Core Concepts

SilentAuth is built around four primitives: Intents, Policies, Human Verification, and Permits. Understanding how they interact is the key to integrating SilentAuth effectively.

The core flow: Your system declares an Intent → SilentAuth evaluates it against your Policies → If required, a human verifies and approves → A signed Permit is issued → Your system validates the Permit before executing.

Intents

An Intent is a declared desire to perform a sensitive action. Before your AI agent, pipeline, or script can execute a high-risk operation, it first declares an Intent — what it wants to do, with what parameters, and who should approve it. Intents are immutable once created and are stored in the audit log forever.

Policies

Policies are rules that determine which actions require human approval and under what conditions. You configure policies per-project and per-action. Policies can require approval from specific individuals, teams, or roles. They can also whitelist low-risk patterns (e.g., staging deploys) while requiring approval for production.

Human Verification

When an Intent matches a policy that requires human approval, SilentAuth sends an approval request to the designated approvers via email, Slack, or a dashboard notification. The approver reviews the intent parameters and signs the approval using a passkey, WebAuthn, or MFA — producing cryptographic proof of presence.

Permits

A Permit is a short-lived, cryptographically signed JWT issued after a human approves an Intent. Your system validates the permit before executing the action. Permits are bound to the exact action, parameters, and approver — they cannot be reused, replayed, or tampered with. Offline validation is supported via RSA public keys.