THE DELEGATION LAYER FOR AI AGENTS

Consent infrastructure for AI builders

Three lines of SDK. A hosted consent screen your users trust. Signed tokens your agent can verify.

Start free → View docs

Keys hashed on arrival bcrypt, never reversible

No user credentials zero passwords stored

Per-agent isolation breach stays contained

BUILDER DASHBOARD

app.permitly.dev/dashboard

Overview

Consent Requests

1,247

Approval Rate

94%

Active Consents

482

Webhook Success

99.8%

Recent Activity

● Approved CalendarBot 2m ago

● Token Verified EmailAgent 5m ago

● Approved ScheduleBot 12m ago

⇄

Permitly

permitly.dev/c/cr_a1b2c3d4

CalendarBot

is requesting permission to:

📅 Book appointments LOW

📖 Read calendar MED

END USER CONSENT

01 · CONSENT PAGE

Your users see a screen they can trust

Hosted, clean, mobile-first. Every permission explained in plain language. Risk level on every scope — low, medium, or high. One tap to approve or decline.

Risk badges High-risk warning Mobile-first Zero JS required

permitly.dev/c/cr_7f8e9d

CalendarBot

is requesting permission to:

📅 Book appointments LOW

📖 Read availability MED

📧 Send meeting invites MED

02 · BUILDER DASHBOARD

Full visibility into every consent

Requests, approvals, active consents, webhook health — all with sparklines for the last 7 days. Know exactly how your agents are performing.

Live metrics 7-day sparklines Multi-agent

app.permitly.dev/dashboard

Overview

Consent Requests

1,247

↑ 12% this week

Approval Rate

94%

↑ 2% vs last week

Active Consents

482

↑ 8% this week

Webhook Success

99.8%

All systems nominal

Recent Activity

● Approved CalendarBot 2m ago

● Token Verified EmailAgent 5m ago

● Approved ScheduleBot 12m ago

● Revoked DataBot 1h ago

● Approved CalendarBot 2h ago

03 · AUDIT LOG

Immutable audit trail, built in

Every request, approval, decline, revocation, and token verification — logged with actor, IP, and timestamp. Filter by agent or event type. Ready for compliance.

HMAC-signed events IP + user-agent Filter by type

app.permitly.dev/audit-log

Audit Log

EVENTAGENTACTORWHEN

● consent.approved CalendarBot user_123 2m ago

● token.verified EmailAgent system 5m ago

● consent.approved ScheduleBot user_456 12m ago

● consent.revoked DataBot user_789 1h ago

● consent.approved CalendarBot user_321 2h ago

04 · WEBHOOKS

Instant notifications, retry built-in

HMAC-signed payloads fired on every consent event. Automatic retry with exponential backoff (1m → 5m → 30m → 2h → 8h). Test delivery from your dashboard in one click.

HMAC-signed 5 retries Test from dashboard

app.permitly.dev/agents/calendarbot

Webhook Deliveries

✓ consent.approved 200 2s ago

✓ consent.approved 200 5m ago

✓ consent.revoked 200 1h ago

✗ consent.approved retrying 1/5

05 · SECURITY

Nothing worth stealing

No user passwords. No payment data. API keys are bcrypt-hashed on arrival — we can never read them, and neither can attackers. Even a full database dump reveals only consent metadata.

Zero plaintext secrets Per-agent key isolation

Simulated breach · Database dump

⚠ ATTACKER OBTAINS FULL DATABASE

✗ NOT PRESENT

User passwords

Payment data

API keys plaintext

OAuth tokens

Private keys plaintext

✓ WHAT THEY GET

Consent metadata

Who approved what

Timestamps

Scope names

Bcrypt hashes

Nothing actionable. Nothing exploitable. No users harmed.

SDK

Three lines to ship consent

Drop in. Redirect. Done.

pip install permitly

from permitly import PermitlyClient, ScopeTemplates

# 1. Initialize
client = PermitlyClient("sk_live_...")

# 2. Request consent
result = client.consent.request({
    "end_user_ref": "user_123",
    "scopes": [ScopeTemplates.send_email()],
    "redirect_url": "https://yourapp.com/done"
})

# 3. Redirect user to hosted consent screen
return redirect(result.consent_url)