# Caracal > Pre-execution authority enforcement for AI agents. Policies, mandates, and audit for production-grade autonomous systems. Caracal is an open-source system built by Garudex Labs. It issues short-lived signed mandates that bind agents and workloads to policy before protected-resource access. The core primitives are: principal, mandate, policy, zone, resource, grant, delegation edge, constraint, agent session, step-up challenge, and audit ledger. The runtime includes API (port 3000), STS (port 8080), Gateway (port 8081), Audit (port 9090), and Coordinator (port 4000). Control runs as an optional in-process plugin inside API. Runtime lifecycle uses the top-level caracal runtime CLI; product management uses Console, Admin SDK, or Control API. ## Machine-readable endpoints - [Full Markdown corpus](https://docs.caracal.run/llms-full.txt): Complete documentation content in one text file. - [Page metadata index](https://docs.caracal.run/page-index.json): JSON list of canonical HTML URLs, Markdown URLs, titles, descriptions, concepts, requirements, keywords, aliases, and services. - [Concept graph](https://docs.caracal.run/concept-graph.json): JSON graph of pages, concepts, and requirements. - Per-page Markdown: https://docs.caracal.run/markdown/{page-id}.md, for example https://docs.caracal.run/markdown/guides/serve-customers.md. ## Get Started - [Overview](https://docs.caracal.run/get-started/) ([Markdown](https://docs.caracal.run/markdown/get-started.md)): Decide whether Caracal fits, then follow the shortest path to a protected, audited agent call. - [Install Caracal](https://docs.caracal.run/get-started/install-caracal/) ([Markdown](https://docs.caracal.run/markdown/get-started/install-caracal.md)): Install the released Caracal CLI and Console, then verify Docker for the local stack. - [First Protected Call](https://docs.caracal.run/get-started/first-protected-call/) ([Markdown](https://docs.caracal.run/markdown/get-started/first-protected-call.md)): Start Caracal, create one protected resource, call it through the Gateway, and inspect audit. - [Add SDK to Your App](https://docs.caracal.run/get-started/add-sdk-to-your-app/) ([Markdown](https://docs.caracal.run/markdown/get-started/add-sdk-to-your-app.md)): Use the generated runtime profile from your first protected call in TypeScript, Python, or Go. - [First-Run Troubleshooting](https://docs.caracal.run/get-started/first-run-troubleshooting/) ([Markdown](https://docs.caracal.run/markdown/get-started/first-run-troubleshooting.md)): Fix common install, readiness, profile, STS, Gateway, upstream, and audit issues during onboarding. ## Tutorials - [Tutorials](https://docs.caracal.run/tutorials/) ([Markdown](https://docs.caracal.run/markdown/tutorials.md)): Guided post-onboarding walkthroughs for protecting a real API, connecting app code, tracing one request, and choosing the next integration path. - [Protect Your First Real API](https://docs.caracal.run/tutorials/protect-an-api/) ([Markdown](https://docs.caracal.run/markdown/tutorials/protect-an-api.md)): Put a Caracal-enforced boundary in front of one real HTTP service or provider route. - [Connect Your App with the SDK](https://docs.caracal.run/tutorials/connect-an-agent/) ([Markdown](https://docs.caracal.run/markdown/tutorials/connect-an-agent.md)): Wire app code through the SDK so protected calls carry Caracal authority and audit context. - [Trace One Protected Request](https://docs.caracal.run/tutorials/inspect-a-run/) ([Markdown](https://docs.caracal.run/markdown/tutorials/inspect-a-run.md)): Follow one protected request through sessions, policy decisions, Gateway action-result audit, and diagnostics. - [Choose Your Production Integration Path](https://docs.caracal.run/tutorials/choose-production-path/) ([Markdown](https://docs.caracal.run/markdown/tutorials/choose-production-path.md)): Choose the next guide for your production Gateway, SDK, connector, runtime, delegation, audit, or step-up integration. ## Guides - [Guides](https://docs.caracal.run/guides/) ([Markdown](https://docs.caracal.run/markdown/guides.md)): Task-focused implementation guides for modeling, authorizing, integrating, protecting, operating, and extending Caracal. - [Model Your Application in Caracal](https://docs.caracal.run/guides/modeling-recipes/) ([Markdown](https://docs.caracal.run/markdown/guides/modeling-recipes.md)): Map zones, applications, resources, providers, and scopes onto real deployments before creating production objects. - [Serve