oakallow
Security infrastructure for AI agents. Permissions, approvals, tokens, and audit trails so your AI asks before it acts.
What is oakallow?
oakallow is a hosted API that provides security infrastructure for AI agent tool execution. Instead of building your own permission system, token minting, approval workflows, and audit trails, you integrate with oakallow's API and get production-grade security in minutes.
Whether you're building AI agents for your customers or your own team, oakallow ensures that every tool execution is governed. Every action is checked against permission rules, approved by a human when needed, signed with a cryptographic token, and logged for complete auditability.
Our Mission
Make AI agent execution safe and auditable for every developer, without requiring them to build security infrastructure from scratch.
How oakallow Works
oakallow sits between your AI agent and the tools it wants to execute. Your agent registers its tools with the API, and you define permission rules that control what each tool is allowed to do, for which tenants, and on which resources.
At runtime, before your agent executes a tool, it calls the permission check endpoint. The check happens at the edge via Cloudflare Workers for sub-millisecond decisions. The result is one of three outcomes: allowed, requires approval, or disabled.
If the tool is allowed, your agent mints a single-use HMAC-signed execution token, runs the tool, and logs the result. If approval is required, the request is routed to a human decision-maker. If disabled, the tool does not execute. Every step is logged with a complete audit trail.
- Permission resolution. A 12-level resolution chain evaluates tenant, org, resource, tool, method, and category rules to produce a definitive permission decision.
- Approval workflows. When a tool requires human review, the approval request is created and can be decided via the dashboard. Approvals have configurable timeouts.
- Cryptographic tokens. Each execution is signed with an HMAC token containing a single-use nonce. The token proves the tool was authorized and can never be replayed.
- Audit trail. Every permission check, approval decision, and tool execution is logged. You have complete visibility into what your AI agent did, when, and why it was allowed.
Where oakallow Comes From
oakallow was born from production security code built for VixPro AI, an AI companion engineer for server infrastructure. The permission resolution, token signing, approval workflows, and audit logging that keep VixPro AI safe have been extracted, generalized, and made available as a standalone API for any developer building AI agents.
This isn't a hypothetical security layer. It's battle-tested infrastructure running in production, governing real AI tool execution on real servers.
Security Is Foundational
- ✓ Permission resolution at the edge with sub-millisecond decisions
- ✓ API keys SHA-256 hashed. Raw keys are never stored.
- ✓ HMAC-signed single-use tokens with nonce replay protection
- ✓ 12-level permission resolution chain (tenant → org → tool → category → fail-safe)
- ✓ Complete audit trail for every permission check and tool execution
- ✓ Row Level Security on all database tables
About Islemonics Studios LLC
oakallow is built and operated by Islemonics Studios LLC, a software company based in Pleasanton, California. We build products at the intersection of AI, infrastructure, and security.
Address
Islemonics Studios LLC
3020 Bernal Ave Ste 1103014
Pleasanton, CA 94566
General Inquiries
hello@oakallow.ioSecurity
security@oakallow.io