Agent Teams
Agent Teams lets an organization admin provision an agent team, issue the per-tenant credentials your agents use to authenticate to the Containment proxy, and choose which policies govern each team.
Accessing Agent Teams
Open Agent Teams from the dashboard sidebar (or the Manage agent teams button on the Agents page). Managing agent teams requires Organization Admin permission.
Agent Teams availability depends on your plan. Every plan can provision an agent team; the enforcement tier differs:
| Plan | Agent Teams tier |
|---|---|
| Free | Shadow only |
| Professional | Enforce-eligible |
| Enterprise | Federation-eligible |
New teams always start in shadow / observe mode.
Creating a Team
- In Create agent team, enter a Team name (and an optional description).
- Click Create team.
Your teams appear in the Teams selector. Select a team to configure its identities, governing policies, and credentials.
Agent Identities
With a team selected, register the agent slugs that belong to it:
- Enter an Agent slug (for example,
growth-lead). - Click Register identity.
Registered identities are listed with an active/inactive status badge.
Governing Policies
Choose which of your organization's policies govern the selected team:
- A policy left unassigned stays org-wide and applies to every team automatically.
- Assigning a policy scopes it to the teams you pick.
Each assigned policy runs in one of two modes:
- Shadow (observe-only, the default) — a violation is recorded but not blocked.
- Enforce — a violation blocks the agent's action. Enforce is opt-in per policy and reversible; switching a policy to Enforce prompts for confirmation because it can stop your agents from running.
Use the mode toggle in the Governing policies table to switch a policy between Shadow and Enforce.
Credentials
Agents authenticate to the Containment proxy with a per-tenant credential.
Issuing a Credential
- Optionally enter a Label.
- Click Issue agent credential.
- The token is shown once in a modal — copy it into your agent's secret manager immediately. It is never shown again, and the signing secret never leaves the server.
Issued credentials appear in the credentials table with their key ID, label, status, and creation time.
Rotating and Revoking
- Rotate issues a new key and activates it before revoking the old one — a zero-downtime replacement. The new token is shown once, like issuance.
- Revoke immediately invalidates a key: any agent still using a token signed with it will fail to authenticate. Revoke is irreversible; use Rotate when you need a non-breaking replacement.
Related Topics
- Agents Overview - Monitor policy decisions and agent actions
- Policy Overview - Create and manage the policies that govern teams
- Administrators - Admin and permission management