You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Aligns the dev guide with the README and getting-started polish,
promotes a real SDK limitation from a buried sub-clause to a proper
callout, and tightens informal headings.
- Frontmatter cross-links to README Prerequisites
- Basic Pattern uses agent.bearer_header accessor
- Long-Running Tasks: hedge note on broker lifetime cap
- Single-Hop Delegation: document delegate(ttl=N) keyword
- Multi-Hop: promote registration-token constraint to blockquote
- Rename "What We Learned About Delegation" → "Delegation Behavior"
- Rename "Garbage Tokens" → "Invalid Tokens"
- Fix result.claims.iss comment — broker-configured, not fixed
- Next Steps: add Testing Guide and MedAssist Demo rows
Refs devonartis/agentwrit#31
Generated with Claude Code
Copy file name to clipboardExpand all lines: docs/developer-guide.md
+18-9Lines changed: 18 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
# Developer Guide
2
2
3
-
Patterns for building real applications with the AgentWrit SDK. This guide assumes you've read [Getting Started](getting-started.md) and [Concepts](concepts.md).
3
+
Patterns for building real applications with the AgentWrit SDK. This guide assumes you've read [Getting Started](getting-started.md) and [Concepts](concepts.md), and that you've completed [Prerequisites](../README.md#prerequisites) — broker reachable, app credentials provisioned, env vars set.
4
4
5
5
---
6
6
@@ -28,8 +28,9 @@ agent = app.create_agent(
28
28
)
29
29
30
30
try:
31
-
# Do work with the agent's token
32
-
process_order(agent.access_token)
31
+
# Do work with the agent's token. For HTTP calls, agent.bearer_header
32
+
# gives you {"Authorization": "Bearer <token>"} in one shot:
> The broker may enforce a maximum total agent lifetime independent of per-token TTL. If `renew()` starts failing on long-running agents, check your broker's session policy.
69
+
67
70
### Short-Lived Tasks with Custom TTL
68
71
69
72
For quick tasks, set a short TTL to minimize exposure:
@@ -132,6 +135,8 @@ delegated = agent_a.delegate(
132
135
# delegated.delegation_chain records the hop
133
136
```
134
137
138
+
Pass `ttl=N` to override the delegation lifetime: `agent_a.delegate(delegate_to=..., scope=..., ttl=300)`. Omit it to take the broker's default (60s).
139
+
135
140
Always validate the delegated token to confirm the broker actually narrowed it:
To build a real chain where each hop narrows further, the second hop must use the delegated token directly. The SDK's `agent.delegate()` always uses the agent's registration token, not a received delegated token:
153
+
> **SDK limitation:**`agent.delegate()` only signs with the agent's own *registration* token. To extend a chain — i.e., delegate from a token you *received* — you currently have to call `POST /v1/delegate` directly, as shown below. A future release may add `DelegatedToken.delegate()` to remove this escape hatch.
154
+
155
+
To build a real chain where each hop narrows further, the second hop has to bypass the SDK and hit the broker endpoint with the delegated token:
149
156
150
157
```python
151
158
import httpx
@@ -209,9 +216,9 @@ except AuthorizationError as e:
Verified against a live broker via the acceptance suite:
215
222
216
223
1.**Same-scope delegation is allowed.** The broker treats equal as a valid subset. If A has `["read:data:partition-7"]` and delegates `["read:data:partition-7"]` to B, the broker accepts it.
217
224
@@ -344,9 +351,9 @@ except AgentWritError as e:
344
351
print(e) # "agent has been released and cannot delegate"
345
352
```
346
353
347
-
### Garbage Tokens
354
+
### Invalid Tokens
348
355
349
-
If someone sends a faketoken to your app, `validate()` handles it gracefully:
356
+
If someone sends a fake, malformed, or expired token to your app, `validate()` handles it gracefully — it returns a result instead of raising:
350
357
351
358
```python
352
359
from agentwrit import validate
@@ -409,7 +416,7 @@ Same behavior, but uses the app's broker URL and timeout.
409
416
result = validate(app.broker_url, agent.access_token)
0 commit comments