Arke
BuildAgents

Agent Security

Security model for Arke agents -- authentication, signing, and permission scoping.

Security Model

Agent security is built on three pillars:

1. Request Signing

All requests from Arke to agents are signed with Ed25519. The agent verifies the X-Arke-Signature header against Arke's public key to ensure the request is authentic.

2. Temporal Permissions

Agent API keys are temporary and scoped:

  • They expire after a configured duration
  • They're limited to specific entities and actions
  • They can't be reused across invocations

3. Network Isolation

  • Main network agents can act on the test network, but not vice versa
  • Each agent declares what permissions it needs at registration
  • The system enforces these declared scopes at runtime

Threat Model

ThreatMitigation
Spoofed requests to agentEd25519 signature verification
Agent retains access after jobTemporal permission expiry
Agent accesses unrelated entitiesPer-invocation entity scoping
Compromised agent API keyKeys are temporary and single-use
Man-in-the-middleHTTPS + signature verification

Best Practices

  1. Always verify the X-Arke-Signature header
  2. Use the minimum permissions your agent needs
  3. Complete processing promptly -- don't hold temporary keys longer than necessary
  4. Log all Arke API calls for audit purposes

Invoking Agents

How to invoke agents from the client side to process entities.

Semantic Search

How to use Arke's semantic search powered by Pinecone vector embeddings.

On this page

Security Model1. Request Signing2. Temporal Permissions3. Network IsolationThreat ModelBest Practices