TwigBush – Grant Negotiation Engine for AI Agents


TwigBush is an early-stage, experimental implementation of the Grant Negotiation and Authorization Protocol (GNAP, RFC 9635) and its Resource Server Connections extension (RFC 9767). It is written in Go and aims to provide a cloud-native GNAP Authorization Server (AS) and supporting libraries for Resource Servers (RS).

This project is not production-ready. It is published to encourage feedback, experimentation, and contributions from the community.


  • GNAP Authorization Server: Manages grant lifecycle and token issuance
  • Proof-of-Possession Tokens: DPoP, mTLS, detached JWS, and HTTP message signatures
  • Short-Lived, Key-Bound Tokens: Configurable TTL, audience, and constraints
  • Resource Server Toolkit: RS discovery, introspection, and resource registration (per RFC 9767)
  • Policy Integration: Adapters for OpenFGA or other policy engines (Zanzibar-style graphs)
  • Security First: Key rotation, audit logging, revocation, and step-up authentication flows

    gnap-go/
      cmd/
        as/        # GNAP authorization server
        client/    # Example client integration
        demo/      # Interactive demo server
      internal/    # Core engine: grants, tokens, signing, storage, policy
      web/         # Web client code for demo

  • Go 1.22+
  • Docker (for Postgres/OpenFGA integration)

Run the Authorization Server

    git clone https://github.com/TwigBush/TwigBush.git
    cd TwigBush
    go mod download
    go run ./cmd/as

The AS listens on :8085 by default.

The demo listens on http://localhost:8089/playground by default.

Run the Resource Server Command Line Client Example

This example validates GNAP proof-of-possession tokens against the AS.


  • POST /grant – Create a new grant and access token
  • POST /continue – Continue a grant interaction
  • POST /introspect – RS token introspection (RFC 9767 §3.3)
  • GET /.well-known/jwks.json – JWKS for token validation
  • GET /.well-known/gnap-as-rs – RS-facing AS discovery (RFC 9767 §3.1)
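
One way a Resource Server could act on the POST /introspect response before honoring a key-bound token, as an added example that is not TwigBush code. `CheckBinding`, the struct shapes and the sample response are assumptions for illustration (a simplified subset of an RFC 9767 response, with `proof` in its string form), and the caller is assumed to have already verified the request's proof with the presented key.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// JWK keeps only the required EC public members; kid, alg etc. are ignored.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

type Introspection struct {
	Active bool  `json:"active"`
	Exp    int64 `json:"exp"` // optional; 0 means absent
	Key    struct {
		Proof string `json:"proof"`
		JWK   JWK    `json:"jwk"`
	} `json:"key"`
}

// Constructed sample of a simplified introspection response; coordinates are placeholders.
const sample = `{"active":true,"exp":2000000000,"key":{"proof":"httpsig","jwk":{"kty":"EC","crv":"P-256","x":"placeholder-x","y":"placeholder-y","kid":"k1"}}}`

// CheckBinding (hypothetical helper) fails closed on inactive, expired or unbound tokens.
func CheckBinding(body []byte, presented JWK, proof string, now time.Time) error {
	var in Introspection
	if err := json.Unmarshal(body, &in); err != nil {
		return fmt.Errorf("bad introspection response: %w", err)
	}
	switch {
	case !in.Active || (in.Exp != 0 && now.Unix() >= in.Exp):
		return errors.New("token inactive or expired")
	case in.Key.JWK.X == "" || in.Key.Proof != proof: // no key means a bearer token
		return errors.New("token not bound to this proof method")
	case in.Key.JWK != presented:
		return errors.New("presented key differs from bound key")
	}
	return nil
}

func main() {
	fmt.Println(CheckBinding([]byte(sample), JWK{"EC", "P-256", "placeholder-x", "placeholder-y"}, "httpsig", time.Now()))
}
```

A response that carries `proof` as an object fails to decode into this struct and is therefore rejected rather than accepted.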

  • Full DPoP support
  • Advanced RS–AS coordination (RFC 9767 resource registration & downstream tokens)
  • Policy adapters (OpenFGA/Zanzibar)
  • CLI tooling for administration and debugging
  • Helm charts and container images

See Issues for active work.


TwigBush exists to provide a cloud-native, open source reference implementation of GNAP (RFC 9635) and its extensions (e.g., RFC 9767 for RS connections). The project’s goal is to make key-bound, just-in-time access control practical for modern workloads, including multi-cloud environments, microservices, and AI/agent-driven systems.

TwigBush is focused on:

  • A Go-based Authorization Server (AS) that implements GNAP grant flows
  • Resource Server (RS) libraries and examples for GNAP validation, introspection, and registration
  • Pluggable policy adapters (OpenFGA, Zanzibar-style graphs)
  • Developer tooling (CLI, SDKs, container images, Helm charts)
  • Standards alignment and interoperability with IETF GNAP work

Out of scope:

  • Non-standard extensions not discussed in GNAP drafts
  • Proprietary connectors or commercial integrations (to be maintained outside the core repo)

TwigBush follows an open governance model:

  • Decisions are made in public via GitHub issues and discussions
  • Maintainers are listed in CONTRIBUTORS.md
  • New maintainers are nominated and approved by existing maintainers through documented consensus
  • Community involvement from implementers, operators, and researchers is strongly encouraged

TwigBush aligns with CNCF Sandbox goals:

  • Early-stage and experimental: intended to validate GNAP implementations and gather feedback
  • Cloud-native focus: written in Go, containerized, with Kubernetes-ready packaging
  • Standards-first: directly aligned with GNAP RFCs (9635, 9767) for interoperability
  • Open collaboration: seeking contributors across security, identity, payments, and AI/agent ecosystems

TwigBush is at a proof-of-concept stage. Breaking changes should be expected. We welcome feedback, issue reports, and contributions.


Apache License 2.0 – see LICENSE for details.
