---
title: "Manage Product Objects"
url: "https://docs.caracal.run/runtime-console/admin/"
markdown_url: "https://docs.caracal.run/markdown/runtime-console/admin.md"
description: "Manage zones, applications, providers, resources, policies, authority sessions, and Control through the Console."
page_type: "reference"
concepts: []
requires: []
---

# Manage Product Objects

Canonical URL: https://docs.caracal.run/runtime-console/admin/
Markdown URL: https://docs.caracal.run/markdown/runtime-console/admin.md
Description: Manage zones, applications, providers, resources, policies, authority sessions, and Control through the Console.
Page type: reference
Concepts: none
Requires: none

---

The Console is the supported human interface for product management. Launch it with:

```bash
caracal console
```

or:

```bash
caracal-console
```

## Management Flow

```text
zone -> application -> provider -> resource -> policy -> policy set -> authority session/audit
```

Console `guided setup` walks the first version of that flow and can write a runtime profile for `caracal run` and SDKs.

## Menu Workflows

| Menu label | What it manages |
| --- | --- |
| `zone` | Zone records and active zone selection. |
| `application` | Confidential agent applications and one-time client secrets. |
| `provider` | Gateway upstream auth modes for Caracal mandates, OAuth 2.0 authorization code, OAuth 2.0 client credentials, API-key, and bearer-token upstreams. |
| `resource` | Protected resource identifiers, scopes, upstream URLs, Gateway application bindings, and upstream credential provider bindings. |
| `policy` | Policy content and versions. |
| `policy set` | Policy-set composition, simulation, activation, and shadow evaluation. |
| `authority session` | Active authority-session records. |
| `control` | Control API exposure and Control credentials. |

## Secrets and Credentials

Application client secrets are shown once when created. Provider secrets are accepted only in provider create or rotation-style edit flows and are stored sealed by the Control API. Store application secrets in a secret manager, mounted secret file, or Console-generated local profile before leaving the result screen. The Console masks secret-shaped fields and error output.

## Automation Handoff

Use the Console `control` menu when management needs to move from interactive operations to automation. Control API calls are authenticated and audited. They use the same product-management boundary as the Console; they are not exposed as top-level runtime CLI commands.

## Troubleshooting

| Symptom | Check |
| --- | --- |
| A view says a zone is required | Press `z` to select a zone before opening zone-scoped views. |
| A created client secret is no longer visible | Generate or rotate a new secret; one-time secrets are not recoverable. |
| Policy activation fails | Run simulation, inspect validation errors, and confirm the policy set references the intended policy versions. |
| Control API calls fail | Confirm Control is enabled from the Console `control` menu and the automation token targets the Control resource. |

## Next Step

Use [Inspect Diagnostics and Audit](/runtime-console/observability/) when you need health checks, audit records, or request traces.