Glossary

Use these terms consistently across docs, API names, web console labels, and examples.

| Term | Meaning |
| --- | --- |
| Agent | Workload identity that performs actions through Caracal-controlled authority. |
| Agent app | Confidential application registered for an agent workload; one agent app backs many agent sessions. |
| Agent session | Coordinator record representing one agent execution or child session. |
| Application | Registered client in a zone; confidential applications can exchange credentials. |
| Audit ledger | Append-only evidence stream and database records for decisions and operations. |
| Caracal Operator | Governed natural-language console assistant that turns intent into reviewed, audited control-plane changes within your operator scope. |
| Console | Browser-based management UI served by the packaged web tier in Compose and Helm; caracal web is the local development launcher. |
| Control API | Optional authenticated automation surface for remote management dispatch. |
| Delegation edge | Bounded authority from one agent session to another. |
| Gateway | Reverse proxy that verifies inbound authority, exchanges with STS, and forwards to upstreams. |
| Grant | Access assignment connecting an application or subject to a resource and scopes. |
| Mandate | Short-lived JWT carrying scoped Caracal authority. |
| Policy | Rego content that participates in allow/deny decisions. |
| Policy set | Activated bundle of policy versions for a zone. |
| Principal | User, service, application, or agent identity participating in authority. |
| Provider | Credential source or upstream integration for a protected resource. |
| Resource | Protected API, tool, MCP server, provider target, or upstream identifier. |
| Root session | Originating session at the root of a delegation chain; its ID is propagated as the authority root and checked as a revocation anchor. |
| Runtime profile | caracal.toml or environment configuration used by caracal run and SDKs. |
| Service agent | Long-lived agent session started with the SDK service() handle; it holds a heartbeat lease and is retired explicitly rather than when a block exits. |
| STS | Security Token Service that performs token exchange and mandate issuance. |
| Step-up challenge | Additional approval required before STS issues authority. |
| Subject session | Original authenticated user or service context that initiates a chain of agent authority. |
| System zone | Reserved caracal.sys/ zone for the infrastructure that runs Caracal; the Operator self-governs through it and never executes against it. |
| Zone | Tenant and trust boundary for product state, policies, grants, sessions, and audit. |

  • Use Caracal, not informal product nicknames.
  • Use mandate for Caracal-issued JWT authority, not generic “token” when the distinction matters.
  • Use web console for the browser UI and Control API for automation.
  • Use top-level caracal only for runtime lifecycle, caracal run, and the caracal web development launcher.

Use Error Codes when a service, SDK, Gateway, or verifier returns a machine-readable error.