Manage Product Objects
The Console is the supported human interface for product management. Launch it with:
caracal consoleor:
caracal-consoleManagement Flow
Section titled “Management Flow”zone -> application -> provider -> resource -> policy -> policy set -> authority session/auditConsole guided setup walks the first version of that flow and can write a runtime profile for caracal run and SDKs.
Menu Workflows
Section titled “Menu Workflows”| Menu label | What it manages |
|---|---|
zone | Zone records and active zone selection. |
application | Confidential agent applications and one-time client secrets. |
provider | Gateway upstream auth modes for Caracal mandates, OAuth 2.0 authorization code, OAuth 2.0 client credentials, API-key, and bearer-token upstreams. |
resource | Protected resource identifiers, scopes, upstream URLs, Gateway application bindings, and upstream credential provider bindings. |
policy | Policy content and versions. |
policy set | Policy-set composition, simulation, activation, and shadow evaluation. |
authority session | Active authority-session records. |
control | Control API exposure and Control credentials. |
Secrets and Credentials
Section titled “Secrets and Credentials”Application client secrets are shown once when created. Provider secrets are accepted only in provider create or rotation-style edit flows and are stored sealed by the Control API. Store application secrets in a secret manager, mounted secret file, or Console-generated local profile before leaving the result screen. The Console masks secret-shaped fields and error output.
Automation Handoff
Section titled “Automation Handoff”Use the Console control menu when management needs to move from interactive operations to automation. Control API calls are authenticated and audited. They use the same product-management boundary as the Console; they are not exposed as top-level runtime CLI commands.
Troubleshooting
Section titled “Troubleshooting”| Symptom | Check |
|---|---|
| A view says a zone is required | Press z to select a zone before opening zone-scoped views. |
| A created client secret is no longer visible | Generate or rotate a new secret; one-time secrets are not recoverable. |
| Policy activation fails | Run simulation, inspect validation errors, and confirm the policy set references the intended policy versions. |
| Control API calls fail | Confirm Control is enabled from the Console control menu and the automation token targets the Control resource. |
Next Step
Section titled “Next Step”Use Inspect Diagnostics and Audit when you need health checks, audit records, or request traces.