Gates
A Gate is a security checkpoint that verifies agent passports and enforces guardrails in real time. Gates block non-compliant requests before they execute.
What does a Gate do?
When an agent tries to access a protected resource, it presents its passport at the gate. The gate:
- Verifies the passport signature cryptographically, using Ed25519 (an industry-standard elliptic curve signing algorithm)
- Checks the issuer: is this issuer trusted for the configured trust tier?
- Checks expiry and revocation: is the passport still valid?
- Evaluates guardrails: does this request comply with spend limits, rate limits, and domain rules?
- Decides: allow or deny, in real time, before the action executes
- Issues an attestation: a signed, tamper-proof audit record of the decision
Gates are enforcement with teeth: they don't just log, they block. Non-compliant requests never reach the protected resource.
Security Levels
Baseline (L1)
- Accepts: Self-issued passports (no managed account needed)
- Replay protection: Basic nonce checking
- Revocation: Optional
- Use case: Local dev, testing, personal automation
Trusted (L2)
- Accepts: Managed issuers from the Modei platform
- Replay protection: Strict replay protection (nonce + timestamp)
- Revocation: Checked on every request
- Use case: Production deployments, team agents, real APIs
Verified (L3)
Coming Soon
- Accepts: Verified/certified issuers only
- Replay protection: Proof of Possession (PoP) required
- Revocation: Mandatory + real-time CRL check
- Use case: Finance, healthcare, legal, regulated environments
Creating a Gate (API)
curl -X POST https://modei.ai/api/v1/gates \
  -H "Authorization: Bearer mod_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production API Gate",
    "description": "Guards the main production API",
    "trust_level": "L2",
    "constraints": {
      "rate_limits": {
        "requests_per_minute": 60,
        "requests_per_day": 10000
      },
      "spend_limits": {
        "daily_usd": 100.00,
        "per_transaction_usd": 10.00
      },
      "allowed_domains": ["api.example.com", "data.example.com"],
      "pii_controls": {
        "mode": "log_only"
      }
    }
  }'

Response:

{
  "gate_id": "gate_01HXYZ...",
  "name": "Production API Gate",
  "trust_level": "L2",
  "gate_url": "https://gate.modei.ai/gate_01HXYZ...",
  "created_at": "2026-02-24T10:00:00Z"
}

The Verification Flow
// Agent sends request to gate
POST https://gate.modei.ai/gate_01HXYZ.../check
Headers:
X-Modei-Passport: eyJhbGciOiJFZERTQSJ9...
X-Modei-Agent-ID: research-bot-001
X-Modei-Signature: base64url(sign(request_hash))
// Gate verification steps:
1. Verify Ed25519 signature ✓
2. Decode JWT, check expiry ✓
3. Resolve issuer, check trust tier ✓
4. Check revocation status ✓
5. Evaluate guardrails (rate, spend, domain) ✓
6. Issue attestation, return decision ✓
// Response
{"decision": "allow", "attestation_id": "att_01H..."}
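Step 5 of the flow above (guardrail evaluation), sketched as an added example that is not Modei's code: it applies the constraints from the gate-creation request in rate, spend, domain order and denies on the first failure. The `usage` counters, the order of checks, and every reason code other than `spend_limit_exceeded` are assumptions.

```python
from decimal import Decimal

# Constraints copied from the gate-creation request on this page.
CONSTRAINTS = {
    "rate_limits": {"requests_per_minute": 60, "requests_per_day": 10000},
    "spend_limits": {"daily_usd": 100.00, "per_transaction_usd": 10.00},
    "allowed_domains": ["api.example.com", "data.example.com"],
}

def usd(value):
    # Convert via str() so JSON floats become exact decimals (99.5 -> 99.5).
    return Decimal(str(value))

def evaluate(constraints, context, usage):
    """Evaluate guardrails in order and deny on the first failure.
    `usage` is a hypothetical per-agent counter record (constructed here);
    every reason code except spend_limit_exceeded is also an assumption.
    """
    evaluated = []
    def block(reason, detail):
        return {"decision": "block", "reason": reason, "detail": detail,
                "guardrails_evaluated": list(evaluated)}

    evaluated.append("rate_limit")
    limits = constraints["rate_limits"]
    if (usage["requests_last_minute"] >= limits["requests_per_minute"]
            or usage["requests_today"] >= limits["requests_per_day"]):
        return block("rate_limit_exceeded", "Request rate limit reached")

    evaluated.append("spend_limit")
    daily = usd(constraints["spend_limits"]["daily_usd"])
    per_tx = usd(constraints["spend_limits"]["per_transaction_usd"])
    cost, spent = usd(context["estimated_cost_usd"]), usd(usage["spent_today_usd"])
    # A negative cost is rejected so it cannot lower the running daily total.
    if cost < 0 or cost > per_tx:
        return block("spend_limit_exceeded",
                     f"Cost ${cost:.2f} is outside the per-transaction range $0.00 to ${per_tx:.2f}")
    if spent + cost > daily:
        return block("spend_limit_exceeded",
                     f"Daily spend limit of ${daily:.2f} would be exceeded. "
                     f"Current: ${spent:.2f}, Requested: ${cost:.2f}")

    evaluated.append("domain_allowlist")
    # Exact host match only; suffix or substring matching would admit look-alike hosts.
    host = context["domain"].strip().lower().rstrip(".")
    if host not in {d.lower() for d in constraints["allowed_domains"]}:
        return block("domain_not_allowed", f"{host!r} is not on the allowlist")

    return {"decision": "allow", "guardrails_evaluated": evaluated, "all_passed": True}
```

Money is handled as `Decimal` so the comparison against the daily limit is exact at the boundary, and a blocked decision lists only the guardrails reached before the failure.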
Testing a Gate
curl -X POST https://modei.ai/api/v1/gates/gate_01HXYZ.../test \
  -H "Authorization: Bearer mod_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "passport_token": "eyJhbGciOiJFZERTQSJ9...",
    "requested_action": "web:search",
    "context": {
      "domain": "api.example.com",
      "estimated_cost_usd": 0.01
    }
  }'

Response when the request is allowed:

{
  "decision": "allow",
  "agent_id": "research-bot-001",
  "gate_id": "gate_01HXYZ...",
  "attestation_id": "att_01HABC...",
  "timestamp": "2026-02-24T10:00:00Z",
  "guardrails_evaluated": ["rate_limit", "spend_limit", "domain_allowlist"],
  "all_passed": true
}

Response when a guardrail blocks the request:

{
  "decision": "block",
  "reason": "spend_limit_exceeded",
  "detail": "Daily spend limit of $100.00 would be exceeded. Current: $99.50, Requested: $5.00",
  "attestation_id": "att_01HDEF...",
  "timestamp": "2026-02-24T10:00:00Z"
}

Related
- Guardrails: The rule sets gates enforce.
- Attestations: What gates produce on each decision.
- Trust Profiles: How L1/L2/L3 changes gate behavior.
- Gates API: Full REST API reference.
- Template Library: Pre-built guardrail sets for 30 agent archetypes.