ABAC lets you assign owners (users, teams, or service accounts) to agents with fine-grained permissions. This establishes clear accountability for every agent in your organization and controls who can perform actions on each agent.

Owner Types

| Type | Description | Example |
|------|-------------|---------|
| user | An individual user | alice@company.com |
| team | A team or department | ml-platform-team |
| service_account | A machine identity | ci-cd-pipeline |

Permissions

Each owner assignment includes a permissions object:

| Permission | Description | Default |
|------------|-------------|---------|
| can_invoke | Can send requests through the proxy as this agent | true |
| can_configure | Can update agent metadata, policies, and risk classification | false |
| can_delete | Can delete the agent | false |

Assign an Owner

curl -X POST https://api.meshai.dev/agents/agt_abc123/owners \
  -H "Authorization: Bearer msh_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "owner_type": "team",
    "owner_id": "ml-platform-team",
    "owner_name": "ML Platform Team",
    "permissions": {
      "can_invoke": true,
      "can_configure": true,
      "can_delete": false
    }
  }'

{
  "success": true,
  "data": {
    "id": 1,
    "agent_id": "agt_abc123",
    "owner_type": "team",
    "owner_id": "ml-platform-team",
    "owner_name": "ML Platform Team",
    "permissions": {
      "can_invoke": true,
      "can_configure": true,
      "can_delete": false
    },
    "created_at": "2026-03-18T14:30:00Z"
  }
}

List Agent Owners

curl https://api.meshai.dev/agents/agt_abc123/owners \
  -H "Authorization: Bearer msh_YOUR_API_KEY"

{
  "success": true,
  "data": [
    {
      "id": 1,
      "agent_id": "agt_abc123",
      "owner_type": "team",
      "owner_id": "ml-platform-team",
      "owner_name": "ML Platform Team",
      "permissions": { "can_invoke": true, "can_configure": true, "can_delete": false }
    },
    {
      "id": 2,
      "agent_id": "agt_abc123",
      "owner_type": "user",
      "owner_id": "alice@company.com",
      "owner_name": "Alice Chen",
      "permissions": { "can_invoke": true, "can_configure": false, "can_delete": false }
    }
  ]
}

Remove an Owner

curl -X DELETE https://api.meshai.dev/agents/agt_abc123/owners/1 \
  -H "Authorization: Bearer msh_YOUR_API_KEY"

List Agents by Owner

Find all agents owned by a specific user, team, or service account:
curl https://api.meshai.dev/owners/ml-platform-team/agents \
  -H "Authorization: Bearer msh_YOUR_API_KEY"

{
  "success": true,
  "data": [
    {
      "agent_id": "agt_abc123",
      "agent_name": "production-summarizer",
      "permissions": { "can_invoke": true, "can_configure": true, "can_delete": false }
    },
    {
      "agent_id": "agt_def456",
      "agent_name": "support-bot",
      "permissions": { "can_invoke": true, "can_configure": true, "can_delete": true }
    }
  ]
}

Audit Trail

All ABAC actions emit audit events:

| Event Type | Description |
|------------|-------------|
| agent.owner_assigned | An owner was assigned to an agent |
| agent.owner_removed | An owner was removed from an agent |

Use Cases

  • Non-human identity management — Track the 144:1 ratio of NHIs to employees by assigning clear owners.
  • Team accountability — Every agent has at least one owner responsible for its behavior.
  • Least-privilege access — Grant can_invoke to runtime service accounts, can_configure to team leads only.
  • Compliance — EU AI Act Article 14 requires human oversight — ABAC documents who oversees each agent.
  • Offboarding — When a team member leaves, find all agents they own and reassign them.
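
The accountability, least-privilege, and offboarding use cases above can be checked offline against saved List Agent Owners responses. The following is an added example, not MeshAI code: the function names, the finding messages, the agt_orphan agent, and the rule that only user and team owners count as human oversight are assumptions, and the sample inventory is constructed in the shape of the responses shown on this page.

```python
# Added example: offline review of owner assignments against this page's guidance.
# Each owners list mirrors the "data" array of a List Agent Owners response.
DEFAULTS = {"can_invoke": True, "can_configure": False, "can_delete": False}
HUMAN_TYPES = {"user", "team"}  # assumption: these owner types count as human oversight


def effective(perms):
    """Fill in the documented defaults for any permission the record omits."""
    return {**DEFAULTS, **(perms or {})}


def audit_agent(agent_id, owners, departing=()):
    """Return a sorted list of (agent_id, finding) tuples for one agent."""
    findings = []
    if not owners:
        findings.append((agent_id, "no owner assigned"))
    remaining = [o for o in owners if o["owner_id"] not in departing]
    for o in owners:
        p = effective(o.get("permissions"))
        if o["owner_type"] == "service_account" and (p["can_configure"] or p["can_delete"]):
            findings.append((agent_id, f"service account {o['owner_id']} exceeds can_invoke"))
        if o["owner_id"] in departing:
            findings.append((agent_id, f"reassign from departing owner {o['owner_id']}"))
    if owners and not any(o["owner_type"] in HUMAN_TYPES for o in remaining):
        findings.append((agent_id, "no user or team owner remains"))
    return sorted(findings)


def audit_all(inventory, departing=()):
    """Audit every agent in an {agent_id: owners} mapping."""
    return [f for aid, owners in inventory.items() for f in audit_agent(aid, owners, departing)]


# Constructed sample inventory (not real data): agent_id -> owners list
SAMPLE = {
    "agt_abc123": [
        {"owner_type": "team", "owner_id": "ml-platform-team",
         "permissions": {"can_invoke": True, "can_configure": True, "can_delete": False}},
        {"owner_type": "user", "owner_id": "alice@company.com", "permissions": {}},
    ],
    "agt_def456": [
        {"owner_type": "service_account", "owner_id": "ci-cd-pipeline",
         "permissions": {"can_invoke": True, "can_configure": True}},
        {"owner_type": "user", "owner_id": "alice@company.com"},
    ],
    "agt_orphan": [],
}

if __name__ == "__main__":
    for agent_id, finding in audit_all(SAMPLE, departing={"alice@company.com"}):
        print(agent_id, "-", finding)
```

Passing a departing owner ID shows which agents would lose their last user or team owner before the assignment is actually removed.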