Temporal Permission Windows

Grant time-bounded permissions to AI agents that auto-expire. The model follows Just-In-Time (JIT) access patterns from human IAM (AWS STS temporary credentials, CyberArk JIT provisioning, HashiCorp Vault dynamic secrets), but is purpose-built for AI agent authorisation.

Info

No standing access. An agent gets exactly the permissions it needs, for exactly the duration of its workflow, and those permissions auto-revoke when the window closes. Every lifecycle event (creation, use, extension, revocation) is anchored in the Provenance Vault.

| Concept | Description |
| --- | --- |
| TemporalPermissionWindow | A time-bounded authorisation grant with scopes, action types, constraints, and auto-expiry. |
| Duration | 1 minute to 24 hours, configurable per window. |
| Scopes | Same scope system as credentials (trade:write, db:read, etc.). |
| Max Uses | Optional limit on how many times the window can be used within its time boundary. |
| Extensions | Windows can be extended up to max_extensions times (default: 3). Each extension is vault-recorded. |
| Workflow Binding | Optional workflow_id ties the window to a specific workflow execution. |
| Lazy Expiry | No background sweeper: expiry is checked at intercept time, so an idle window costs nothing. |

Create a Temporal Permission Window

import requests

BASE = "https://xybern.com/api/v1"
HEADERS = {"Authorization": "Bearer xb_your_key"}

resp = requests.post(f"{BASE}/enforce/temporal-windows", headers=HEADERS, json={
    "agent_id": "agent_finance_01",
    "scopes": ["payments.read", "payments.execute", "db:read"],
    "duration_minutes": 30,
    "action_types": ["execute_trade", "query_database"],
    "constraints": {"max_amount": 50000},
    "reason": "Processing customer order #4821",
    "workflow_id": "wf_order_4821",
    "max_uses": 10,
    "max_extensions": 2
})

window = resp.json()["window"]
# window["window_id"]         → "tw_a1b2c3d4e5f6"
# window["expires_at"]        → "2026-04-01T14:30:00Z"
# window["remaining_seconds"] → 1800
# window["is_active"]         → True

How It Works at Intercept Time

When an agent makes a request through POST /v1/enforce/intercept, the control plane automatically checks for active temporal windows. If the agent has an active window that covers the requested action, the response includes a temporal_window field:

{
  "decision": "allow",
  "decision_id": "enf_abc123",
  "temporal_window": {
    "window_id": "tw_a1b2c3d4e5f6",
    "remaining_seconds": 1247,
    "reason": "Temporal window 'tw_a1b2c3d4e5f6' grants access (expires in 1247s)"
  }
}

Extend a Window

If a workflow is still running and needs more time, extend the window (up to max_extensions times):

window_id = window["window_id"]  # from the create response above

resp = requests.post(
    f"{BASE}/enforce/temporal-windows/{window_id}/extend",
    headers=HEADERS,
    json={
        "additional_minutes": 15,
        "reason": "Workflow still processing batch"
    }
)
# resp.json()["window"]["extensions"]        → 1
# resp.json()["window"]["remaining_seconds"] → updated

Revoke a Window

Immediately terminate a window before it expires:

resp = requests.post(
    f"{BASE}/enforce/temporal-windows/{window_id}/revoke",
    headers=HEADERS,
    json={"reason": "Workflow completed early"}
)
# resp.json()["window"]["status"] → "revoked"

Pre-flight Check

Check if an agent has an active window without consuming a use:

resp = requests.post(f"{BASE}/enforce/temporal-windows/check", headers=HEADERS, json={
    "agent_id": "agent_finance_01",
    "action_type": "execute_trade",
    "metadata": {"amount": 25000}
})
# resp.json()["has_active_window"] → True
# resp.json()["remaining_seconds"] → 847
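To make the intercept-time rules, the pre-flight check and the extension cap concrete, here is an added Python model of a window evaluator. It is example code written for this page, not the Xybern control plane's implementation; the Window class, evaluate() and extend() are assumed names, and the timestamps in the sample are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Window:  # constructed stand-in for the TemporalPermissionWindow fields listed above
    window_id: str
    agent_id: str
    action_types: list
    expires_at: datetime
    max_uses: Optional[int] = None
    max_extensions: int = 3
    constraints: dict = field(default_factory=dict)
    workflow_id: Optional[str] = None
    uses: int = 0
    extensions: int = 0
    status: str = "active"

def evaluate(w, agent_id, action_type, metadata, now, workflow_id=None, consume=True):
    """Return (allowed, reason). consume=False mirrors the /check pre-flight, True mirrors /intercept."""
    if w.status == "active" and now >= w.expires_at:
        w.status = "expired"  # lazy expiry: flipped when first observed, no background sweeper
    if w.status != "active":
        return False, f"window {w.window_id} is {w.status}"
    if w.agent_id != agent_id:
        return False, "window belongs to a different agent"
    if w.workflow_id is not None and w.workflow_id != workflow_id:
        return False, f"window is bound to workflow {w.workflow_id}"
    if action_type not in w.action_types:
        return False, f"action '{action_type}' not covered by window"
    if w.max_uses is not None and w.uses >= w.max_uses:
        return False, f"window exhausted ({w.uses}/{w.max_uses} uses)"
    limit = w.constraints.get("max_amount")
    if limit is not None and metadata.get("amount", 0) > limit:
        return False, f"amount {metadata.get('amount')} exceeds max_amount {limit}"
    if consume:
        w.uses += 1  # an intercept consumes a use; a pre-flight check does not
    remaining = int((w.expires_at - now).total_seconds())
    return True, f"Temporal window '{w.window_id}' grants access (expires in {remaining}s)"

def extend(w, additional_minutes, now):
    """Extend an active, unexpired window at most max_extensions times."""
    if w.status != "active" or now >= w.expires_at or w.extensions >= w.max_extensions:
        return False
    w.expires_at += timedelta(minutes=additional_minutes)
    w.extensions += 1
    return True
```

A revocation is just a status flip to "revoked"; because evaluate() re-reads the status on every call, it takes effect on the next request without any sweeper.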

List & Stats

# List all windows (filter by agent, status, workflow)
requests.get(f"{BASE}/enforce/temporal-windows?active_only=true", headers=HEADERS)

# Agent-specific windows
agent_id = "agent_finance_01"
requests.get(f"{BASE}/enforce/agents/{agent_id}/temporal-windows", headers=HEADERS)

# Aggregate stats
requests.get(f"{BASE}/enforce/temporal-windows/stats", headers=HEADERS)
# → { active_windows, expired_windows, revoked_windows, total_uses, avg_duration_minutes, ... }

Dashboard

The Authorisation Layer dashboard includes a dedicated Temporal Windows tab showing:

  • Active windows: real-time countdown timers, scope badges, and one-click extend/revoke
  • Window history: expired and revoked windows with usage stats
  • Aggregate stats: active count, total uses, average duration, agents with active windows