Grantex is built on top of OAuth 2.0 — not as a replacement, but as a purpose-built authorization layer for AI agents. This page explains the key differences and when each approach is the right fit.

Side-by-Side Comparison

| Dimension | OAuth 2.0 | Grantex |
|---|---|---|
| Identity model | Human users and client applications | Agents, principals (humans), and developers — first-class entities |
| Delegation | Limited — no standard for sub-delegation | Agent-to-agent delegation with depth tracking and parent grant chaining (SPEC §9) |
| Revocation | Revoke individual tokens | Revoke grants (all tokens under a grant cascade-revoke), plus principal self-service revocation |
| Audit | Not built in — requires external logging | Tamper-evident, hash-chained audit log with compliance exports (SOC 2, HIPAA, GDPR) |
| Scope model | Flat string scopes | Hierarchical scopes with a registry, scope constraints in policies, and time-bound restrictions |
| Agent-to-agent auth | Not addressed | Sub-agent delegation with parentAgt, parentGrnt, and delegationDepth JWT claims |
| Compliance | Bolted on | Built in — anomaly detection, policy engine, evidence packs |
| Offline verification | Requires introspection endpoint | JWT-based with JWKS — verify tokens without network calls |

When to Use OAuth 2.0

OAuth 2.0 is the right choice when:
  • You are building human-facing login flows (social login, SSO)
  • Your application follows the traditional client → resource server model
  • You need broad ecosystem compatibility with existing OAuth providers (Google, GitHub, Okta)
  • Agents are not part of your authorization model
Grantex does not replace your identity provider. Use OAuth 2.0 / OIDC for authenticating humans, and Grantex for authorizing what agents can do on their behalf.

When to Use Grantex

Grantex is the right choice when:
  • AI agents act on behalf of users and need verifiable, revocable permissions
  • Agents delegate to sub-agents and you need to track the delegation chain
  • You need a tamper-evident audit trail of every action agents take
  • Compliance requirements (SOC 2, HIPAA, GDPR) demand structured evidence of agent activity
  • Users need to review and revoke agent permissions through a self-service dashboard
  • You want offline token verification without hitting an introspection endpoint on every request

Using Both Together

A common architecture is:
  1. OAuth 2.0 / OIDC handles user authentication (login with Google, Okta, etc.)
  2. Grantex handles agent authorization (what the agent can do, audit trail, revocation)
User ──[OIDC login]──▶ Your App ──[Grantex authorize]──▶ Agent
                                                           │
                                                           ▼
                                                    Sub-Agent (delegated)
The Grantex principalId maps to your user’s identity from the OAuth provider. Your app initiates a Grantex authorization request, the user consents, and the agent receives a grant token scoped to exactly what it needs.
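As an added example (not Grantex's own code or API), here is how a resource server could verify a grant token chain offline along the lines of the table above: signature and expiry checked locally, cascade revocation by grant id, and the parentAgt / parentGrnt / delegationDepth claims checked link by link. It assumes HS256 with a shared test key in place of RS256 + JWKS, and assumes the claim names agt, grnt, scope and exp plus a policy depth limit.

```python
import base64, hashlib, hmac, json

# Constructed example: HS256 with a shared test key stands in for the RS256 +
# JWKS verification a real deployment would do offline. parentAgt, parentGrnt
# and delegationDepth are the page's claim names; agt, grnt, scope, exp and
# MAX_DEPTH are assumed names and an assumed policy limit.
TEST_KEY = b"constructed-test-key"
MAX_DEPTH = 2

def _b64u(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:  # test helper, not a real issuer
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = _b64u(b'{"alg":"HS256","typ":"JWT"}') + "." + body
    sig = hmac.new(TEST_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)

def decode_verified(token: str, now: int):
    """Check signature and expiry locally; return the claims, or None on failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(TEST_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        return None
    claims = json.loads(_unb64u(body))
    return claims if claims["exp"] > now else None

def check_chain(tokens: list, revoked_grants: set, now: int) -> str:
    """Return "ok" or a reason; tokens[0] is the root grant, later ones sub-agents."""
    parent = None
    for tok in tokens:
        c = decode_verified(tok, now)
        if c is None:
            return "signature or expiry check failed"
        if c["grnt"] in revoked_grants:  # cascade: a revoked ancestor grant
            return f"grant revoked: {c['grnt']}"  # invalidates everything below it
        if c["delegationDepth"] > MAX_DEPTH:
            return "delegation too deep"
        if parent is None:
            if c["delegationDepth"] != 0 or "parentAgt" in c:
                return "root token carries delegation claims"
        elif c.get("parentAgt") != parent["agt"] or c.get("parentGrnt") != parent["grnt"]:
            return "parent chain broken"
        elif c["delegationDepth"] != parent["delegationDepth"] + 1:
            return "delegationDepth not incremented"
        elif not set(c["scope"]) <= set(parent["scope"]) or c["exp"] > parent["exp"]:
            return "sub-agent exceeds parent grant"
        parent = c
    return "ok"
```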

Further Reading