Preview documentation. The full Arsenal reference — ACT wire format, broker API, policy engine — lands next docs release.

The model

1

Agent requests a capability

agent.credentialsFor('openai') asks the broker for an ACT scoped to openai:*:*.
2

Broker issues an ACT

Ed25519-signed token, 30s–10min TTL, scope-constrained, rate-limited.
3

Agent invokes the API

Every request goes through the broker’s proxy endpoint.
4

Broker injects credentials

Real API key is attached server-side. Agent never touches it.

ACT tokens

Format, claims, validity.

Broker

HTTP endpoints, mTLS, SSRF guard.

Policies

Declarative, CBOR-serialized.

Consent

Human-in-the-loop approvals.