CrewAI SDK — Agent delegation
Before you write any code, two things need to exist in the AuthSec UI: an AI Agent client (gives your agent an identity) and a trust delegation (declares what that agent is allowed to do). Only then does the SDK have something to talk to.
Step 1 — Register the AI Agent
- In the sidebar, go to Clients → MCP Servers / AI Agents.
- Click Onboard New Client.
- In the modal, select AI Agent.
- Enter an AI Agent Name (e.g., Customer Support).
- Choose the Platform your agent runs on (e.g., Kubernetes).
- Fill in the platform selectors that identify the workload at runtime:

| Key | Example value |
|---|---|
| k8s:ns | production |
| k8s:sa | customer-support-sa |
| k8s:pod-label:app | customer-support |
| k8s:container-name | agent |

- Click + Onboard.
After onboarding, the client detail page shows the Client ID — copy it. You'll set it as AUTHSEC_AGENT_CLIENT_ID in your environment.
Step 2 — Create a trust delegation
Trust delegation tells AuthSec which roles and actions the agent may request tokens for.
- In the sidebar, click Trust Delegation.
- Click Create trust delegation.
- Define context:
  - Set the Role the delegation applies to.
  - Set Target Type to CrewAI AI agent.
  - Under Client / Application, select the agent you just registered.
- Assign permissions: choose the Allowed Actions the agent can perform. You can select individual actions or use Select All.
- Set duration: enter a Maximum Duration and unit (e.g., 1 Hour). Use the shortest window that fits your use case.
- Click Create Trust Delegation. A successful save returns you to the Trust Delegation dashboard.
Step 3 — Install the SDK
pip install authsec-crewai
The package is on PyPI.
Verify:
python -c "from authsec_crewai import AuthSecSecureFetchTool; print('OK')"
Also install the required dependencies:
pip install "crewai>=0.1" "pydantic" "authsec-langchain-sdk" "requests"
Step 4 — Configure the client
import os
from authsec_crewai import AuthSecSecureFetchTool
secure_tool = AuthSecSecureFetchTool(
    base_url=os.environ["AUTHSEC_BASE_URL"],
    client_id=os.environ["AUTHSEC_AGENT_CLIENT_ID"],  # from Step 1
    downstream_url=os.environ["DOWNSTREAM_URL"],
)
The tool caches the delegation token internally and only hits the network on first call or after expiry.
Step 5 — Attach the tool to a CrewAI agent
Pass secure_tool in the tools list of any Agent that needs to call a protected API. The tool calls get_delegation_token() internally and passes the JWT as a Bearer token to the downstream URL.
from crewai import Agent, Task, Crew
analyst = Agent(
    role="Data Analyst",
    goal="Retrieve and summarise billing data",
    backstory="You fetch secure data from protected APIs.",
    tools=[secure_tool],
)
task = Task(description="Get billing records for customer 42.", agent=analyst)
crew = Crew(agents=[analyst], tasks=[task])
crew.kickoff()
Step 6 — Run the smoke test
export AUTHSEC_BASE_URL="https://your-authsec-server"
export AUTHSEC_AGENT_CLIENT_ID="your-client-id"
python examples/smoke_local.py
On Windows (PowerShell):
$env:AUTHSEC_BASE_URL = "https://your-authsec-server"
$env:AUTHSEC_AGENT_CLIENT_ID = "your-client-id"
python examples/smoke_local.py
How the delegation token endpoint works
The SDK calls one endpoint under the hood:
| Method | Path |
|---|---|
| GET | /authsec/uflow/sdk/delegation-token?client_id=<id> |
Response:
{ "token": "<RS256 JWT>", "expires_at": "2026-05-21T07:25:36Z" }
Set base_url to your AuthSec server root — the SDK appends /authsec/... automatically.
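The following is an added example, not the SDK's own code: a minimal client-side cache for the endpoint and response shape shown above, which refetches only on first use or when `expires_at` is near, and rejects a token whose header does not declare RS256. The names `DelegationTokenCache`, `jwt_alg`, `make_sample_jwt`, `http_get` and `skew_seconds` are assumptions, as is the https-only check; the header check is a sanity check and does not verify the signature.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

TOKEN_PATH = "/authsec/uflow/sdk/delegation-token"  # path from the table above


def jwt_alg(token):
    """Read the alg field of the JWT header (no signature verification)."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(header_b64))["alg"]


class DelegationTokenCache:
    """Hypothetical cache for illustration; not the SDK's internal implementation."""

    def __init__(self, base_url, client_id, http_get, now=None, skew_seconds=30):
        if not base_url.startswith("https://"):
            raise ValueError("base_url must use https")
        query = urlencode({"client_id": client_id})
        self.url = base_url.rstrip("/") + TOKEN_PATH + "?" + query
        self.http_get = http_get  # callable(url) -> dict parsed from the JSON body
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.skew = timedelta(seconds=skew_seconds)  # refresh slightly before expiry
        self._token, self._expires_at = None, None

    def get(self):
        if self._token is None or self.now() >= self._expires_at - self.skew:
            body = self.http_get(self.url)
            if jwt_alg(body["token"]) != "RS256":
                raise ValueError("unexpected JWT alg")
            expires_at = datetime.fromisoformat(body["expires_at"].replace("Z", "+00:00"))
            if expires_at <= self.now():
                raise ValueError("server returned an already-expired token")
            self._token, self._expires_at = body["token"], expires_at
        return self._token


def make_sample_jwt(alg="RS256"):
    """Constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": alg, "typ": "JWT"}) + "." + enc({"sub": "sample"}) + ".c2ln"
```

In a real deployment `http_get` would wrap an HTTP client call such as `requests.get(url, timeout=...).json()`, and the downstream API remains responsible for verifying the JWT signature and claims.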