Your Own Customers](https://docs.caracal.run/guides/serve-customers/) ([Markdown](https://docs.caracal.run/markdown/guides/serve-customers.md)): Run one Caracal deployment that serves many of your customers, with per-customer identity, policy, audit, and revocation. - [Define Resources and Providers](https://docs.caracal.run/guides/resources-providers/) ([Markdown](https://docs.caracal.run/markdown/guides/resources-providers.md)): Register protected upstream resources and explicit provider auth modes from the Console. - [Provider Recipes](https://docs.caracal.run/guides/provider-recipes/) ([Markdown](https://docs.caracal.run/markdown/guides/provider-recipes.md)): Concrete copy-paste provider setups for OpenAI, Google, GitHub, Slack, and internal APIs, with the enforcement boundary each one uses. - [Author Policy Data](https://docs.caracal.run/guides/author-policy/) ([Markdown](https://docs.caracal.run/markdown/guides/author-policy.md)): Author the grant, binding, and confinement data the platform decision contract reads, and validate it before activation. - [Activate a Policy Set](https://docs.caracal.run/guides/activate-policy-set/) ([Markdown](https://docs.caracal.run/markdown/guides/activate-policy-set.md)): Version policies, bundle them into a policy set, simulate the result, and promote the version to active. - [Debug Authorization Decisions](https://docs.caracal.run/guides/authorize-access/) ([Markdown](https://docs.caracal.run/markdown/guides/authorize-access.md)): Diagnose denied exchanges, missing scopes, inactive policy sets, stale sessions, resource mismatches, and missing audit evidence. - [Integrate the TypeScript SDK](https://docs.caracal.run/guides/sdk-typescript/) ([Markdown](https://docs.caracal.run/markdown/guides/sdk-typescript.md)): Install @caracalai/sdk, load a generated profile, spawn agents, delegate authority, and inject Caracal headers. - [Integrate the Python SDK](https://docs.caracal.run/guides/sdk-python/) ([Markdown](https://docs.caracal.run/markdown/guides/sdk-python.md)): Install caracalai-sdk, load a generated profile, spawn agents with async context managers, delegate authority, and use httpx transport injection. - [Integrate the Go SDK](https://docs.caracal.run/guides/sdk-go/) ([Markdown](https://docs.caracal.run/markdown/guides/sdk-go.md)): Install the Go SDK, load a generated profile, spawn agents with context.Context, delegate authority, and inject Caracal headers. - [Run an Agent with caracal run](https://docs.caracal.run/guides/runtime-run/) ([Markdown](https://docs.caracal.run/markdown/guides/runtime-run.md)): Use a generated runtime profile to inject scoped Caracal access into a subprocess. - [Protect a Gateway-Routed HTTP API](https://docs.caracal.run/guides/protect-gateway-http/) ([Markdown](https://docs.caracal.run/markdown/guides/protect-gateway-http.md)): Configure a resource route so Caracal Gateway verifies mandates, brokers provider credentials, forwards the request, and records action-result audit. - [Protect an Express App](https://docs.caracal.run/guides/protect-express/) ([Markdown](https://docs.caracal.run/markdown/guides/protect-express.md)): Add the caracalAuth middleware to Express routes to verify mandates and enforce scope requirements. - [Protect a FastMCP App](https://docs.caracal.run/guides/protect-fastmcp/) ([Markdown](https://docs.caracal.run/markdown/guides/protect-fastmcp.md)): Attach CaracalAuth to a FastMCP server so tool calls are mandate-verified before handlers run. - [Protect a Go net/http Service](https://docs.caracal.run/guides/protect-nethttp/) ([Markdown](https://docs.caracal.run/markdown/guides/protect-nethttp.md)): Wrap Go HTTP handlers with the mcp-nethttp middleware to verify mandates and attach claims to context.Context. - [Protect an MCP Server](https://docs.caracal.run/guides/protect-mcp/) ([Markdown](https://docs.caracal.run/markdown/guides/protect-mcp.md)): Gate MCP tool calls with Caracal mandate verification using framework-neutral transport packages. - [Tail and Query the Audit Stream](https://docs.caracal.run/guides/audit-stream/) ([Markdown](https://docs.caracal.run/markdown/guides/audit-stream.md)): Filter audit events, inspect diagnostics, and explain a specific request ID. - [Implement Multi-Agent Delegation](https://docs.caracal.run/guides/delegation/) ([Markdown](https://docs.caracal.run/markdown/guides/delegation.md)): Spawn child agents, attach typed constraints, inspect graph impact, and revoke safely. - [Step-Up