Tessera Guard verifies human-delegated permissions for email, payments, shell, and publishing at execution time.
The Roman tessera hospitalis was a token split between two strangers. Reuniting the pieces proved trust across distance.
Agents can already act across tools and services. What is missing is a portable runtime check for who authorized them, what they can do, and whether that authority is still valid.
If an agent has a token or tool handle, it can often act with no further authorization check. That works for demos and fails for real systems.
Asking the human to approve every step avoids some risk, but it also destroys the utility of autonomy. Delegation needs to be bounded, not constant.
Every runtime reinvents authorization differently. There is still no standard execution-time permission layer for agent actions.
Tessera Guard blocks sensitive agent actions unless a valid human-delegated credential authorizes them. It verifies scope, expiry, and revocation at execution time.
message.send, payment.intent, exec.shell, and content.publish are the first protected classes.
Guard evaluates the request at the moment the action executes, not from stale login state or ambient tool access.
When an action is blocked, the runtime gets a reason and a suggestion that the agent can surface directly to the user.
```javascript
import { createGuard } from '@tessera-protocol/openclaw';

const guard = createGuard({
  credential: process.env.TESSERA_AGENT_CREDENTIAL,
  trustedIssuerKeys: [process.env.TESSERA_ISSUER_PUBLIC_KEY],
  offlineMode: false,
  issuerUrl: 'http://localhost:3001',
});

// Inside the tool handler: the check runs at execution time, right before the send,
// and the result carries a reason and a suggestion the agent can surface to the user.
async function handleEmailSend() {
  const result = await guard.check('email.send', {
    recipientCount: 5,
    recipientDomains: ['example.com'],
  });
  if (!result.allowed) {
    console.error(result.reason);
    console.error(result.suggestion);
    return;
  }
  // Safe to proceed with the sensitive action.
}
```
Guard is the product surface. The protocol underneath is intentionally small: human root credential, agent identity, scoped delegation, execution-time verification, and revocation.
A human principal obtains a root credential from an issuer. Verifiers do not need civil identity at runtime; they need to know the delegator is valid.
Each agent has its own public key and stable identifier. The agent becomes a cryptographic subject rather than a session with ambient access.
The human signs a delegation covering action classes, limits, expiry, and revocation. No child delegation may exceed the permissions of its parent.
At runtime, Tessera checks signature integrity, scope match, expiry, revocation, and policy constraints before allowing the action to execute.
OpenClaw is the first wedge because it already exposes sensitive tool calls and gives Tessera a fast product-feedback loop. The long-term direction is broader runtime and gateway infrastructure.
Tessera Guard already maps OpenClaw tools to guarded action classes and provides human-legible denials inside the agent conversation.
The same model extends to MCP servers, gateways, coding agents, workflow runtimes, and API platforms that need execution-time authorization for agent actions.
Start with the OpenClaw integration today, then carry the same authorization model into the rest of your agent stack.