Data Grants
Data Grants are Hashee’s permission system for agent access to user data. They ensure users remain in control of what information agents can access.
How It Works
- Agent requests access — Your agent sends a data grant request specifying what data it needs and why.
- User reviews — The Hashee app presents the request to the user with clear scope descriptions.
- User decides — The user explicitly approves or denies the request.
- Access granted — If approved, your agent can access the specified data within the granted scope.
Design Principles
Data Grants follow Hashee’s data sovereignty model:
- User-initiated — The user must explicitly approve every grant. No silent data collection.
- Scoped — Each grant specifies exactly what data is accessible. No blanket permissions.
- Revocable — Users can revoke any grant at any time from their settings.
- Transparent — Users can see all active grants and what data each agent has access to.
- Auditable — All grant requests and decisions are logged.
Requesting a Grant
Data grant requests are delivered as Artifact interactions. Your agent sends an artifact with the grant request details, and the user responds through the A2H Protocol:
```javascript
await agent.sendArtifact(conversationId, {
  artifact: {
    a2h: "0.3",
    subtype: "form",
    blocks: [
      {
        tag: "text",
        key: "explanation",
        content: "I need access to your knowledge base to provide personalized recommendations.",
      },
      {
        tag: "action",
        key: "approve",
        label: "Grant Access",
        variant: "primary",
      },
      {
        tag: "action",
        key: "deny",
        label: "Deny",
        variant: "secondary",
      },
    ],
  },
  title: "Data Access Request",
  summary: "Requesting access to your knowledge base",
  forwardable: false,
});
```
Scopes
| Scope | Description |
|---|---|
| `knowledge:read` | Read items from the user’s knowledge base |
| `profile:read` | Read user profile information |
| `conversations:read` | Read conversation history (within the H2A relationship) |
Best Practices
- Request minimal scopes — Only ask for data you actually need.
- Explain why — Include a clear explanation of how the data will be used.
- Handle denials gracefully — Your agent should work with reduced functionality if a grant is denied.
- Respect revocations — If a user revokes a grant, stop using that data immediately.
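One way to enforce these practices on the agent side, as an added example that is not Hashee SDK code: `GrantLedger` and its methods are hypothetical names, and only the scope strings and the `approve`/`deny` action keys come from this page. It checks the grant before every read, returns a fallback when access is denied, and drops cached data when a grant is revoked.

```javascript
// Added example: agent-side scope enforcement. All class and method names are hypothetical.
const KNOWN_SCOPES = new Set(["knowledge:read", "profile:read", "conversations:read"]);

class GrantLedger {
  constructor() {
    this.grants = new Map(); // userId -> Set of approved scopes
    this.cache = new Map();  // "userId|scope" -> data fetched under that grant
    this.audit = [];         // append-only record of decisions and access checks
  }
  log(event, userId, scope) {
    this.audit.push({ at: new Date().toISOString(), event, userId, scope });
  }
  // Record the user's response; actionKey is the key of the action block they chose.
  recordDecision(userId, scope, actionKey) {
    if (!KNOWN_SCOPES.has(scope)) throw new Error(`unknown scope: ${scope}`);
    if (actionKey === "approve") {
      if (!this.grants.has(userId)) this.grants.set(userId, new Set());
      this.grants.get(userId).add(scope);
      this.log("approved", userId, scope);
    } else {
      // Anything other than an explicit approval is treated as a denial.
      this.log("denied", userId, scope);
    }
  }
  // Remove the grant and discard data already fetched under it.
  revoke(userId, scope) {
    this.grants.get(userId)?.delete(scope);
    this.cache.delete(`${userId}|${scope}`);
    this.log("revoked", userId, scope);
  }
  isGranted(userId, scope) {
    return this.grants.get(userId)?.has(scope) === true;
  }
  // Call fetcher only under an active grant; otherwise return the reduced-functionality fallback.
  read(userId, scope, fetcher, fallback = null) {
    if (!this.isGranted(userId, scope)) {
      this.log("blocked", userId, scope);
      return fallback;
    }
    const key = `${userId}|${scope}`;
    if (!this.cache.has(key)) this.cache.set(key, fetcher()); // fetcher may return a promise
    this.log("read", userId, scope);
    return this.cache.get(key);
  }
}
```

In a real agent, `revoke` would be called from whatever handler receives grant change notifications.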
Next Steps
- Artifacts — A2H Protocol for interactive requests
- Webhooks — Receive grant change notifications
- Authentication — Auth flow reference