Re-Authentication](https://docs.caracal.run/guides/step-up/) ([Markdown](https://docs.caracal.run/markdown/guides/step-up.md)): Handle interaction_required from the STS, satisfy the challenge, and retry token exchange with proof. - [Production Integration Patterns](https://docs.caracal.run/guides/enterprise-runtime-patterns/) ([Markdown](https://docs.caracal.run/markdown/guides/enterprise-runtime-patterns.md)): Integration patterns for APIs, MCP servers, queues, service mesh, SIEM, provider SDKs, and production rollout. ## Core Concepts - [Understand the Model](https://docs.caracal.run/concepts/) ([Markdown](https://docs.caracal.run/markdown/concepts.md)): Learn the mental model behind scoped authority, policy decisions, delegation, revocation, and audit in Caracal. - [Caracal Mental Model](https://docs.caracal.run/concepts/model-overview/) ([Markdown](https://docs.caracal.run/markdown/concepts/model-overview.md)): Six nouns, three verbs, and one decision point that explain Caracal. - [Authority and Enforcement](https://docs.caracal.run/concepts/authority-model/) ([Markdown](https://docs.caracal.run/markdown/concepts/authority-model.md)): How Caracal enforces authority before a request reaches its target. - [Zones](https://docs.caracal.run/concepts/zone/) ([Markdown](https://docs.caracal.run/markdown/concepts/zone.md)): The tenancy boundary that owns policies, keys, resources, sessions, and audit. - [Identities and Applications](https://docs.caracal.run/concepts/principal/) ([Markdown](https://docs.caracal.run/markdown/concepts/principal.md)): Applications, users, services, and agents that act inside a zone. - [Resources and Grants](https://docs.caracal.run/concepts/resource-grant/) ([Markdown](https://docs.caracal.run/markdown/concepts/resource-grant.md)): Resources expose protected targets and scopes; grants bind principals to subsets of those scopes. - [Policies and Policy Sets](https://docs.caracal.run/concepts/policy/) ([Markdown](https://docs.caracal.run/markdown/concepts/policy.md)): Versioned policy data documents the platform decision contract evaluates inside the STS at token-exchange time. - [Step-Up Challenges](https://docs.caracal.run/concepts/step-up/) ([Markdown](https://docs.caracal.run/markdown/concepts/step-up.md)): How policies require fresh proof of authority for sensitive resources. - [Mandates](https://docs.caracal.run/concepts/mandate/) ([Markdown](https://docs.caracal.run/markdown/concepts/mandate.md)): The short-lived, signed JWT that carries approved session or resource authority. - [Agent Delegation](https://docs.caracal.run/concepts/delegation/) ([Markdown](https://docs.caracal.run/markdown/concepts/delegation.md)): Directed, cycle-checked edges that pass scoped authority between agent sessions. - [Delegation Constraints](https://docs.caracal.run/concepts/constraint/) ([Markdown](https://docs.caracal.run/markdown/concepts/constraint.md)): Resource, TTL, hop, budget, and approval restrictions that travel with a delegation edge. - [Sessions and Revocation](https://docs.caracal.run/concepts/sessions-revocation/) ([Markdown](https://docs.caracal.run/markdown/concepts/sessions-revocation.md)): Agent sessions, cascading revocation, and the revocation event stream. - [Audit and Request Traces](https://docs.caracal.run/concepts/audit-ledger/) ([Markdown](https://docs.caracal.run/markdown/concepts/audit-ledger.md)): Decision events and diagnostics that explain Caracal authority. ## Operations - [Operate Caracal](https://docs.caracal.run/operations/) ([Markdown](https://docs.caracal.run/markdown/operations.md)): Operator runbooks for deploying, configuring, securing, observing, recovering, releasing, and handing off Caracal. - [Deploy with Docker Compose](https://docs.caracal.run/operations/docker-compose/) ([Markdown](https://docs.caracal.run/markdown/operations/docker-compose.md)): Run and verify the local or self-hosted Caracal stack with Docker Compose. - [Deploy with Helm](https://docs.caracal.run/operations/kubernetes-helm/) ([Markdown](https://docs.caracal.run/markdown/operations/kubernetes-helm.md)): Deploy Caracal on Kubernetes with the repository Helm chart. - [Choose a Cloud Profile](https://docs.caracal.run/operations/cloud-native-profiles/) ([Markdown](https://docs.caracal.run/markdown/operations/cloud-native-profiles.md)): Configure Caracal for managed Kubernetes, managed Postgres, Redis, ingress, secrets, and observability. - [Deploy on Managed