Understand Architecture

Caracal is a pre-execution authority system for AI agents. It separates control-plane management, token exchange, protected-resource routing, audit evidence, and agent/delegation coordination into independent services backed by Postgres and Redis Streams.

```mermaid
flowchart LR
  Console[Console/Admin SDK] --> API[Control-Plane API]
  Workload[SDK or caracal run] --> STS[STS]
  Client[Protected request] --> Gateway[Gateway]
  Agent[Agent SDK] --> Coordinator[Coordinator]
  API --> Postgres[(Postgres)]
  STS --> Postgres
  Gateway --> Postgres
  Coordinator --> Postgres
  API --> Redis[(Redis Streams)]
  STS --> Redis
  Gateway --> Redis
  Coordinator --> Redis
  Redis --> Audit[Audit]
  Audit --> Postgres
  Control[Control API] --> API
```

| Choice | Effect |
| --- | --- |
| Postgres as source of truth | Product state, policy versions, grants, sessions, audit rows, agents, delegations, and outboxes are durable. |
| Redis Streams for propagation | Audit, invalidation, revocation, key, agent, invocation, and delegation events move asynchronously. |
| STS for mandate issuance | Every protected access path receives a scoped, short-lived mandate. |
| Gateway for protected upstreams | Gateway verifies inbound authority, exchanges with STS, blocks unsafe routing, and emits audit evidence. |
| Coordinator for agent authority | Agent sessions, service leases, delegation edges, and invocation lifecycle stay explicit. |
| Console/API boundary | Human management uses Console; automation uses Control/Admin APIs; runtime CLI remains lifecycle-only. |

| Need | Page |
| --- | --- |
| Identify services, clients, and dependencies | Map the System |
| Understand STS mandate issuance | Exchange Tokens |
| Understand agent sessions and delegation | Coordinate Agents |

| Need | Page |
| --- | --- |
| Understand Redis Streams and outboxes | Propagate Events |
| Understand durable data ownership | Store State |
| Understand signing, HMACs, JWKS, and rotation | Manage Keys |
| Understand security and command boundaries | Enforce Boundaries |

Start with Map the System before tracing request and state flows.

For service-by-service detail, continue to Understand Services. For deployment detail, use Operations.