LangChain + human-in-the-loop attestation
LangChain has a robust callback system but no native identity layer. Drop Manav delegations into your chain in 14 lines and your audit log carries the human all the way through.
The integration pattern
from langchain.agents import AgentExecutor
from manav.langchain import ManavCallback, ManavTools
callback = ManavCallback(human_did=os.getenv("MANAV_HUMAN_DID"),
scope=["repos:read", "stripe:invoice:write"],
spend_cap=("USD", 500),
ttl="8h",)
tools = ManavTools.wrap(your_existing_tools, callback=callback)
executor = AgentExecutor.from_agent_and_tools(agent=your_agent,
tools=tools,
callbacks=[callback],)
executor.invoke({"input": "Reconcile yesterday's invoices."})
The wrapper does five things: signs every tool call with the human's delegation, enforces scope, decrements spend cap atomically, logs to the tamper-evident audit, and exposes a revocation hook for incident response.
What the audit log looks like
Each tool call leaves a structured record showing the human DID, the agent run, the delegation chain, the scope, the parameters hash, and the outcome. The format matches the audit-trail design we publish — see the reference template.
Common patterns
Per-tool delegation. Wrap risky tools (payments, deletions, data exports) with stricter delegations than read-only tools. The callback supports tool-specific scope.
Multi-step approval. For Article 14 critical-system flows, the callback can require a second human approval before the tool executes. Both signatures land in the audit log.
Memory propagation. Manav delegations persist across the chain's memory window. Sub-chains and tool-using sub-agents inherit a constrained delegation, never broader than the parent.
Performance
The wrapper adds 4–8 ms per tool call. For most chains the LLM call dominates latency; the identity layer is invisible.
Why this matters for production
LangChain shipped fast and made agents possible for thousands of teams. The gap was always identity. Without it, audit logs read "the chain did it." With Manav, every action traces to the human who authorized it. SOC 2, Article 14, customer trust — all become demonstrable rather than asserted.
Common objections
Engineers push back on three things. Latency — the cache makes verification 18 µs hot-path, fine for any production system. Vendor lock-in — the protocol is open, the spec is published, the reference implementation is forkable. Adding another auth dance — the integration is twelve lines and middleware, not a new platform to manage.
Frequently asked questions
What is the runtime cost? Single-digit milliseconds per tool call when the verification cache is warm. Cold verification is 1–2 ms. Both numbers are small relative to the LLM round-trip the agent is already paying.
Does it work with our existing agent framework? Yes. The protocol is host-agnostic. SDKs ship for Python, Go, Node, Rust, and TypeScript; integrations exist for LangChain, CrewAI, AutoGen, and the Claude Agent SDK. Anything that calls a tool can present a delegation.
What happens to delegations when an engineer leaves? They die at the human's offboarding. The IdP de-provisions the human; the device key is rotated; every active delegation that human signed is invalidated within 200 ms. No service-account graveyard for the new owner to clean up six months later.
Where to start
Hands-on next: mcp identity 12 lines ships in twelve lines; delegation tokens explained adds the operational layer once you have the basics. Both link to working repos; clone, integrate, run the bench.
Adjacent reading
For the integration path, start with MCP + Identity in 12 lines, then the cross-platform reference architecture. For the operational surface, see webhooks not polls and performance at 100k RPS. Each of those is a working repo; the integration takes a coffee break, the production hardening takes a sprint.
What changes inside a LangChain chain
The callback runs before each tool execution and after each tool return. Before: it verifies the delegation against the human's public key, checks scope and magnitude, and either lets the call through or rejects it with a structured reason. After: it writes a tamper-evident record to the audit log — human DID, agent step, tool call, parameters hash, outcome.
The chain itself does not need to know any of this. The callback is registered once at agent construction; everything downstream inherits the audit shape. The cost is a 4–8 ms middleware call per tool execution, dominated by the LLM round trip the chain is already paying.
The line LangChain devs add most often
In LangChain integrations across the ecosystem, the same five lines of code appear in nearly every Manav-bound deployment. The lines hook into the agent's tool-calling boundary, intercept the proposed action, look up the active delegation, validate the action against the scope and magnitude, and produce the audit row. The pattern is so consistent that we have proposed it as a LangChain middleware. The proposal is in review. The reason this is the line developers add most often is that it sits at exactly the abstraction layer where authority belongs — between the agent's decision and the tool's execution. Adding it earlier loses information about what the agent decided; adding it later loses the ability to refuse the action. The five lines are the architectural correct answer, discovered by integrators independently and now codified into the framework as the recommended integration pattern. We did not invent the pattern. The community did. We standardized it.
If LangChain made agents possible, identity makes them deployable.