Kubernetes](https://docs.caracal.run/operations/cloud-reference-deployments/) ([Markdown](https://docs.caracal.run/markdown/operations/cloud-reference-deployments.md)): Concrete managed-Kubernetes reference for Caracal with External Secrets, cert-manager TLS, and managed Postgres and Redis. - [Package an Install Kit](https://docs.caracal.run/operations/enterprise-install-kit/) ([Markdown](https://docs.caracal.run/markdown/operations/enterprise-install-kit.md)): Package and hand off production Caracal installation materials without crossing product boundaries. - [Configure Service Environment](https://docs.caracal.run/operations/env-vars/) ([Markdown](https://docs.caracal.run/markdown/operations/env-vars.md)): Operational environment variables for Caracal services and runtime workloads. - [Harden Production](https://docs.caracal.run/operations/tls-hardening/) ([Markdown](https://docs.caracal.run/markdown/operations/tls-hardening.md)): Harden network exposure, secrets, service processes, and upstream access for production Caracal. - [Rotate Keys and Secrets](https://docs.caracal.run/operations/key-management/) ([Markdown](https://docs.caracal.run/markdown/operations/key-management.md)): Manage Caracal secret material, signing keys, HMAC keys, and rotation evidence. - [Operate PostgreSQL](https://docs.caracal.run/operations/postgres/) ([Markdown](https://docs.caracal.run/markdown/operations/postgres.md)): Operate the durable Caracal control-plane database. - [Operate Redis Streams](https://docs.caracal.run/operations/redis/) ([Markdown](https://docs.caracal.run/markdown/operations/redis.md)): Operate Redis Streams for Caracal events, invalidation, revocation, and coordination. - [Scale Capacity](https://docs.caracal.run/operations/scale-capacity/) ([Markdown](https://docs.caracal.run/markdown/operations/scale-capacity.md)): Size Caracal services, storage, and queues for production traffic. - [Monitor Health and Metrics](https://docs.caracal.run/operations/observability/) ([Markdown](https://docs.caracal.run/markdown/operations/observability.md)): Monitor Caracal health, readiness, metrics, audit flow, and runtime diagnostics. - [Configure Alerts](https://docs.caracal.run/operations/alerts/) ([Markdown](https://docs.caracal.run/markdown/operations/alerts.md)): Alert names, meanings, and first-response actions for Caracal operations. - [Troubleshoot by Symptom](https://docs.caracal.run/operations/troubleshooting/) ([Markdown](https://docs.caracal.run/markdown/operations/troubleshooting.md)): Start from the symptom of a failing or denied Caracal call, locate the surface that failed, inspect the right object, and use the matching diagnostic tool. - [Debug Infrastructure Issues](https://docs.caracal.run/operations/debugging/) ([Markdown](https://docs.caracal.run/markdown/operations/debugging.md)): Diagnose Caracal deployment, configuration, token exchange, Gateway, audit, and delegation issues. - [Recover from Failures](https://docs.caracal.run/operations/failure-modes/) ([Markdown](https://docs.caracal.run/markdown/operations/failure-modes.md)): Recover Caracal from storage, stream, policy, Gateway, STS, audit, and Coordinator failures. - [Run Failure Drills](https://docs.caracal.run/operations/failure-drills/) ([Markdown](https://docs.caracal.run/markdown/operations/failure-drills.md)): Rehearse Caracal failures by injecting faults and confirming the expected alerts, readiness behavior, and recovery. - [Back Up and Retain Data](https://docs.caracal.run/operations/backup-retention/) ([Markdown](https://docs.caracal.run/markdown/operations/backup-retention.md)): Back up and retain Caracal database, secrets, audit evidence, and replay state. - [Respond to Incidents](https://docs.caracal.run/operations/incident-response/) ([Markdown](https://docs.caracal.run/markdown/operations/incident-response.md)): Respond to Caracal access-safety, audit-integrity, and platform incidents. - [Plan a Platform Rollout](https://docs.caracal.run/operations/platform-rollout-kit/) ([Markdown](https://docs.caracal.run/markdown/operations/platform-rollout-kit.md)): Plan, gate, execute, and roll back Caracal platform rollouts. - [Deploy Policy Changes](https://docs.caracal.run/operations/policy-deployment/) ([Markdown](https://docs.caracal.run/markdown/operations/policy-deployment.md)): Safely validate, activate, observe, and roll back Caracal policy changes. - [Upgrade Caracal](https://docs.caracal.run/operations/upgrade/) ([Markdown](https://docs.caracal.run/markdown/operations/upgrade.md)): Upgrade Caracal