# Sealith Agent Token Guide

Sealith Agent Token is a constrained bearer token for AI workflows.

Use cases:

- Agent API over HTTPS
- MCP over HTTP JSON-RPC
- Purpose-bound secure handoff workflows
- AI-to-AI receive workflows via `receive_handoff`
- Audit-backed URL sharing workflows via `resourceType=url`

Business plan or higher is required.

## Token format

```text
Authorization: Bearer sl_agent_agt_xxxxxxxxxxxxxxxx_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
```

The raw secret is shown only once at issuance time.

## What you can restrict

- `scope`
- `purpose`
- recipient domains
- IP allowlist
- expiry time
- max file size

## Core scopes

- `transfers:create`
- `transfers:read`
- `transfers:finalize`
- `transfers:revoke`
- `logs:read`
- `audit:append`

## Recommended issuance pattern

1. Split tokens by workflow, not by team.
2. Keep `allowedPurposes` narrow.
3. Keep recipient domains narrow.
4. Set a short expiry.
5. Revoke unused tokens.

Example:

- token name: `契約レビューエージェント`
- agentId: `contract-review-agent`
- scopes: `transfers:create`, `transfers:read`, `transfers:finalize`, `logs:read`, `audit:append`
- allowedPurposes: `contract_review`
- allowedRecipientDomains: `example.com`

For AI receive flows:

- use `transfers:read`
- keep `allowedPurposes` narrow
- pair the token with a dedicated receiving workflow instead of reusing a sender token

For URL sharing flows:

- use `transfers:create`, `transfers:finalize`, and `transfers:read` as needed
- keep `allowedPurposes` narrow
- restrict recipient domains
- treat the external service domain as review context, not as access control delegated by Sealith

## Audit log fields

Sealith stores these fields for agent-driven actions:

- `actorType`
- `tokenId`
- `purpose`
- `jobId`
- `scope`
- `success`
- `errorCode`

If you call `append_audit_context`, you can also attach:

- `note`
- `result`
- custom `metadata`

## Common auth errors

- `agent_unauthorized`
- `invalid_agent_token`
- `agent_token_revoked`
- `agent_token_expired`
- `agent_scope_denied`
- `agent_ip_denied`
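The checks behind these error codes, in the order a server would apply them to the token format and restrictions described above, as an added illustration (not Sealith's own code): the token record, secret and IP range are constructed sample data, storing a hash of the secret is an assumed design since the guide only says the raw secret is shown once, and mapping a disallowed `purpose` to `agent_scope_denied` is an assumption because the guide lists no separate purpose error.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timezone

# Token shape from the guide: sl_agent_agt_<tokenId>_<secret>
TOKEN_RE = re.compile(r"^sl_agent_(agt_[A-Za-z0-9]+)_([A-Za-z0-9]+)$")

# Constructed sample record. Only a hash of the secret is kept server-side
# (assumed design); the raw secret exists only in the issued token.
SAMPLE_SECRET = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
TOKEN_STORE = {
    "agt_xxxxxxxxxxxxxxxx": {
        "secretHash": hashlib.sha256(SAMPLE_SECRET.encode()).hexdigest(),
        "scopes": {"transfers:create", "transfers:read", "logs:read"},
        "allowedPurposes": {"contract_review"},
        "ipAllowlist": ["203.0.113.0/24"],
        "expiresAt": datetime(2030, 1, 1, tzinfo=timezone.utc),
        "revoked": False,
    }
}


def authorize(header, scope, purpose, client_ip, now=None):
    """Return (tokenId, errorCode); errorCode is None when the call is allowed.

    tokenId is returned even on failure so the audit log can record it.
    """
    now = now or datetime.now(timezone.utc)
    if not header.startswith("Bearer "):
        return None, "agent_unauthorized"
    m = TOKEN_RE.match(header[len("Bearer "):])
    if not m:
        return None, "invalid_agent_token"
    token_id, secret = m.groups()
    rec = TOKEN_STORE.get(token_id)
    digest = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison so a wrong secret cannot be distinguished by timing.
    if rec is None or not hmac.compare_digest(digest, rec["secretHash"]):
        return token_id, "invalid_agent_token"
    if rec["revoked"]:
        return token_id, "agent_token_revoked"
    if now >= rec["expiresAt"]:
        return token_id, "agent_token_expired"
    # A purpose outside allowedPurposes is treated like a scope miss (assumption).
    if scope not in rec["scopes"] or purpose not in rec["allowedPurposes"]:
        return token_id, "agent_scope_denied"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(n) for n in rec["ipAllowlist"]):
        return token_id, "agent_ip_denied"
    return token_id, None
```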
