
MachineAuth: The Best OAuth Servers for AI Agent Developers in 2026


Self-hosted OAuth 2.0 server in Go that issues short-lived JWTs to AI agents via client credentials flow, ditching hardcoded API keys.

Pricing: Open-Source

Tech Stack: Go, React, TailwindCSS

Target: AI Agent Developers

Category: OAuth Servers

MachineAuth: Ditching Hardcoded API Keys

MachineAuth kills the nightmare of embedding long-lived API keys in AI agent codebases like OpenClaw or Claude bots. Developers waste hours rotating leaked keys or chasing token sprawl in machine-to-machine calls. This self-hosted OAuth server hands out short-lived JWT access tokens instead, with configurable expiry and refresh logic baked in.

Under the Hood: OAuth 2.0 Client Credentials Flow

MachineAuth implements the OAuth 2.0 client credentials grant purely in Go, storing agent credentials in an in-memory map or an optional SQLite DB—no external dependencies like PostgreSQL. Agents POST to /oauth/token with their client_id and client_secret to fetch JWT access tokens signed with HS256, which can be introspected at /oauth/introspect. Revocation goes through /oauth/revoke, and CORS headers allow frontend agent orchestration. A metrics endpoint exposes Prometheus-ready stats on token issuance and expiry.

The React dashboard on port 3000 queries the Go server via HTTP, rendering agent lists and rotation UI with TailwindCSS—no state management bloat like Redux.

The Good & The Bad

Pros:

  • Runs in seconds with go run server-main.go—zero DB setup, pure HTTP server on :8081.
  • Client credentials flow spits out tokens under 1s latency, perfect for high-throughput AI agents hammering APIs.
  • Built-in admin dashboard lists agents, scopes, and metrics without extra tooling.
  • Token revocation and rotation via API endpoints prevent key compromise fallout.
  • Docker Compose deploys server + Nginx reverse proxy out-of-box.
  • MIT licensed, forkable for custom scopes or JWT claims.

Cons:

  • In-memory storage vanishes on restart unless you wire SQLite—fine for dev, risky for prod without persistence.
  • Default admin creds (admin/admin) scream "change me," but prod hardening needs env vars for secrets.
  • No PKCE or authorization code flow—strictly machine-to-machine, useless for user-facing apps.
  • Metrics are basic Prometheus format; no Grafana dashboards or alerting hooks.
  • Go binary bloats to 20MB+; strip it or build multi-arch Docker images if you target edge devices.

Quickstart

git clone https://github.com/mandarwagh9/MachineAuth.git
cd MachineAuth
go run server-main.go

The server listens on http://localhost:8081. Hit the root / for a hello, then POST to /api/agents with {"name":"test-agent","scopes":["read"]} to generate a client_id/client_secret pair. Exchange it for a token at /oauth/token and verify the token with Authorization: Bearer <token> on /api/verify. Expect JSON responses with expiry times and the generated secrets.
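The client side of the exchange described under "Under the Hood" and in the quickstart above, as an added Go example that is not code from the MachineAuth project: it assumes /oauth/token accepts grant_type, client_id and client_secret as a form-encoded POST body and answers with RFC 6749-style access_token and expires_in fields, neither of which the page spells out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"sync"
	"time"
)

// TokenClient runs the client credentials exchange against /oauth/token and caches the JWT.
type TokenClient struct {
	TokenURL, ClientID, ClientSecret string
	HTTP                             *http.Client
	mu                               sync.Mutex // agents usually call from many goroutines
	token                            string
	expiry                           time.Time
}

// Token returns the cached access token, or fetches a new one when none is cached or the
// cached one is within 30s of expiry, so callers never send an almost-expired JWT.
func (c *TokenClient) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && time.Until(c.expiry) > 30*time.Second {
		return c.token, nil
	}
	resp, err := c.HTTP.PostForm(c.TokenURL, url.Values{"grant_type": {"client_credentials"},
		"client_id": {c.ClientID}, "client_secret": {c.ClientSecret}}) // assumed body format (RFC 6749 4.4)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // do not log the body: it may echo the secret
		return "", fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var tr struct { // assumed response fields, per RFC 6749 section 5.1
		AccessToken string `json:"access_token"`
		ExpiresIn   int    `json:"expires_in"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", err
	}
	if tr.AccessToken == "" || tr.ExpiresIn <= 0 {
		return "", fmt.Errorf("malformed token response")
	}
	c.token, c.expiry = tr.AccessToken, time.Now().Add(time.Duration(tr.ExpiresIn)*time.Second)
	return c.token, nil
}
```

Point TokenURL at http://localhost:8081/oauth/token and use the client_id/client_secret returned by /api/agents; the token it returns goes in the Authorization: Bearer header for /api/verify.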

For the dashboard:

cd web
npm install
npm run dev

Browse http://localhost:3000, log in as admin/admin, and manage agents visually.

Who Should Use This (and Who Shouldn't)

Use it if: You're wiring AI agents like OpenClaw or bots calling internal APIs and hate key rotation scripts. Ideal for indie hackers prototyping agent swarms on localhost or Docker. Pairs with Go microservices needing quick auth layers.

Skip it if: You run at enterprise scale with millions of clients; MachineAuth lacks Redis clustering or HA setups. Avoid it if agents need user delegation flows; stick to full OIDC providers. It is the wrong fit for public-facing apps that demand battle-tested compliance like SOC2.

Alternatives & When to Switch

If you need user logins and social providers, fire up Keycloak—it's heavier but handles OIDC properly for hybrid apps. Ory Hydra crushes MachineAuth on scalability with Postgres backends and federation; pick it for 10k+ daily agents. For simpler API key management without OAuth overhead, use enveil if envelope encryption fits your stack better.


MachineAuth shines in Go integration tutorials and walkthroughs, but scale demands Ory. MachineAuth vs Keycloak boils down to self-hosting purity versus feature bloat—test token throughput yourself. Best OAuth server for 2026? This one edges out the local options, but watch Ory's updates. Command-line agent auth? Curl the endpoints directly in shell scripts, or chain them with terminal tools for automation. Compared to Vercel auth, it's pure server-side without vendor lock-in. For AI agent developers it replaces Makefiles juggling keys, and it works with Rust agents via the reqwest crate too.