safely across images, Helm chart values, migrations, and runtime configuration. - [Export Audit Evidence](https://docs.caracal.run/operations/compliance-audit-integration/) ([Markdown](https://docs.caracal.run/markdown/operations/compliance-audit-integration.md)): Export, verify, and preserve Caracal audit evidence for compliance workflows. - [Hand Off to Platform Teams](https://docs.caracal.run/operations/platform-team-handoff/) ([Markdown](https://docs.caracal.run/markdown/operations/platform-team-handoff.md)): Handoff checklist for teams operating Caracal in production. ## Architecture - [Understand Architecture](https://docs.caracal.run/architecture/) ([Markdown](https://docs.caracal.run/markdown/architecture.md)): Current Caracal system architecture, request flows, state propagation, storage, keys, and trust boundaries. - [Map the System](https://docs.caracal.run/architecture/system-topology/) ([Markdown](https://docs.caracal.run/markdown/architecture/system-topology.md)): Runtime topology for Caracal services, dependencies, and external clients. - [Exchange Tokens](https://docs.caracal.run/architecture/token-exchange-flow/) ([Markdown](https://docs.caracal.run/markdown/architecture/token-exchange-flow.md)): How STS exchanges authority for scoped Caracal mandates. - [Coordinate Agents](https://docs.caracal.run/architecture/delegation-flow/) ([Markdown](https://docs.caracal.run/markdown/architecture/delegation-flow.md)): How agent sessions, delegation edges, and invocation lifecycle move through Coordinator. - [Propagate Events](https://docs.caracal.run/architecture/event-streams/) ([Markdown](https://docs.caracal.run/markdown/architecture/event-streams.md)): Redis Streams, transactional outboxes, consumer groups, and replay paths in Caracal. - [Store State](https://docs.caracal.run/architecture/storage-model/) ([Markdown](https://docs.caracal.run/markdown/architecture/storage-model.md)): Durable Postgres tables, Redis streams, replay files, and ownership boundaries. - [Manage Keys](https://docs.caracal.run/architecture/crypto-keys/) ([Markdown](https://docs.caracal.run/markdown/architecture/crypto-keys.md)): Key material, signatures, HMACs, JWKS, and rotation boundaries in Caracal. - [Enforce Boundaries](https://docs.caracal.run/architecture/trust-boundaries/) ([Markdown](https://docs.caracal.run/markdown/architecture/trust-boundaries.md)): Security boundaries between users, runtime CLI, Console, Control API, services, storage, and upstreams. ## Runtime and Console - [Operate Runtime and Console](https://docs.caracal.run/runtime-console/) ([Markdown](https://docs.caracal.run/markdown/runtime-console.md)): Start the local stack, run Console setup, configure workloads, run agents, and inspect operations. - [Choose the Right Surface](https://docs.caracal.run/runtime-console/cli-and-console/) ([Markdown](https://docs.caracal.run/markdown/runtime-console/cli-and-console.md)): Decide whether a task belongs in the runtime CLI, Console, Control API, or Admin SDK. - [Start and Check the Stack](https://docs.caracal.run/runtime-console/stack/) ([Markdown](https://docs.caracal.run/markdown/runtime-console/stack.md)): Use caracal up, down, status, and purge to manage the local runtime stack. - [Use the Console](https://docs.caracal.run/runtime-console/console/) ([Markdown](https://docs.caracal.run/markdown/runtime-console/console.md)): Launch, navigate, and operate caracal-console. - [Configure Workloads](https://docs.caracal.run/runtime-console/config-file/) ([Markdown](https://docs.caracal.run/markdown/runtime-console/config-file.md)): Configure runtime profiles, credential manifests, secret files, and workload service endpoints. - [Run Workloads](https://docs.caracal.run/runtime-console/runtime/) ([Markdown](https://docs.caracal.run/markdown/runtime-console/runtime.md)): Use caracal run to inject scoped resource tokens into subprocesses. - [Manage Product Objects](https://docs.caracal.run/runtime-console/admin/) ([Markdown](https://docs.caracal.run/markdown/runtime-console/admin.md)): Manage zones, applications, providers, resources, policies, authority sessions, and Control through the Console. - [Inspect Diagnostics and Audit](https://docs.caracal.run/runtime-console/observability/) ([Markdown](https://docs.caracal.run/markdown/runtime-console/observability.md)): Inspect diagnostics, audit events, and request traces through the Console. - [Manage Agents and