What is may_act_grants and how does delegation work?

SharkAuth expresses delegation policy as structured data. Every grant is scoped to specific actions, resources, and time windows, and can be revoked or expired automatically when conditions change.

How does DPoP protect against token theft?

Every access token is cryptographically bound to the agent's private key via RFC 9449 DPoP. A stolen token is useless without the key, making replay attacks impossible by design.

What is act chain depth and why does it matter?

SharkAuth preserves the complete delegation chain across every agent hop. When agent A delegates to B who calls API C, the full provenance is surfaced in token introspection, eliminating 'the agent did it' dead ends.

How fast is cascade revocation?

Revoke any grant and every downstream token invalidates automatically. The change is indexed by grant_id and propagated through introspection in under 12 ms p99.

Can SharkAuth run offline or on edge devices?

Yes. It ships as a single static Go binary with embedded SQLite WAL. Deploy it next to your app, in a container, on a corporate VM, or an air-gapped edge. Or drop it on a $5 VPS. Backup is a single file copy.

What audit capabilities does SharkAuth provide?

Structured JSON audit logs, indexed by grant_id, subject, actor, and grant. Stream directly to your SIEM via events websocket. Compliance-ready out of the box.

Documentation

Errors and retries

Exception hierarchy, what each one means, and the retry strategy you actually want.

Exception tree

Both SDKs share the same conceptual hierarchy.

Python

SharkAuthError
├── DPoPError              # constructing or signing DPoP proof
├── DeviceFlowError        # RFC 8628 errors
├── VaultError             # vault HTTP failures (status_code attr)
├── TokenError             # decoding / verifying agent JWTs
├── OAuthError             # OAuth token endpoint 4xx/5xx (RFC 6749 fields)
└── SharkAPIError          # generic admin-API failures (code, status attrs)

TypeScript

SharkAuthError
├── DPoPError
├── DeviceFlowError
├── VaultError
├── TokenError
└── SharkAPIError          # admin-API failures

The TypeScript SDK does not yet export a dedicated OAuthError type — TokenError covers the token-endpoint cases. (Parity gap; tracked in sdk/HANDOFF.md.)

OAuthError fields (Python)

python

try:
    oauth.token_exchange(...)
except OAuthError as e:
    print(e.error)              # RFC 6749 error code, e.g. "invalid_scope"
    print(e.error_description)  # human-readable
    print(e.status_code)        # HTTP status

VaultError fields

python

try:
    vault.fetch_token(provider="google_gmail", bearer_token=t, prover=p)
except VaultError as e:
    if e.status_code == 401:
        # token expired — refresh and retry once
    elif e.status_code == 403:
        # missing vault:read scope — fail loud
    elif e.status_code == 404:
        # no connection — prompt user to connect

SharkAPIError fields

python

from shark_auth.proxy_rules import SharkAPIError

try:
    c.organizations.create(name="...")
except SharkAPIError as e:
    print(e.code, e.status, str(e))

typescript

try {
  await c.organizations.create("...");
} catch (e) {
  if (e instanceof SharkAPIError) {
    console.log(e.code, e.status);
  }
}

Retry strategy

The SDKs do not retry automatically (except VaultClient.exchange / fetch_token via the onRefresh callback in TypeScript). You decide.

What to retry

Status	Retry?	How
200 / 2xx	n/a	-
400	No	Caller bug
401	Yes (once)	Refresh token, retry
403	No	Missing scope / wrong principal
404	No	Resource gone
409	Maybe	Idempotent operation? Re-fetch state
422	No	Validation error
429	Yes (with backoff)	Honor `Retry-After`
5xx	Yes (with backoff)	Exponential, capped at ~3 attempts
Network	Yes (with backoff)	Same

Backoff

A reasonable default: exponential with jitter, capped.

python

import time, random
from shark_auth.errors import SharkAuthError

def with_retry(fn, attempts=3, base=0.5):
    for i in range(attempts):
        try:
            return fn()
        except SharkAuthError as e:
            status = getattr(e, "status_code", 0) or getattr(e, "status", 0)
            if status in (401, 429) or 500 <= (status or 0) < 600:
                if i == attempts - 1:
                    raise
                time.sleep(base * (2 ** i) + random.random() * 0.1)
            else:
                raise

typescript

async function withRetry<T>(fn: () => Promise<T>, attempts = 3): Promise<T> {
  for (let i = 0; i < attempts; i++) {
    try {
      return await fn();
    } catch (e: any) {
      const status = e?.status ?? e?.statusCode ?? 0;
      const retryable = status === 401 || status === 429 || (status >= 500 && status < 600);
      if (!retryable || i === attempts - 1) throw e;
      await new Promise(r => setTimeout(r, 500 * 2 ** i + Math.random() * 100));
    }
  }
  throw new Error("unreachable");
}

What not to retry

Token revocation (oauth.revoke_token) — server returns 200 even if token didn't exist; failures are network-only and OK to retry.
Audit purge — guard with dry_run=True first.
DPoP key rotation — irreversible.
Webhook test fire — duplicates are fine, but pile up in delivery logs.

DPoP-specific failures

DPoPError from make_proof / createProof usually means one of:

The keypair is malformed (caller passed a non-P-256 PEM).
htu URL is malformed.
Signing failed in Web Crypto (TypeScript) — typically permission/CSP issue in a browser.

All four cases are programmer error, not transient — do not retry.

Surfacing errors to users

The server returns RFC 6749 / 7807 style bodies:

json

{ "error": "invalid_scope", "error_description": "scope exceeds parent grant" }

The SDK lifts these into the exception message. Log error_description (when present) — it's the user-facing copy.

Errors and retries

Exception tree

Python

TypeScript

OAuthError fields (Python)

VaultError fields

SharkAPIError fields

Retry strategy

What to retry

Backoff

What not to retry

DPoP-specific failures

Surfacing errors to users

See also