Open source soon · MCP-native · v0.1.x beta

Agents need guardrails.
Not guesswork.

Scoped permissions, signed actions, replayable audit. Nomos is the control plane between your AI agents and the world — every action authorized, every scope narrowed, every decision witnessed. Open source on GitHub.

No credit card · 1k decisions free/mo · Self-host coming

  • 24 integrations · SaaS · cloud · infra
  • 283 brokered actions · schema-validated
  • <50ms p99 decision · in-region PDP
  • 13 npm packages · @auto-nomos/*
integrations: GitHub · Slack · Stripe · Linear · Notion · Google Drive · Gmail · Calendar · Sheets · Docs · Tasks · Contacts · AWS · Azure · GCP · Postgres · SSH · Filesystem · Discord · Telegram · Twilio · Dropbox · Jira · Salesforce
the mistake

A token in a prompt
is a token in a screenshot.

The default agent quickstart says: paste your OAuth token into the system message. It ends up in model traces, OTel spans, training caches, and the screenshot someone shares in Slack at 11pm.

don’t do this

```typescript
// The anti-pattern the section describes: the credential is pasted straight
// into the system prompt. createAgent stands for whichever agent framework
// the quickstart uses; the pattern is the same in all of them.
const agent = createAgent({
  systemPrompt: `
    You are a release bot. Use this GitHub token to ship code:
    ghp_W7Yk2pNvZxQ8mHb4cFrJdT9eAuLqB1sR0gXi
  `,
});

await agent.run("ship v0.2.1");
// → token now in: model trace · langfuse span · cache · backup
```

Once a credential is in the context window, you have lost control of where it goes next. Rotation is reactive. Audit is best-effort. Blast radius is the lifetime of the token times every place a trace might land.

the answer

Three primitives.
One page of code.

Nomos doesn’t add another orchestration framework. It adds three primitives between your agent and its tools: a capability mint, a policy decision, and a signed audit. Use one. Use all three. Drop in tomorrow without rewriting your stack.

  1. Mint UCAN

     A capability token scoped to one resource and one action, expiring in seconds. The agent holds the token; the secret stays with us.

     @auto-nomos/ucan
  2. Decide with Cedar

     AWS-grade policy language. Deterministic, formally verifiable, fail-closed. The visual builder round-trips to the same text.

     @auto-nomos/cedar
  3. Record on chain

     Every decision is hashed into a prev-linked chain. Daily roots are Ed25519-signed. Verify offline with our CLI, forever.

     @auto-nomos/audit-verify
per-call decision

One guard().
Every tool call.

Drop the SDK into your agent. Every external call routes through one function. Allow, deny, or step-up in under fifty milliseconds — and fail-closed by default if the PDP is unreachable, so a network blip never opens the gate.

  • language: TypeScript · Python
  • p99 decision: <50ms
  • default on outage: deny
apps/agent/src/release-bot.ts

```typescript
import { createAuthGuard } from '@auto-nomos/sdk';

const guard = createAuthGuard({
  apiKey: process.env.NOMOS_API_KEY!,
  agent: 'release-bot',
});

// PR fields would come from the agent's plan; placeholder values shown here.
const title = 'Release v0.2.1', body = 'Changelog for v0.2.1', head = 'release/v0.2.1', base = 'main';

// Ask the PDP before touching GitHub: allow, deny, or step-up comes back with a receipt.
const decision = await guard.authorize({
  command: 'github.create_pr',
  resource: 'auto-nomos/nomos',
  payload: { title, body, head, base },
});

// Anything other than an explicit allow stops here; a deny carries reason + receipt-id.
if (decision.decision !== 'allow') throw decision;
await guard.exec(decision);   // proxied, audited, signed
```
outcomes
  • allow → proxy + audit
  • step-up → passkey, then retry
  • deny → reason + receipt-id
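The outage default described above, written out as an added example that is not the Nomos SDK: `PdpClient`, `authorizeFailClosed`, the request shape and the 50 ms budget are assumptions, and a real SDK call would replace the `pdp` function.

```typescript
// Added example, not @auto-nomos/sdk code: a fail-closed wrapper around a PDP
// query. `PdpClient` is an assumed interface; a real SDK call goes in its place.
type Outcome = 'allow' | 'deny' | 'step-up';
interface Decision { decision: Outcome; reason: string }
interface ToolRequest { command: string; resource: string }
type PdpClient = (req: ToolRequest, signal: AbortSignal) => Promise<Decision>;

// Any failure path (timeout, network error, malformed reply) yields a deny.
// The only way to proceed is an explicit allow or step-up from the PDP.
async function authorizeFailClosed(
  pdp: PdpClient, req: ToolRequest, timeoutMs = 50,
): Promise<Decision> {
  const ctl = new AbortController();
  let timer: ReturnType<typeof setTimeout> | undefined;
  const deadline = new Promise<never>((_, reject) => {
    timer = setTimeout(() => {
      ctl.abort();                       // tell the in-flight request to stop
      reject(new Error(`PDP timeout after ${timeoutMs}ms`));
    }, timeoutMs);
  });
  try {
    const d = await Promise.race([pdp(req, ctl.signal), deadline]);
    if (d && (d.decision === 'allow' || d.decision === 'step-up')) return d;
    return { decision: 'deny', reason: d?.reason ?? 'PDP returned no explicit allow' };
  } catch (err) {
    // Unreachable PDP is a deny, not an allow: a network blip must not open the gate.
    return { decision: 'deny', reason: `PDP unreachable: ${(err as Error).message}` };
  } finally {
    clearTimeout(timer);               // never leak the timer on the fast path
  }
}
```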
live audit

Every decision,
signed and chained.

Each PDP decision is hashed against the previous one. A daily root signs the whole window with our Ed25519 key. Hand any signed root to our CLI and walk the chain back to genesis. Forever. Offline.

```shell
$ npx @auto-nomos/audit-verify \
    --bundle audit-2026-05-23.tar.gz
  ✓ 14,922 events verified
  ✓ root signature valid (kid 0x4d2c)
  ✓ chain head: 09f4·1c7b·ae71
```
chain · last 3 events

```text
event N-1                      hash 09f4ab21…
├─ ts        14:22:06.182 UTC
├─ agent     fin-bot
├─ command   stripe.refund_charge
├─ decision  deny · policy: refund_above_threshold
└─ prev      e7c0…
                              │
                              ▼
event N                        hash 1c7b9d04…
├─ ts        14:22:07.001 UTC
├─ agent     support-bot
├─ command   slack.post_message
├─ decision  allow
└─ prev      09f4ab21…
                              │
                              ▼
event N+1                      hash ae7142f9…
├─ ts        14:22:08.214 UTC
├─ agent     release-bot
├─ command   github.transfer_repo
├─ decision  step-up · passkey required
└─ prev      1c7b9d04…

─────────────────────────────────────────────
daily root  2026-05-23  sig 7f3a…  kid 0x4d2c
```
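What the offline walk above actually checks, as an added example that is not the @auto-nomos/audit-verify CLI: the event field layout, the canonical form that is hashed, the genesis value and the bytes covered by the daily-root signature are all assumptions made for this illustration.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';
// Added example, not the @auto-nomos/audit-verify CLI. Field layout, the
// canonical form that is hashed, and the genesis value are assumptions.
interface AuditEvent { ts: string; agent: string; command: string; decision: string; prev: string }
interface SignedRoot { date: string; head: string; count: number; sig: string }
const GENESIS = '0'.repeat(64);
// The hash covers every field including prev, so editing a past event changes
// its hash and breaks the prev link carried by the event after it.
function eventHash(e: AuditEvent): string {
  const canon = [e.ts, e.agent, e.command, e.decision, e.prev].join('\n');
  return createHash('sha256').update(canon).digest('hex');
}
// Bytes the daily root signs: the date, the chain head and the event count.
function rootBytes(r: { date: string; head: string; count: number }): Buffer {
  return Buffer.from(`${r.date}\n${r.head}\n${r.count}`);
}
// Walk from genesis; return the head hash, or null at the first broken link.
function chainHead(events: AuditEvent[]): string | null {
  let prev = GENESIS;
  for (const e of events) {
    if (e.prev !== prev) return null;
    prev = eventHash(e);
  }
  return prev;
}
// Offline check: recompute the chain, then verify the Ed25519 signature over the
// recomputed head with the publisher's public key. No network, no trust in the bundle.
function verifyBundle(events: AuditEvent[], root: SignedRoot, pub: KeyObject): boolean {
  const head = chainHead(events);
  if (head === null || head !== root.head || events.length !== root.count) return false;
  return verify(null, rootBytes(root), pub, Buffer.from(root.sig, 'hex'));
}
// Constructed sample: three events mirroring the page's excerpt and a signed root,
// then the same bundle with one historical decision quietly edited.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const rows = [['14:22:06.182 UTC', 'fin-bot', 'stripe.refund_charge', 'deny'],
    ['14:22:07.001 UTC', 'support-bot', 'slack.post_message', 'allow'],
    ['14:22:08.214 UTC', 'release-bot', 'github.transfer_repo', 'step-up']];
  const events: AuditEvent[] = [];
  for (const [ts, agent, command, decision] of rows) {
    const prev = events.length ? eventHash(events[events.length - 1]) : GENESIS;
    events.push({ ts, agent, command, decision, prev });
  }
  const unsigned = { date: '2026-05-23', head: eventHash(events[2]), count: 3 };
  const root = { ...unsigned, sig: sign(null, rootBytes(unsigned), privateKey).toString('hex') };
  const tampered = events.map((e, i) => (i === 0 ? { ...e, decision: 'allow' } : e));
  return { ok: verifyBundle(events, root, publicKey), tamperedOk: verifyBundle(tampered, root, publicKey), events, root };
}
```

A verifier only needs the publisher's public key and the bundle; rewriting any one event invalidates every link after it and the signed head no longer matches.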
step-up approval

For the calls
that matter.

Detect a high-impact action at policy time, push to your device, wait for a passkey signature, then mint a cosigner UCAN. One tap covers an envelope of actions — the next ten calls in the same intent silent-mint until the envelope expires.

  • repo transfers · prod deletes · refunds
  • new resource · novel scope · denied retry
  • anything you flag in Cedar
approval · pending · expires in 02:14
release-bot wants to transfer a repo

Command github.transfer_repo on auto-nomos/nomos. Once approved, this envelope covers the next 3 actions in the same intent.

  • envelope: 3 actions
  • cosigner ttl: 120s
  • audit: recorded
mcp-native

One npx.
In your editor.

Nomos ships as an MCP server. Point Claude Desktop, Cursor, or Claude Code at it and every tool call your agent makes — across all 24 integrations — is gated, proxied, and chained. No code in your editor.

```shell
$ npx -y @auto-nomos/mcp-server \
    --config ./nomos.json
  ✓ connected to PDP
  ✓ 24 integrations available
  → ready for tool calls
```
supported clients
  • Claude Desktop · ~/Library/Application Support/Claude/claude_desktop_config.json · shipped
  • Cursor · ~/.cursor/mcp.json · shipped
  • Claude Code · claude mcp add nomos · shipped
  • Windsurf · ~/.codeium/windsurf/mcp_config.json · beta
open source

Open source.
Read every line.

Thirteen packages live on npm under @auto-nomos/*, and the full control-plane and dashboard source is public too — all under Apache-2.0. Read every line, open an issue, send a PR.

npmjs.com/org/auto-nomos

  package                       role                      status
  @auto-nomos/core              PDP decide() engine       on npm
  @auto-nomos/cedar             Policy evaluation         on npm
  @auto-nomos/ucan              Capability tokens         on npm
  @auto-nomos/crypto            DID + signing             on npm
  @auto-nomos/sdk               TS SDK for agents         on npm
  @auto-nomos/mcp-server        MCP server                on npm
  @auto-nomos/adapters          YAML connectors           on npm
  @auto-nomos/schema-packs      Tool-call validators      on npm
  @auto-nomos/policy-builder    React Flow editor         on npm
  @auto-nomos/audit-verify      Chain verify CLI          on npm
  @auto-nomos/cli               nomos CLI                 on npm
  @auto-nomos/ucan-cli          nomos-ucan CLI            on npm
  @auto-nomos/shared-types      Zod schemas               on npm
  nomos-sdk (PyPI)              Python SDK for agents     on npm
  @auto-nomos/control-plane     Hono + tRPC server        source
  @auto-nomos/dashboard         Next.js operator UI       source

license · Apache-2.0 · 16 packages
install in 30 seconds
  • TypeScript SDK
    npm i @auto-nomos/sdk
  • Python SDK
    pip install nomos-sdk
  • CLI
    npm i -g @auto-nomos/cli
  • MCP server
    npm i -g @auto-nomos/mcp-server
  • Self-host PDP (Helm)
    helm install pdp oci://ghcr.io/auto-nomos/charts/cb-pdp
the comparison

Why not just X?

We get asked this every week. Here’s the honest answer. Read the full breakdown for any cell that surprises you — we link the deep dive under the table.

feature · Auth0 · HashiCorp Vault · Permit.io · Raw OAuth tokens · Nomos
  • Capability tokens (UCAN)
  • Per-call policy decision
  • Cryptographic audit chain · logs
  • MCP-native server
  • Step-up passkey approval · enterprise · soon
  • Multi-agent UCAN delegation · OPAL · soon
  • Schema-validated tool calls
  • Self-hostable
  • Open source

Give your agents
shoulders to
stand on.

Two ways in. Free during open beta on both. Pick what fits — your operators can switch later without a migration.

Or browse the repo on GitHub first
hosted

Use Nomos cloud.

  1. Create a workspace
  2. Connect a SaaS or cloud
  3. Register your first App
  4. Drop the SDK into your agent
Start free
self-host

Run it on your iron.

  1. Join the waitlist
  2. Get the helm chart on flip
  3. Bring your own Ed25519 key
  4. Same SDK, same dashboard
Join waitlist