Skip to main content
Hexr automatically detects whichever Python agent framework you use — CrewAI, LangChain, AutoGen, Strands, OpenAI Swarm, or plain Python — and assigns a unique SPIFFE cryptographic identity to each agent process or role. This means a CrewAI researcher and writer each get separate cloud permissions, separate cost attribution, and separate audit logs, all without any changes to your framework code.

Supported frameworks

FrameworkDetectionPer-process identity
CrewAIfrom crewai import ...Each crew role gets a SPIFFE ID
LangChainfrom langchain import ...Agent chains get identity
AutoGenfrom autogen import ...Each AutoGen agent gets identity
Strandsfrom strands import ...Agent strands get identity
OpenAI Swarmfrom swarm import ...Swarm agents get identity
Pure PythonNo framework importsSingle identity per agent

Steps

1

Choose your framework and write your agent

Use your preferred framework. Hexr wraps it with the @hexr_agent decorator — no other changes needed.
from crewai import Agent, Task, Crew
from hexr import hexr_agent, hexr_tool, hexr_llm

@hexr_agent(name="content-crew", tenant="acme-corp", framework="crewai")
def main():
    researcher = Agent(
        role="researcher",
        goal="Find latest AI news",
        backstory="Senior research analyst",
    )

    writer = Agent(
        role="writer",
        goal="Write engaging articles",
        backstory="Content strategist",
    )

    research_task = Task(
        description="Research the latest developments in AI agents",
        agent=researcher,
    )

    write_task = Task(
        description="Write a blog post based on the research",
        agent=writer,
    )

    crew = Crew(
        agents=[researcher, writer],
        tasks=[research_task, write_task],
    )

    result = crew.kickoff()
    print(result)

if __name__ == "__main__":
    main()
2

Build — framework is auto-detected

Run hexr build and it will detect the framework from your imports:
hexr build content_crew.py --tenant acme-corp
Expected output
Analyzing content_crew.py...
  Framework: crewai (detected from imports)
  Agents: 2 (researcher, writer)
  ...
If auto-detection picks the wrong framework, override it with --framework:
hexr build agent.py --tenant acme --framework langchain
3

Push and deploy

hexr push && hexr deploy
Each framework role receives its own SPIFFE identity at deploy time. For the CrewAI example above:
  • researcherspiffe://hexr.cloud/agent/acme-corp/content-crew/researcher
  • writerspiffe://hexr.cloud/agent/acme-corp/content-crew/writer
Each role gets separate cloud credentials and cost attribution automatically — no code changes required.

What just happened?

When you deployed the CrewAI crew, Hexr issued a unique SPIFFE identity to each role. Those identities control which cloud services each role can access, and every LLM call is attributed to the specific role that made it. You can view per-role token usage and costs in the Grafana dashboard.
OPA policies enforce role-level cloud access scoping. A writer role cannot access resources granted only to researcher, even within the same agent deployment.

Next steps

Multi-cloud tools

Grant each framework role different AWS, GCP, or Azure permissions.

LLM observability

View per-role token usage, cost attribution, and latency in Grafana.

Agent-to-agent communication

Connect your CrewAI crew to other agents for task delegation.

SDK reference

Full API reference for the @hexr_agent decorator and framework options.