Security2026-07-02·4 min read·Permisyn
Authorization Headers Are the Governance Contract
Agent identity, user, team, purpose, risk label, and budget controls become the allow/deny contract for every model request.
Headers make authorization explicit
Permisyn treats authorization context as part of the request contract. That makes the allow/deny decision reviewable, testable, and independent of a programming language or framework.
| Header | Purpose |
|---|---|
| X-Permisyn-Agent | Agent attribution and dashboard grouping |
| X-Permisyn-User | Accountable human user |
| X-Permisyn-Team | Team/department attribution and usage rollups |
| X-Permisyn-Risk | Declarative risk label, recorded in the receipt |
| X-Permisyn-Purpose | Business context in signed evidence |
| X-Permisyn-Max-Cost-USD | Pre-call budget enforcement |
#headers#policy#security
Route your agent through Permisyn
Change the model base URL. Keep your existing client. Agent passports, kill switch, signed audit trail, cost cap.
OPENAI_BASE_URL=https://api.permisyn.com/v1 OPENAI_API_KEY=$YOUR_PROVIDER_KEY X-Permisyn-Key: psyn_live_... X-Permisyn-Agent: production-agent