's identity. This enables multi-user isolation, safe delegation, and tamper-evident state management in agentic workflows.
Context Vault
The Context Vault is a principal-bound key-value store. Every operation is audit-logged with the caller's identity, and values are protected with cryptographic integrity checks.
- Every get() and set() is logged
- Hash chain ensures tampering is detectable
- Session isolation via session_id
- Automatic expiration via time_to_live
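The four vault properties above can be seen working together in a small model. The following is an added example and not MACAW's code: a hypothetical ContextVault class that keys entries by session_id, appends a hash-chained audit record for every get and set, honours time_to_live, and exposes a verify_chain() check that fails once any audit record has been altered. The chain hash is keyed with a per-session secret, an assumption made so the example runs on the standard library alone; all names and sample values are constructed.

```python
"""Illustrative model of a hash-chained, session-isolated context vault.

Added example, not MACAW's code. Models the properties the page lists:
per-session audit logging, a hash chain over the audit log, session
isolation via session_id, and expiry via time_to_live. All names are hypothetical.
"""
import hashlib
import hmac
import json
import time

GENESIS = "0" * 64  # hash of the (empty) record before the first audit entry


class ContextVault:
    def __init__(self, session_secret: bytes, clock=time.time):
        # Per-session secret stands in for the session's key material (assumption).
        self._secret = session_secret
        self._clock = clock
        self._store = {}      # (session_id, key) -> (value, expires_at)
        self.audit_log = []   # list of chained audit records

    def _append_audit(self, principal, session_id, op, key):
        prev = self.audit_log[-1]["hash"] if self.audit_log else GENESIS
        record = {"ts": self._clock(), "principal": principal, "session_id": session_id,
                  "op": op, "key": key, "prev": prev}
        payload = json.dumps(record, sort_keys=True).encode()
        # Keyed hash: an attacker without the session secret cannot rebuild the chain.
        record["hash"] = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        self.audit_log.append(record)

    def set(self, principal, session_id, key, value, time_to_live=None):
        expires = self._clock() + time_to_live if time_to_live else None
        self._store[(session_id, key)] = (value, expires)
        self._append_audit(principal, session_id, "set", key)

    def get(self, principal, session_id, key):
        # Reads are logged too, so a failed cross-session lookup leaves a trace.
        self._append_audit(principal, session_id, "get", key)
        entry = self._store.get((session_id, key))
        if entry is None:
            return None
        value, expires = entry
        if expires is not None and self._clock() >= expires:
            del self._store[(session_id, key)]
            return None
        return value

    def verify_chain(self) -> bool:
        """Recompute every record's keyed hash and check each link to its predecessor."""
        prev = GENESIS
        for record in self.audit_log:
            body = {k: v for k, v in record.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            payload = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, record["hash"]):
                return False
            prev = record["hash"]
        return True


def demo():
    """Constructed walk-through: isolation, chain verification, tamper detection, expiry."""
    now = [1_000.0]
    vault = ContextVault(b"constructed-session-secret", clock=lambda: now[0])
    vault.set("alice", "sess-A", "last_query", "SELECT * FROM sales", time_to_live=60)
    same_session = vault.get("alice", "sess-A", "last_query")
    other_session = vault.get("mallory", "sess-B", "last_query")  # different session_id
    chain_ok_before = vault.verify_chain()
    vault.audit_log[0]["principal"] = "mallory"  # simulate tampering with the log
    chain_ok_after = vault.verify_chain()
    now[0] += 61  # advance past time_to_live
    expired = vault.get("alice", "sess-A", "last_query")
    return same_session, other_session, chain_ok_before, chain_ok_after, expired


if __name__ == "__main__":
    print(demo())
```

Each audit record carries the previous record's keyed hash, so editing, reordering or deleting any record breaks verification from that point on; the session-scoped store key is what prevents sess-B from reading sess-A's value at all.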
```python
from macaw_client import MACAWClient

client = MACAWClient(app_name="my-app")
client.register()

# Store a value (audit-logged with your identity)
client.context_set("last_query", "SELECT * FROM sales")

# Retrieve a value (also audit-logged)
query = client.context_get("last_query")

# Values are bound to your session
# Other sessions cannot access this data
```

Session Management
Sessions bridge external identity (from your IDP) with cryptographic verification. Each session receives a unique keypair and can sign invocations independently.
External Authentication
User authenticates with your IDP (Okta, Keycloak, etc.)
Session Creation
MACAW generates keypair, registers with Agent Registry
Identity Binding
JWT claims mapped to MACAW attributes for policy
Session Expiration
Sessions expire automatically via time_to_live, and their keys are revoked on expiry.
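The four steps above form one lifecycle, modelled end to end in the following added example (not MACAW's code). A hypothetical AgentRegistry holds verification material for live sessions, a Session maps IdP claims to policy attributes, signs invocations with its own key, and revokes that key from the registry once time_to_live has passed. The per-session key is a random HMAC secret standing in for the keypair, an assumption made so the example runs on the standard library only; every name, claim and value is constructed.

```python
"""Illustrative model of the session lifecycle: authenticate, create, bind, expire.

Added example, not MACAW's code. A random per-session HMAC secret stands in for
the per-session keypair (assumption); the registry, class and field names are
hypothetical.
"""
import hashlib
import hmac
import json
import secrets
import time


class AgentRegistry:
    """Holds verification material for live sessions; revoked sessions are removed."""

    def __init__(self):
        self._keys = {}

    def register(self, session_id, key):
        self._keys[session_id] = key

    def revoke(self, session_id):
        self._keys.pop(session_id, None)

    def verify(self, session_id, message: bytes, signature: str) -> bool:
        key = self._keys.get(session_id)
        if key is None:
            return False  # unknown or revoked session never verifies
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


def map_claims_to_attributes(claims: dict) -> dict:
    """Identity binding: pick the IdP claims that policy evaluation will see."""
    return {
        "principal": claims["sub"],
        "groups": sorted(claims.get("groups", [])),
        "issuer": claims["iss"],
    }


class Session:
    def __init__(self, registry, claims, time_to_live, clock=time.time):
        self.registry = registry
        self.session_id = secrets.token_hex(8)
        self._key = secrets.token_bytes(32)        # fresh key material per session
        self.attributes = map_claims_to_attributes(claims)
        self.expires_at = clock() + time_to_live
        self._clock = clock
        registry.register(self.session_id, self._key)

    def sign_invocation(self, tool: str, args: dict):
        """Return (message, signature); expired sessions revoke their key and refuse."""
        if self._clock() >= self.expires_at:
            self.registry.revoke(self.session_id)
            raise PermissionError("session expired; key revoked")
        message = json.dumps({"sid": self.session_id, "tool": tool, "args": args,
                              "attrs": self.attributes}, sort_keys=True).encode()
        return message, hmac.new(self._key, message, hashlib.sha256).hexdigest()


def demo():
    """Constructed walk-through of the lifecycle with a controllable clock."""
    now = [0.0]
    registry = AgentRegistry()
    # Step 1: claims as they would arrive from the IdP after login (constructed).
    claims = {"sub": "alice@company.com", "iss": "https://idp.example", "groups": ["sales"]}
    # Steps 2 and 3: session creation registers the key; claims become attributes.
    session = Session(registry, claims, time_to_live=300, clock=lambda: now[0])
    msg, sig = session.sign_invocation("query_sales", {"region": "EMEA"})
    verified = registry.verify(session.session_id, msg, sig)
    forged = registry.verify(session.session_id, msg + b"x", sig)   # altered message
    # Step 4: past time_to_live the session refuses to sign and revokes its key.
    now[0] = 301.0
    try:
        session.sign_invocation("query_sales", {})
        expired_raised = False
    except PermissionError:
        expired_raised = True
    after_revoke = registry.verify(session.session_id, msg, sig)
    return session.attributes["principal"], verified, forged, expired_raised, after_revoke


if __name__ == "__main__":
    print(demo())
```

Because the attributes are embedded in each signed message, a verifier can evaluate policy against exactly the identity the session was bound to, and once the registry has dropped the key even previously valid signatures stop verifying, which is the bounded-lifetime property the Ephemeral Keys section describes.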
```python
from macaw_client import MACAWClient, RemoteIdentityProvider

# Authenticate with enterprise IDP
# (`password` is the user's IDP credential, collected by your application)
idp = RemoteIdentityProvider()
result = idp.login("alice@company.com", password)

# Create client with user's identity
client = MACAWClient(
    app_name="sales-assistant",
    agent_type="user",
    iam_token=result["access_token"]
)
client.register()

# All operations now carry Alice's identity
# Context is isolated to her session
client.context_set("user_preference", "dark_mode")
```

Multi-Tenancy
For SaaS applications serving multiple organizations, MACAW provides built-in tenant isolation. Each tenant has a separate namespace with its own resources, users, and policies.
| Isolation Layer | Guarantee |
|---|---|
| Resource scoping | All resources scoped to tenant; cross-tenant access requires explicit policy |
| Policy inheritance | Tenant policies compose with org policies; more restrictive wins |
| Audit separation | Each tenant sees only their own activity in audit logs |
| Key separation | Each tenant can have its own key hierarchy; cross-tenant signatures don't verify |
Tenant
Organizational isolation unit with its own configuration, users, and API keys.
tier: "enterprise"
Tenant User
User associated with a tenant, with role-based permissions.
role: "analyst"
Integration
For multi-user applications, use bind_to_user() to associate a service client with a specific user's identity.
The user's JWT flows through for policy evaluation, and audit logs attribute actions to the actual user.
```python
from macaw_client import MACAWClient
from macaw_adapters.openai import SecureOpenAI

# Service client (created once at startup)
service = SecureOpenAI(app_name="my-service")

# Per-user client with their identity
user = MACAWClient(
    user_name="alice",
    iam_token=jwt_token,
    agent_type="user"
)
user.register()

# Bind user to service
user_client = service.bind_to_user(user)

# Same API, but with Alice's identity for policy
response = user_client.chat.completions.create(...)

# Cleanup when session ends
user_client.unbind()
```

Security Properties
Context Integrity
The hash chain ensures any modification to context is detectable, so an attacker cannot inject or modify session state without detection.
Ephemeral Keys
Each session gets a unique keypair. Key compromise is limited to a single session with bounded lifetime.
Identity Binding
Sessions are bound to external identities. All actions are attributable to the authenticated user.
Delegated Authorization
Safe patterns for one agent to act on behalf of another with explicit, bounded permissions.