Policy enforcement at every access point
A gate sits between an agent and a protected resource. It verifies identity, checks permissions against a published catalog, evaluates constraints, and makes a real-time enforcement decision — all before the action executes.
API gateways enforce rate limits and auth tokens, but they can't answer the questions that matter for autonomous agents: Is this specific agent model authorized? Is it within its spend budget for this task? Does it have permission from its delegating agent? Has its credential been revoked since it started this session?
These are governance questions, not traffic management questions.
Every gate publishes a permission catalog — a versioned, immutable document that describes what permissions exist, what constraints apply, and what trust level is required. Agents can query the catalog before making requests.
When a credential is issued, it's pinned to a specific catalog version. If the gate operator changes policies, existing credentials keep their original terms until re-issued. This is the bait-and-switch prevention mechanism.
Spend limits, rate limits, time windows, domain allowlists, trust tier requirements, approval thresholds — all structured constraints in the catalog. Versioned, signed, pinned to credentials.
Before taking an action, an agent can ask the gate: "Would this be allowed?" Full verification logic, no side effects. Returns the exact decision the agent would receive.
Credentials are pinned to a specific catalog snapshot at issuance. Policy changes publish a new version. Existing credentials keep their original terms until deliberately re-issued.
Configure which issuers your gate trusts. Accept credentials from your own agents, partner organizations, or any trusted authority — and revoke trust instantly if needed.
Define what unauthenticated agents can do (read-only, rate-limited) vs. what requires a credential. Machine-readable upgrade hints for agents that need more.
A single agent can hold credentials pinned to multiple gates, each with its own catalog and version pin. Universal constraint vocabulary for cross-gate reasoning.
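The catalog pinning and dry-run behaviour described above, as an added sketch that is not the product's own code: a credential keeps the spend limit of the catalog version it was issued under, and a dry-run check returns the enforcement decision without recording spend. The `Gate` class, its method names, the `payments.send` permission and the decision strings are all hypothetical, and signature verification of catalogs and credentials is left out.

```python
from dataclasses import dataclass, field
from types import MappingProxyType

@dataclass
class Gate:  # hypothetical model of a gate, for illustration only
    trusted_issuers: set
    catalogs: dict = field(default_factory=dict)  # version -> read-only view
    revoked: set = field(default_factory=set)     # revoked credential ids
    spent: dict = field(default_factory=dict)     # credential id -> spend so far

    def publish(self, permissions):
        """Publish a new catalog version; earlier versions are never modified."""
        version = len(self.catalogs) + 1
        self.catalogs[version] = MappingProxyType(dict(permissions))
        return version

    def issue(self, cred_id, issuer, permission):
        """Issue a credential pinned to the catalog version current at issuance."""
        return {"id": cred_id, "issuer": issuer, "permission": permission,
                "catalog_version": max(self.catalogs)}

    def _decide(self, cred, permission, amount):
        if cred["issuer"] not in self.trusted_issuers:
            return "deny:untrusted_issuer"
        if cred["id"] in self.revoked:
            return "deny:revoked"
        if cred["permission"] != permission:
            return "deny:permission"
        # Constraints come from the pinned version, not the latest one.
        rule = self.catalogs[cred["catalog_version"]].get(permission)
        if rule is None:
            return "deny:not_in_catalog"
        if self.spent.get(cred["id"], 0) + amount > rule["spend_limit"]:
            return "deny:spend_limit"
        return "allow"

    def check(self, cred, permission, amount):
        """Dry run: same decision logic as enforce(), no state change."""
        return self._decide(cred, permission, amount)

    def enforce(self, cred, permission, amount):
        """Decide, and record the spend only when the action is allowed."""
        decision = self._decide(cred, permission, amount)
        if decision == "allow":
            self.spent[cred["id"]] = self.spent.get(cred["id"], 0) + amount
        return decision
```

Routing `check` and `enforce` through the same `_decide` function is what keeps the dry-run answer identical to the real one; the only difference is whether spend is recorded.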