Arsenal is the capability and credential layer. It lets agents use external services without ever receiving raw provider secrets.

Core primitives

| Primitive | Purpose |
| --- | --- |
| ACT | A signed Agent Capability Token bound to a DID and scoped by service:resource:action. |
| Broker | The service that stores provider credentials, verifies ACTs, injects secrets, and proxies upstream calls. |
| ScopeSet | The route or service permissions an agent can exercise. |
| Route rule | Server-side mapping from method and path to required scopes and grant condition. |
| Audit entry | Hash-linked record of grant, proxy, denial, or policy outcome. |

Auto-grant flow

1. Agent signs request

   The caller proves key possession through the OpenAgent authentication flow.

2. AEGIS verifies the DID

   AEGIS returns signature_valid, lineage status, revocation status, and trust tier.

3. Optional payment layer runs

   Routes that require VerifiedAndPaid wait for an x402 payment signal before grant.

4. Arsenal grants an ACT

   Arsenal creates a session-scoped or request-scoped ACT containing the route scopes.

5. Credential broker proxies upstream

   The agent receives a fetch-shaped handle. The broker injects the real provider credential server-side.

Scope grammar

service:resource:action
Examples:
  • openai:chat:completions
  • github:repo:read
  • admin:config:update
  • !github:pulls:merge
Multiple scopes on a route use AND logic: all listed scopes must be present.

Grant conditions

| Condition | Grants when | Typical use |
| --- | --- | --- |
| Verified | DID signature is valid and revocation status is active | Normal authenticated routes |
| VerifiedAndPaid | Verified plus payment middleware confirms payment | Priced agent endpoints |
| TrustMinimum(n) | Verified plus AEGIS conformance level is at least n | Admin, org, or high-risk routes |

ACT lifetime

  • Default session ACT: 900 seconds.
  • Request-scoped ACT: 30 seconds.
  • Minimum: 5 seconds.
  • Maximum: 24 hours.
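
The scope, grant-condition, and lifetime rules above can be combined into one grant decision. The Python below is an added example, not Arsenal's own code: the `Verification` and `RouteRule` shapes, the integer conformance level, the dict standing in for a signed ACT, and clamping (rather than rejecting) an out-of-range lifetime are all assumptions.

```python
from dataclasses import dataclass

# Bounds and defaults from the "ACT lifetime" list, in seconds.
TTL_MIN, TTL_MAX = 5, 24 * 3600
TTL_DEFAULT = {"session": 900, "request": 30}

@dataclass(frozen=True)
class Verification:            # assumed shape of the AEGIS result
    signature_valid: bool
    revocation_status: str     # "active" is the value the page names
    conformance_level: int     # assumed to be an integer level

@dataclass(frozen=True)
class RouteRule:               # assumed shape of a server-side route rule
    scopes: frozenset          # service:resource:action strings
    condition: str             # "Verified", "VerifiedAndPaid", "TrustMinimum"
    min_level: int = 0         # n in TrustMinimum(n)

def condition_met(rule, v, paid=False):
    verified = v.signature_valid and v.revocation_status == "active"
    if rule.condition == "Verified":
        return verified
    if rule.condition == "VerifiedAndPaid":
        return verified and paid
    if rule.condition == "TrustMinimum":
        return verified and v.conformance_level >= rule.min_level
    return False               # unknown condition: fail closed

def clamp_ttl(kind, requested=None):
    # Assumption: out-of-range lifetimes are clamped, not rejected.
    ttl = TTL_DEFAULT[kind] if requested is None else requested
    return max(TTL_MIN, min(TTL_MAX, ttl))

def well_formed(scope):
    parts = scope.split(":")
    return len(parts) == 3 and all(parts)

def grant(rule, v, paid=False, kind="session", requested_ttl=None):
    """Return a dict standing in for an ACT, or None on denial."""
    if not all(well_formed(s) for s in rule.scopes):
        return None
    if not condition_met(rule, v, paid):
        return None
    return {"scopes": rule.scopes, "ttl": clamp_ttl(kind, requested_ttl)}

def authorize(act, rule):
    # AND logic: every scope the route lists must be present in the ACT.
    return act is not None and rule.scopes <= act["scopes"]
```

An ACT granted for one route does not authorize a second route that lists an additional scope, because `authorize` requires the full set.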

Why it matters

If an agent process is compromised, attacker access is bounded by the ACT scopes and token lifetime. The upstream provider keys remain in the broker and do not have to be rotated just because an agent process leaked.