Comparison · No broker
A token in a prompt is a token in a screenshot.
Putting an OAuth token in the agent's context window means it ends up in traces, logs, training sets, and the screenshot someone shares in Slack. Nomos issues a one-shot capability instead.
The default everyone starts with. The default no one keeps.
the receipts
Feature by feature. No hedging.
Every row is a thing your agent will actually do. If we marked a cell wrong, tell us in Discussions — we’ll fix it the same week.
| feature | Raw OAuth tokens | Nomos |
|---|---|---|
| Capability tokens (UCAN) | ||
| Per-call policy decision | ||
| Cryptographic audit chain | ||
| MCP-native server | ||
| Self-hostable | soon | |
| Open source | soon | |
| Step-up passkey approval | ||
| Schema-validated tool calls | ||
| Multi-agent UCAN delegation | ||
| Multi-tenant org RBAC | ||
honest questions
What people actually ask.
- But the token is short-lived…
  - Short-lived means minutes-to-hours. A leaked screenshot, an OTel span, a model cache replay — all faster than rotation.
- Is this just a proxy?
  - A proxy that mints UCANs, evaluates Cedar policy, signs an audit chain, validates the request schema, and offers step-up passkey approval. So: yes, the way a kitchen is just a stove.
Try Nomos. It’s free.
Open beta. No credit card. Plug an agent in, see your first audited decision in minutes. Self-host on the waitlist when you’re ready.