Skip to content

Understand the Model

Caracal gives agents short-lived, policy-approved authority instead of long-lived secrets. Read this section after your first integration when you need the vocabulary behind guides, SDKs, operations pages, and API reference material.

Start hereUse it to understand
Caracal Mental ModelThe smallest useful picture of Caracal.
Authority and EnforcementWhere decisions happen before requests reach a target.
ZonesThe tenant boundary that owns keys, policies, resources, sessions, and audit.
Identities and ApplicationsThe identities that authenticate, run, and delegate.
Resources and GrantsWhat can be accessed and which scopes are granted.
Policies and Policy SetsRego rules evaluated by the STS during token exchange.
Step-Up ChallengesHow sensitive actions require fresh approval.
MandatesThe short-lived JWT that carries approved authority.
Agent DelegationHow one agent passes bounded authority to another.
Delegation ConstraintsThe limits attached to delegated authority.
Sessions and RevocationHow active authority is ended and propagated.
Audit and Request TracesThe event trail behind decisions and runs.
Caracal OperatorThe governed natural-language assistant for control-plane changes.
flowchart LR
  Principal["Principal or agent"] --> SDK["SDK / Gateway request"]
  SDK --> STS["STS token exchange"]
  STS --> Policy["Active policy set"]
  Policy --> Mandate["Mandate JWT"]
  Mandate --> Gateway["Gateway or connector"]
  Gateway --> Resource["Protected resource"]
  STS --> Audit["Audit ledger"]
  Gateway --> Audit

The same model appears across the product:

  • Onboarding uses the web console guided setup to create the first zone, application, resource, and policy, then you configure runtime access with environment variables or a caracal.toml profile.
  • Guides use the SDKs, Console, Admin API, and connectors to build repeatable integrations.
  • Operations pages use the same terms when explaining keys, revocation, audit, and runtime health.
TermShort definitionCanonical page
ZoneTenant boundary for authority data and signing keys.Zones
ApplicationRegistered client or agent workload.Identities and Applications
PrincipalUser, service, or agent identity bound to a session.Identities and Applications
ResourceProtected API, MCP server, tool group, or upstream target.Resources and Grants
GrantBinding from an application and user to resource scopes.Resources and Grants
PolicyVersioned Rego logic evaluated at token exchange.Policies and Policy Sets
Policy setVersioned bundle of policies activated for a zone.Policies and Policy Sets
MandateShort-lived JWT issued by the STS after policy approval.Mandates
Delegation edgeBounded authority transfer between agent sessions.Agent Delegation
Revocation anchorSession, root session, agent session, or delegation edge checked by resource servers.Sessions and Revocation
Caracal OperatorGoverned natural-language assistant that turns intent into reviewed control-plane changes.Caracal Operator
System zoneReserved caracal.sys/ zone for the infrastructure that runs Caracal.Zones

After the concepts, use Guides for task-focused procedures or SDKs for language-specific reference.