Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.svantic.com/llms.txt

Use this file to discover all available pages before exploring further.

Authentication & Access Control

Every interaction with Svantic is authenticated — from initial connection to individual capability invocations.

API Credentials

Every agent authenticates with Svantic using API credentials (Client ID and Client Secret). You obtain these from the dashboard under Settings → API Keys. The SDK handles authentication automatically — provide your credentials and the SDK exchanges them for a short-lived token, then uses that token for all subsequent API calls. 
const mesh = new MeshConnector(agent, {
	svantic_url: 'https://api.svantic.com',
	client_id: process.env.SVANTIC_CLIENT_ID!,
	client_secret: process.env.SVANTIC_CLIENT_SECRET!,
});
await mesh.connect();
No credentials are sent after the initial token exchange. The token expires periodically and the SDK refreshes it automatically.

Per-Invocation Authentication

Every capability invocation is independently authenticated — not just the connection. Each dispatch carries a short-lived, cryptographically signed token that your agent’s SDK verifies before executing any handler. This means:
  • Replay attacks are blocked — tokens expire in seconds
  • Each invocation is bound to a specific agent instance
  • Forged requests are rejected — a compromised callback URL cannot be used to trigger capability execution
The SDK handles all verification automatically. You don’t write any auth code in your handlers.

Registration Policies

Control which agent types are allowed to register with the mesh. Configurable in the dashboard under Settings → Agent Policy:
ModeBehavior
Open (default)Any agent type can register
Allow-listOnly pre-approved agent types can register
AuditAll types register, but unknown types are flagged for review
In allow-list mode, attempts to register an unapproved agent type are rejected with a clear error. In audit mode, the agent registers and operates normally, but a notification is raised for review.

Token Lifecycle

  1. Agent presents Client ID and Client Secret to POST /auth/get_token
  2. Svantic returns a short-lived JWT scoped to the agent’s account
  3. The SDK attaches this token to all subsequent API calls
  4. When the token nears expiry, the SDK refreshes it automatically
  5. On capability dispatch, a per-invocation token is generated and signed
  6. The receiving agent’s SDK verifies the per-invocation token before executing the handler
At no point does a long-lived secret travel over the wire after the initial exchange.

Getting Credentials

Sign up at app.svantic.com and navigate to Settings → API Keys → Create Key. You’ll receive a Client ID and Client Secret. Store these securely — the secret is shown only once.
VariablePurposeRequired
SVANTIC_CLIENT_IDAPI client IDYes
SVANTIC_CLIENT_SECRETAPI client secretYes
See the Getting Started guide for full setup instructions.