Delegation](https://docs.caracal.run/runtime-console/agents/) ([Markdown](https://docs.caracal.run/markdown/runtime-console/agents.md)): Inspect and manage agent sessions and delegation edges through the Console. ## SDKs - [Choose an SDK or Package](https://docs.caracal.run/sdks/) ([Markdown](https://docs.caracal.run/markdown/sdks.md)): Choose the Caracal SDK, verification package, transport, connector, admin client, or state backend for your integration. - [TypeScript SDK](https://docs.caracal.run/sdks/typescript/) ([Markdown](https://docs.caracal.run/markdown/sdks/typescript.md)): Public API reference for @caracalai/sdk. - [Python SDK](https://docs.caracal.run/sdks/python/) ([Markdown](https://docs.caracal.run/markdown/sdks/python.md)): Public API reference for caracalai-sdk. - [Go SDK](https://docs.caracal.run/sdks/go/) ([Markdown](https://docs.caracal.run/markdown/sdks/go.md)): Public API reference for the Go Caracal SDK. - [Verification Layer Overview](https://docs.caracal.run/sdks/verification-layer/) ([Markdown](https://docs.caracal.run/markdown/sdks/verification-layer.md)): Choose between framework connectors, MCP auth transport, identity verification, revocation stores, and state backends. - [Framework Connectors](https://docs.caracal.run/sdks/connectors/) ([Markdown](https://docs.caracal.run/markdown/sdks/connectors.md)): Framework adapters for Caracal-protected resource servers. - [Express Connector](https://docs.caracal.run/sdks/connectors/express/) ([Markdown](https://docs.caracal.run/markdown/sdks/connectors/express.md)): Express 5 middleware for Caracal mandate verification. - [FastMCP Connector](https://docs.caracal.run/sdks/connectors/fastmcp/) ([Markdown](https://docs.caracal.run/markdown/sdks/connectors/fastmcp.md)): FastMCP token verifiers for TypeScript and Python servers. - [Go net/http Connector](https://docs.caracal.run/sdks/connectors/nethttp/) ([Markdown](https://docs.caracal.run/markdown/sdks/connectors/nethttp.md)): Go middleware for protecting HTTP handlers with Caracal mandate verification. - [MCP Auth Transport](https://docs.caracal.run/sdks/transport-mcp/) ([Markdown](https://docs.caracal.run/markdown/sdks/transport-mcp.md)): Framework-neutral MCP authentication primitives for bearer parsing, mandate verification, and revocation checks. - [Identity Package](https://docs.caracal.run/sdks/identity/) ([Markdown](https://docs.caracal.run/markdown/sdks/identity.md)): JWT verification packages for mandate claims, scopes, targets, agents, delegation, and hop count. - [Revocation Package](https://docs.caracal.run/sdks/revocation/) ([Markdown](https://docs.caracal.run/markdown/sdks/revocation.md)): Revocation-store interfaces and in-memory stores for resource servers. - [OAuth Package](https://docs.caracal.run/sdks/oauth/) ([Markdown](https://docs.caracal.run/markdown/sdks/oauth.md)): RFC 8693 token exchange clients for Caracal STS. - [A2A Transport](https://docs.caracal.run/sdks/transport-a2a/) ([Markdown](https://docs.caracal.run/markdown/sdks/transport-a2a.md)): TypeScript helper for agent-to-agent calls with STS exchange and Caracal context propagation. - [Admin Package](https://docs.caracal.run/sdks/admin/) ([Markdown](https://docs.caracal.run/markdown/sdks/admin.md)): TypeScript client for the Caracal Admin API and Coordinator management surfaces. - [Redis Revocation Store](https://docs.caracal.run/sdks/connectors/redis/) ([Markdown](https://docs.caracal.run/markdown/sdks/connectors/redis.md)): Shared Redis revocation stores and revocation stream consumers. - [Postgres Token State Backend](https://docs.caracal.run/sdks/connectors/postgres/) ([Markdown](https://docs.caracal.run/markdown/sdks/connectors/postgres.md)): TypeScript Postgres backend for persisted token state. ## API Reference - [Use API Reference](https://docs.caracal.run/api/) ([Markdown](https://docs.caracal.run/markdown/api.md)): Current HTTP APIs, Gateway proxy behavior, STS exchange, Coordinator endpoints, and stream topics. - [Use Management API](https://docs.caracal.run/api/control-plane/) ([Markdown](https://docs.caracal.run/markdown/api/control-plane.md)): Management API endpoints served by the Caracal API service. - [Use Coordinator API](https://docs.caracal.run/api/coordinator/) ([Markdown](https://docs.caracal.run/markdown/api/coordinator.md)): Agent-session, service-agent, invocation, and delegation endpoints served by Coordinator. - [Use STS Endpoint](https://docs.caracal.run/api/sts/) ([Markdown](https://docs.caracal.run/markdown/api/sts.md)): OAuth token exchange, JWKS, step-up, and