Skip to content

Guides

Use Guides after Get Started or the Tutorials when you know the task you need to complete. You do not need to read every concept first; each guide links to the canonical concept page when the model matters.

TaskStart with
Map your architecture onto CaracalModel Your Application in Caracal
Serve many of your own customers from one deploymentServe Your Own Customers
Define protected targets and upstream credentialsDefine Resources and Providers and Provider Recipes
Write and activate authorization logicAuthor Policy Data and Activate a Policy Set
Debug an authorization resultDebug Authorization Decisions
Add Caracal to app codeTypeScript SDK, Python SDK, or Go SDK
Run an existing process with Caracal tokensRun an Agent with caracal run
Protect a Gateway-routed HTTP upstreamProtect a Gateway-Routed HTTP API
Protect a resource server in processExpress, FastAPI, FastMCP, Go net/http, or MCP server
Add delegation, audit export, or step-upDelegation, Audit Stream, or Step-Up Re-Authentication
Plan a production integrationProduction Integration Patterns
flowchart LR
  Model["Model app"]
  Resource["Define resources and providers"]
  Policy["Author policy"]
  Activate["Activate policy"]
  App["Integrate app"]
  Protect["Protect boundary"]
  Debug["Trace and debug"]

  Model --> Resource --> Policy --> Activate --> App --> Protect --> Debug

Use the right surface for each task:

SurfaceUse for
caracal up, down, status, upgrade, purge, run, webLocal runtime lifecycle and subprocess injection.
ConsoleHuman-facing zone, application, provider, resource, policy, session, audit, explanation, delegation, and diagnostic workflows.
Admin API and @caracalai/adminAutomation for the same control-plane objects.
SDKs and connectorsApplication integration, context propagation, mandate exchange, and mandate verification.

You need a running Caracal runtime, a zone, an application, at least one resource, and an active policy set. First Protected Call creates that baseline.