What the Gateway Does
The gateway sits between agents and service providers, enforcing the trusted handshake:
- Agent Registry — Verifies agent identity, manages per-agent capability policies
- OAuth Bridge — Orchestrates OAuth 2.0 authorization flows with PKCE (RFC 7636)
- Scope Intersection — Computes effective permissions from agent approvals, user consent, and requested scopes
- API Proxy — Validates ATH tokens and forwards requests to upstream services
- Audit Logging — Records all authorization decisions
Reference Implementation
The official reference gateway is available at:
ATH Gateway
TypeScript reference implementation (Hono + Node.js) — includes setup guide, configuration reference, and Docker deployment.
OAuth Bridge Modes
The reference gateway supports two OAuth bridge modes:

| Mode | When to use |
|---|---|
| Direct OAuth | Connect to any OAuth2 provider (GitHub, Google, etc.) |
| Mock | Built-in mock for testing without external dependencies |
In direct OAuth mode, the gateway automatically generates a PKCE pair — code_challenge (S256) is sent to the authorization server, and code_verifier is stored on the session and sent during token exchange. No agent-side action is required.
resource parameter (RFC 8707) to indicate the target resource server.
Approval Policy
The gateway’s approval policy controls which agents are approved for which scopes. In production, you would:
- Review agent registrations before approving
- Restrict scopes per agent (e.g., agent X can read emails but not send them)
- Monitor audit logs for unusual access patterns
- Revoke agent access if it misbehaves
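The scope intersection listed under "What the Gateway Does", applied to the per-agent restriction above, as an added example (not the reference gateway's code). The function name, record shape and scope strings such as mail:read are assumptions made for illustration.

```typescript
// Added example: names, scope strings and record shapes are hypothetical,
// not the ATH gateway's actual API.
type Layer = "agent_policy" | "user_consent";

interface ScopeDecision {
  agentId: string;
  granted: string[];                          // effective scopes for the token
  denied: { scope: string; by: Layer[] }[];   // audit detail: which layer refused
}

function has(list: string[], s: string): boolean {
  return list.indexOf(s) !== -1;
}

// effective = requested ∩ agentApproved ∩ userConsented.
// Only requested scopes are considered, so the result can never exceed
// what the agent asked for, what policy allows, or what the user consented to.
function intersectScopes(
  agentId: string,
  agentApproved: string[],
  userConsented: string[],
  requested: string[],
): ScopeDecision {
  const decision: ScopeDecision = { agentId, granted: [], denied: [] };
  // De-duplicate the request so a repeated scope is decided once.
  const unique = requested.filter((s, i) => requested.indexOf(s) === i);
  for (const scope of unique) {
    const by: Layer[] = [];
    if (!has(agentApproved, scope)) by.push("agent_policy");
    if (!has(userConsented, scope)) by.push("user_consent");
    if (by.length === 0) decision.granted.push(scope);
    else decision.denied.push({ scope, by });
  }
  return decision;
}

// Constructed sample: agent X may read mail but not send it.
const sample = intersectScopes(
  "agent-x",
  ["mail:read"],                            // approval policy for agent X
  ["mail:read", "mail:send"],               // scopes the user consented to
  ["mail:read", "mail:send", "mail:read"],  // scopes the agent requested
);
console.log(JSON.stringify(sample, null, 2));
```

Writing the denied entries to the audit log alongside the granted ones makes repeated requests for unapproved scopes visible when reviewing access patterns.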
Next Steps
Build an Agent
Use the ATH Client SDK to connect your agent to a gateway
API Specification
See the complete API endpoint specification