This project is not covered by Drupal’s security advisory policy.
NHI Guardian manages authentication, lifecycle, and audit governance for AI agents, CI/CD pipelines, and automated services connecting to your Drupal site. It gives non-human identities the same structured treatment - registered identities, scoped credentials, and tamper-evident audit trails - that Drupal has always given human users. Designed for organisations operating under FISMA, FedRAMP, OMB M-22-09 Zero Trust, and EU AI Act requirements.
Why NHI Guardian?
Most Drupal sites secure human logins carefully. As AI agents, automation scripts, and service accounts increasingly access Drupal infrastructure, those non-human identities need the same governance rigour. NHI Guardian provides it - without requiring a third-party IAM platform or custom middleware.
Features
- 9-stage inbound validation pipeline - Every request carrying agent headers passes through a deterministic, ordered pipeline: request identification,
alg:noneJWT rejection, token parsing, agent lookup, status check, credential validation, scope intersection, account switching, and audit logging. - Three credential methods - API Key (
X-Agent-Tokenheader or?api_keyquery param), Static Token (bearer), and IDP-Based (JWT verified against a live JWKS endpoint from Okta, Azure AD, Keycloak, or any standards-compliant IDP). - Scope-based access control - Granted scopes are the intersection of token scopes and the agent's configured allowed scopes. Token scopes that exceed the agent's allowlist are silently dropped.
- FISMA AU-3 compliant audit log - Every authentication event (success or failure) is recorded with agent ID, Drupal UID, action, token SHA-256 hash (never plaintext), IP address, request URI, scopes requested, scopes granted, HTTP status, and metadata. Configurable retention with automated purge.
- Multi-step agent registration wizard - Administrators register agents manually (label, agent ID, scopes, validation method, credential) or provision them directly from a connected Identity Provider via an OAuth popup flow.
- IDP client management - Register external Identity Providers with JWKS URI, client ID/secret, and user identity mapping. A built-in test tool validates the IDP connection before agents are linked.
- Enable / suspend agents - Inactive agents are blocked immediately without deleting the entity or its audit history.
- Drupal permission integration - Authentication and administration are governed by Drupal's standard role-based permission system. No parallel access model to maintain.
- Zero Trust enforcement middleware - A Symfony HTTP middleware layer intercepts requests before they reach Drupal, enforcing agent authentication at the outermost boundary. Can be toggled on/off from the settings page.
Compliance targets: FISMA AU-3 · NIST AC-2(g) · OMB M-22-09 · Zero Trust · EU AI Act · FedRAMP-aligned
Post-Installation
After enabling the module:
- Navigate to
Administration > Configuration > NHI Guardian > Agents(/admin/config/nhi-guardian/agents) to manage registered agents. - If using IDP-based validation, first add an Identity Provider at
/admin/config/nhi-guardian/idp-clients/add. Use the built-in test tool to confirm the JWKS endpoint is reachable. - Register your first agent using the Register Agent wizard. Choose Manual (API Key, Static Token, or IDP-Based) or Provision from IDP.
- Enable enforcement at
/admin/config/nhi-guardian/settings. Once enabled, requests carrying agent headers (X-Agent-Identity,X-Agent-Token, orAuthorization: Bearer) will be validated by the pipeline before reaching Drupal. - Review the audit log at
/admin/config/nhi-guardian/audit-logto confirm authentication events are being recorded.
Additional Requirements
- Drupal core 10.x or 11.x - No earlier versions supported.
- PHP 8.1+
- No third-party PHP packages beyond those bundled with Drupal core.
- IDP-based validation requires an external Identity Provider with a publicly accessible JWKS endpoint (Okta, Azure AD, Keycloak, or equivalent).
Recommended modules/libraries
- MO MCP Server - If you are exposing a Model Context Protocol endpoint on the same Drupal site, NHI Guardian provides the authentication layer for AI agents connecting to that endpoint.
Similar projects
No Drupal module currently addresses non-human identity governance as a first-class concern. General API authentication modules (Key, Simple OAuth, JSON:API) provide credential storage or token issuance for human-facing API consumers but do not offer agent lifecycle management, scope intersection policies, FISMA-aligned audit logging, or IDP provisioning flows targeted at non-human identities.
Supporting this Module
NHI Guardian is developed and maintained by miniOrange. For enterprise support, custom integrations, or SLA-backed plans, contact us at miniorange.com.
Helpful Links -
- The rest of our Drupal Arsenal.
- Dedicated Slack Channel for round the clock support.
Project information
- Project categories: Access control, Artificial Intelligence (AI)
- Created by vengat_the_wizard on , updated
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