internal policy endpoints served by STS. - [Proxy Through Gateway](https://docs.caracal.run/api/gateway/) ([Markdown](https://docs.caracal.run/markdown/api/gateway.md)): Protected reverse-proxy behavior, routing headers, denial checks, and upstream forwarding. - [Use Event Topics](https://docs.caracal.run/api/event-topics/) ([Markdown](https://docs.caracal.run/markdown/api/event-topics.md)): Redis Stream topic names, producers, consumers, and contracts. ## Services - [Understand Services](https://docs.caracal.run/services/) ([Markdown](https://docs.caracal.run/markdown/services.md)): Service-by-service map for the current Caracal runtime, authority path, management plane, evidence pipeline, and automation surface. - [Manage Product State](https://docs.caracal.run/services/api/) ([Markdown](https://docs.caracal.run/markdown/services/api.md)): Service reference for the Caracal API service. - [Coordinate Agent State](https://docs.caracal.run/services/coordinator/) ([Markdown](https://docs.caracal.run/markdown/services/coordinator.md)): Service reference for agent sessions, delegation edges, invocations, and lifecycle events. - [Issue Mandates](https://docs.caracal.run/services/sts/) ([Markdown](https://docs.caracal.run/markdown/services/sts.md)): Service reference for token exchange, mandate issuance, JWKS, policy evaluation, and step-up status. - [Protect Upstreams](https://docs.caracal.run/services/gateway/) ([Markdown](https://docs.caracal.run/markdown/services/gateway.md)): Service reference for protected reverse proxying, STS exchange, revocation checks, and upstream safety. - [Ingest Audit Evidence](https://docs.caracal.run/services/audit/) ([Markdown](https://docs.caracal.run/markdown/services/audit.md)): Service reference for audit ingestion, DLQ, tamper checks, retention, search, and metrics. - [Automate Management](https://docs.caracal.run/services/control/) ([Markdown](https://docs.caracal.run/markdown/services/control.md)): Service reference for optional remote management invocation. ## Security - [Secure Caracal](https://docs.caracal.run/security/) ([Markdown](https://docs.caracal.run/markdown/security.md)): Review Caracal security boundaries, harden production deployments, and report vulnerabilities responsibly. - [Review the Threat Model](https://docs.caracal.run/security/threat-model/) ([Markdown](https://docs.caracal.run/markdown/security/threat-model.md)): Assets, boundaries, threats, mitigations, and validation checks for Caracal. - [Harden Security Posture](https://docs.caracal.run/security/hardening/) ([Markdown](https://docs.caracal.run/markdown/security/hardening.md)): Security hardening guidance for production Caracal deployments. - [Report a Vulnerability](https://docs.caracal.run/security/disclosure/) ([Markdown](https://docs.caracal.run/markdown/security/disclosure.md)): How to report Caracal security vulnerabilities responsibly. ## Examples - [Use Examples](https://docs.caracal.run/examples/) ([Markdown](https://docs.caracal.run/markdown/examples.md)): Choose the right runnable example for learning, automation, validation, or full reference-lab integration. - [Run Echo Upstream](https://docs.caracal.run/examples/echo-upstream/) ([Markdown](https://docs.caracal.run/markdown/examples/echo-upstream.md)): Start the local protected target that proves Gateway-brokered requests reach an upstream service. - [Bootstrap Control State](https://docs.caracal.run/examples/control-bootstrap/) ([Markdown](https://docs.caracal.run/markdown/examples/control-bootstrap.md)): Keep an agent environment in sync with a declared plan through a scoped Control API automation key. - [Check Provider Readiness](https://docs.caracal.run/examples/provider-preflight/) ([Markdown](https://docs.caracal.run/markdown/examples/provider-preflight.md)): Validate service readiness, dependencies, provider configuration, reachability, and policy authorization before the first Gateway request. - [Iterate Policy Safely](https://docs.caracal.run/examples/policy-iterate/) ([Markdown](https://docs.caracal.run/markdown/examples/policy-iterate.md)): Diagnose a denied request, simulate a candidate policy-set version, regression-check expected decisions, and activate only when every gate passes. - [Launch Research Agent](https://docs.caracal.run/examples/research-agent/) ([Markdown](https://docs.caracal.run/markdown/examples/research-agent.md)): Run a plain CLI agent with Google and OpenAI provider credentials injected by caracal run. - [Run Lynx