(no title)
ashwinr2002 | 1 month ago
How would you build such an authz scheme? When claude asks permissions to access a new endpoint, if the user allows it, then reissue the macaroons?
ashwinr2002 | 1 month ago
How would you build such an authz scheme? When claude asks permissions to access a new endpoint, if the user allows it, then reissue the macaroons?
dtkav|1 month ago
1. You can issue your own tokens which means you can design your own authz in front of the upstream API token.
2. Macaroons can be attenuated locally.
So at the time that you decide you want to proxy an upstream API, you can add restrictions like endpoint path to your scheme.
Then, once you have that authz scheme in place, the developer (or agent) can attenuate permissions within that authz scheme for a particular issued macaroon.
I could grant my dev machine the ability to access e.g. /api/customers and /api/products. If i want to have claude write a script to add some metadata to my products, I might attenuate my token to /api/products only and put that in the env file for the script.
Now claude can do development on the endpoint, the token is useless if leaked, and Claude can't read my customer info.
Stripe actually does offer granular authz and short lived tokens, but the friction of minting them means that people don't scope tokens down as much.
ashwinr2002|1 month ago
For example, how do you collect all the endpoints that have access to customer info per your example.
Thought about it and couldn't find a way how