How ACT Tokens Work
Secure your AI agents in 4 simple steps
ACT (Agent Capability Tokens) provides OAuth-like security for AI agents. Instead of giving your agents unrestricted access to APIs and systems, ACT lets you define exactly what each agent can do, enforce those permissions in real-time, and maintain complete audit trails for compliance.
Create Your Agent
Register your AI agent in the ACT platform. Give it a name, description, and unique identifier. This creates a digital identity for your agent that will be referenced in all future actions.
Example API Call:
POST /api/agents
{
  "name": "Customer Support Agent",
  "description": "Handles tier-1 customer inquiries",
  "metadata": {
    "team": "customer-success",
    "environment": "production"
  }
}

Result: You receive an Agent ID that uniquely identifies this agent across your organization.
Define Permission Policies
Create policies that specify what your agent can and cannot do. Policies are capability-based: you grant specific permissions like "read:customer_data", "create:support_ticket", or "access:zendesk_api".
Example Policy:
POST /api/policies
{
  "name": "Customer Support Policy",
  "capabilities": [
    "read:customer_profile",
    "read:order_history",
    "create:support_ticket",
    "update:ticket_status"
  ],
  "constraints": {
    "max_actions_per_day": 1000,
    "allowed_hours": "09:00-17:00 UTC",
    "rate_limit": "100 per minute"
  }
}

Best Practice: Follow the principle of least privilege - grant only the minimum permissions needed.
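How a policy of this shape can be evaluated deny-by-default, as an added example (not ACT's own code). The `PolicyEvaluator` class is hypothetical, and the constraint semantics it uses (exact-string capability match, an end-exclusive UTC hours window, a sliding-window rate limit, a daily counter that resets at UTC midnight) are assumptions the page does not define.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# The page's example policy, reproduced as a Python dict.
POLICY = {
    "name": "Customer Support Policy",
    "capabilities": ["read:customer_profile", "read:order_history",
                     "create:support_ticket", "update:ticket_status"],
    "constraints": {"max_actions_per_day": 1000,
                    "allowed_hours": "09:00-17:00 UTC",
                    "rate_limit": "100 per minute"},
}

class PolicyEvaluator:
    """Deny-by-default evaluator; the constraint semantics are assumptions."""

    def __init__(self, policy):
        self.caps = frozenset(policy["capabilities"])
        c = policy["constraints"]
        start, end = c["allowed_hours"].split()[0].split("-")
        self.start = datetime.strptime(start, "%H:%M").time()
        self.end = datetime.strptime(end, "%H:%M").time()
        count, _, unit = c["rate_limit"].partition(" per ")
        self.rate, self.window = int(count), timedelta(**{unit + "s": 1})
        self.daily_max = c["max_actions_per_day"]
        self.recent = deque()            # timestamps of allowed actions in the window
        self.day, self.day_count = None, 0

    def check(self, action, now):
        """Return (allowed, reason); `now` must be a timezone-aware datetime."""
        if action not in self.caps:      # exact match only, no wildcards
            return False, "capability not granted"
        t = now.astimezone(timezone.utc)
        if not (self.start <= t.time() < self.end):  # end of window is exclusive
            return False, "outside allowed hours"
        if t.date() != self.day:         # a new UTC day resets the daily counter
            self.day, self.day_count = t.date(), 0
        while self.recent and t - self.recent[0] >= self.window:
            self.recent.popleft()        # drop actions older than the window
        if self.day_count >= self.daily_max:
            return False, "daily limit reached"
        if len(self.recent) >= self.rate:
            return False, "rate limit exceeded"
        self.recent.append(t)            # only allowed actions consume quota
        self.day_count += 1
        return True, "ok"
```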
Generate Capability Tokens
Create an ACT token for your agent by combining the agent identity with one or more policies. The token is cryptographically signed and includes all permission information in a secure, tamper-proof format.
Generate Token:
POST /api/tokens
{
  "agent_id": "agent_12345",
  "policy_ids": ["policy_support_01"],
  "expires_at": "2025-12-31T23:59:59Z",
  "metadata": {
    "issued_by": "[email protected]",
    "purpose": "Q4 customer support operations"
  }
}

Response:
{
  "token": "act_1a2b3c4d5e6f...",
  "agent_id": "agent_12345",
  "expires_at": "2025-12-31T23:59:59Z",
  "capabilities": ["read:customer_profile", ...]
}

Security Tip: Set appropriate expiration times. Short-lived tokens (hours/days) are more secure.
Enforce & Audit
Before your agent performs any action, it checks with ACT to verify it has permission. ACT validates the token, checks the requested capability, and returns approve/deny in under 10ms. Every action is logged for audit purposes.
Permission Check (in your agent code):
// Before accessing customer data
POST /api/enforcement/check
{
  "token": "act_1a2b3c4d5e6f...",
  "action": "read:customer_profile",
  "resource": "customer_54321",
  "context": {
    "ip": "10.0.1.50",
    "reason": "User inquiry about order status"
  }
}

Response (Approved):
{
  "allowed": true,
  "action": "read:customer_profile",
  "reason": "Token valid, capability granted",
  "audit_id": "audit_xyz789"
}

Response (Denied):
{
  "allowed": false,
  "action": "delete:customer_account",
  "reason": "Capability not granted in token",
  "audit_id": "audit_abc123"
}

Audit Trail: Every check (approved or denied) is logged with full context, timestamps, and reasoning.
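A fail-closed wrapper around the permission check above, as an added example (not ACT SDK code): any timeout, malformed reply, or ambiguous `allowed` value is treated as a denial. The `transport` callable, the `CheckDenied` exception, and the assumption that a decision arrives with HTTP 200 are hypothetical; `fake_transport` is a constructed stand-in for the service.

```python
import json

class CheckDenied(PermissionError):
    """Raised when the action is denied or the decision cannot be trusted."""

def enforce(transport, token, action, resource, context=None):
    """Ask the enforcement endpoint for a decision and fail closed.

    `transport` is a hypothetical callable (path, body_dict) -> (status, text)
    standing in for your HTTP client. Returns the audit_id on approval.
    """
    body = {"token": token, "action": action, "resource": resource,
            "context": context or {}}
    try:
        status, text = transport("/api/enforcement/check", body)
        reply = json.loads(text)
    except Exception as exc:  # timeout, connection error, non-JSON body
        raise CheckDenied(f"enforcement unavailable: {exc}") from exc
    if status != 200 or not isinstance(reply, dict):
        raise CheckDenied(f"unexpected enforcement response (HTTP {status})")
    # Only the JSON boolean true approves; "true", 1 or a missing field do not.
    if reply.get("allowed") is not True:
        raise CheckDenied(reply.get("reason", "denied"))
    # The decision must be about the action that was actually requested.
    if reply.get("action") != action:
        raise CheckDenied("decision does not match requested action")
    return reply.get("audit_id")

def fake_transport(path, body):
    """Constructed stand-in that mirrors the page's sample responses."""
    ok = body["action"] == "read:customer_profile"
    return 200, json.dumps({
        "allowed": ok,
        "action": body["action"],
        "reason": "Token valid, capability granted" if ok
                  else "Capability not granted in token",
        "audit_id": "audit_xyz789" if ok else "audit_abc123",
    })
```

Record the returned `audit_id` next to the agent's own log entry so an action can be matched to its decision in the audit trail.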
Key Features
Real-Time Enforcement
Sub-10ms latency for permission checks. Your agents operate at full speed with enterprise security.
Instant Revocation
Revoke a token or change a policy, and the effect is immediate. No waiting, no deployments needed.
Complete Audit Logs
Every action is logged with who, what, when, where, and why. Export to your SIEM or download as CSV/JSON.
Fine-Grained Control
Grant permissions at the capability level, not just all-or-nothing access. Maximum security with minimal friction.
Universal Integration
Works with any AI agent, any LLM (ChatGPT, Claude, Gemini), and any programming language.
Scalable Architecture
Handle millions of agents and billions of actions per month. Globally distributed for low latency.
Common Use Cases
🤖 Customer Support Automation
Grant your support agent permission to read customer data and create tickets, but not delete accounts or process refunds. Escalate sensitive actions to human operators while automating routine inquiries.
📧 Email & Communication Agents
Allow your agent to send emails on behalf of your team, but restrict which email templates it can use, who it can email, and how many emails per day. Prevent spam and maintain brand consistency.
💰 Financial & Billing Agents
Enable your agent to check account balances and generate reports, but require human approval for transactions over $1000. Meet SOX and PCI-DSS compliance requirements with detailed audit trails.
🏥 Healthcare AI Assistants
Grant read-only access to patient records with strict HIPAA audit logging. Automatically log every access attempt with patient ID, reason, and timestamp for compliance reporting.
🔧 DevOps Automation Agents
Allow your CI/CD agent to deploy to staging automatically, but require manual approval for production. Prevent accidental production outages while accelerating your development workflow.
Integration Examples
Python (LangChain)
from act_sdk import ACTClient

# Initialize ACT client
act = ACTClient(token="act_1a2b3c4d5e6f...")

# Check permission before agent action
if act.check_permission("read:customer_profile", resource="customer_123"):
    # Allowed - proceed with action
    customer_data = fetch_customer_profile("customer_123")
    process_customer_data(customer_data)
else:
    # Denied - handle gracefully
    raise PermissionError("Agent not authorized for this action")

JavaScript/TypeScript (Node.js)
import { ACTClient } from '@act-platform/sdk';

const act = new ACTClient({ token: process.env.ACT_TOKEN });

// Middleware for API routes
async function actAuthMiddleware(req, res, next) {
  const allowed = await act.checkPermission({
    action: req.route.action,
    resource: req.params.resourceId,
    context: { ip: req.ip, user: req.user }
  });
  if (allowed) {
    next(); // Permission granted
  } else {
    res.status(403).json({ error: 'Agent not authorized' });
  }
}

C# (.NET)
using ActPlatform.SDK;

var actClient = new ACTClient("act_1a2b3c4d5e6f...");

// Check permission before action
var result = await actClient.CheckPermissionAsync(new PermissionCheck
{
    Action = "create:support_ticket",
    Resource = "ticket_system",
    Context = new { userId = "user_123", reason = "Customer inquiry" }
});

if (result.Allowed)
{
    // Permission granted - proceed
    await CreateSupportTicket(ticketData);
}
else
{
    // Permission denied
    throw new UnauthorizedAccessException(result.Reason);
}

Ready to Secure Your AI Agents?
Start with our free plan and implement enterprise-grade security in minutes.