Documentation
Authority infrastructure for agents and services
Caracal issues short-lived, policy-approved mandates for protected resources and records the decision trail.
How it works
Five steps between an agent and a resource
Agents call real APIs with real credentials, and standing secrets are how that goes wrong. Caracal swaps them for short-lived authority that policy approves first. Click through the flow.
Step 1 of 5
Your agent asks for authority right when it needs it. Nothing sits in code or env files waiting to leak.
Identities and ApplicationsStep 2 of 5
Rego policy looks at the request and says yes or no before anything touches the resource.
Policies and Policy SetsStep 3 of 5
STS signs a short-lived mandate scoped to that app, that resource, that action. It expires on its own.
MandatesStep 5 of 5
Audit keeps the whole story: who asked, what policy said, what actually happened.
Audit and Request Tracescurl -fsSL https://raw.githubusercontent.com/Garudex-Labs/caracal/main/install.sh | shthen caracal upFind your path
Where are you starting from?
You want to see it run before you read theory. Install the stack, protect one call, then dig into how it works.
What is Caracal?You have an app and an agent. Wire in the SDK, write your first policy, and watch authority flow through it.
Model your applicationYou keep this thing healthy. Deployment options, production hardening, and what to check when something breaks.
Operations guideCaracal is built in the open and good PRs land fast. Set up locally, learn the architecture, find your first change.
Contribute to CaracalCommunity
We build this in the open
Talks, posts, and a weekly call where the roadmap actually gets decided.
CommunityFrom the blogCaracal Joins LFX MentorshipWhy Caracal is taking part in the Linux Foundation's LFX Mentorship program, and what mentees and the project get out of it.