Capital](https://docs.caracal.run/examples/lynx-capital/) ([Markdown](https://docs.caracal.run/markdown/examples/lynx-capital.md)): Run the agent-swarm reference protected by one Caracal managed application per permission boundary and per-agent labeled sessions. ## Reference - [Use Reference](https://docs.caracal.run/reference/) ([Markdown](https://docs.caracal.run/markdown/reference.md)): Lookup pages for answers, terms, errors, configuration, defaults, compatibility, releases, and wire contracts. - [FAQ](https://docs.caracal.run/reference/faq/) ([Markdown](https://docs.caracal.run/markdown/reference/faq.md)): Stable, searchable answers to recurring Caracal modeling, runtime, provider, troubleshooting, and edition questions. - [Glossary](https://docs.caracal.run/reference/glossary/) ([Markdown](https://docs.caracal.run/markdown/reference/glossary.md)): Canonical Caracal terms and names used across the documentation. - [Error Codes](https://docs.caracal.run/reference/errors/) ([Markdown](https://docs.caracal.run/markdown/reference/errors.md)): Shared Caracal error codes and response shape. - [Configuration Keys](https://docs.caracal.run/reference/configuration/) ([Markdown](https://docs.caracal.run/markdown/reference/configuration.md)): Runtime profile, service environment, and deployment configuration keys. - [Configuration Order](https://docs.caracal.run/reference/config-precedence/) ([Markdown](https://docs.caracal.run/markdown/reference/config-precedence.md)): How Caracal chooses runtime profiles, environment values, file secrets, and deployment values. - [Defaults and Limits](https://docs.caracal.run/reference/defaults-and-limits/) ([Markdown](https://docs.caracal.run/markdown/reference/defaults-and-limits.md)): Current ports, TTLs, timeouts, limits, and operational defaults. - [CLI Exit Codes](https://docs.caracal.run/reference/runtime-exit-codes/) ([Markdown](https://docs.caracal.run/markdown/reference/runtime-exit-codes.md)): Exit behavior for top-level caracal runtime CLI commands and Console launch. - [Compatibility](https://docs.caracal.run/reference/compatibility/) ([Markdown](https://docs.caracal.run/markdown/reference/compatibility.md)): Supported runtimes, package manager, service deployment targets, and docs build assumptions. - [Release Map](https://docs.caracal.run/reference/release-package-runtime-map/) ([Markdown](https://docs.caracal.run/markdown/reference/release-package-runtime-map.md)): Release, package, runtime, and service image naming map. - [Wire Contracts](https://docs.caracal.run/reference/interoperability-contracts/) ([Markdown](https://docs.caracal.run/markdown/reference/interoperability-contracts.md)): JSON schemas and fixtures for Caracal wire contracts. - [Compare Editions](https://docs.caracal.run/enterprise/) ([Markdown](https://docs.caracal.run/markdown/enterprise.md)): Compare the open-source Community Edition with the commercial Caracal Enterprise Edition. ## Contributing - [Contribute to Caracal](https://docs.caracal.run/contributing/) ([Markdown](https://docs.caracal.run/markdown/contributing.md)): Contributor guide for local setup, project standards, workflow, validation, governance, and releases. - [Set Up Locally](https://docs.caracal.run/contributing/setup/) ([Markdown](https://docs.caracal.run/markdown/contributing/setup.md)): Install dependencies and start a local Caracal development stack. - [Follow Project Standards](https://docs.caracal.run/contributing/style/) ([Markdown](https://docs.caracal.run/markdown/contributing/style.md)): Repository conventions for code, docs, naming, command ownership, and product boundaries. - [Make a Change](https://docs.caracal.run/contributing/workflow/) ([Markdown](https://docs.caracal.run/markdown/contributing/workflow.md)): How to plan, implement, validate, and submit Caracal changes. - [Validate Changes](https://docs.caracal.run/contributing/testing/) ([Markdown](https://docs.caracal.run/markdown/contributing/testing.md)): Test commands and validation strategy for Caracal contributors. - [Understand Governance](https://docs.caracal.run/contributing/governance/) ([Markdown](https://docs.caracal.run/markdown/contributing/governance.md)): Maintainer ownership, contribution process, security process, and community expectations. - [Release Caracal](https://docs.caracal.run/contributing/release/) ([Markdown](https://docs.caracal.run/markdown/contributing/release.md)): CalVer releases, package publishing, protected workflows, and rollback rules.