// product

Ten pieces.

One runtime control plane.

Five load-bearing layers between every agent and everything they touch, plus five complementary enrichment features.

scroll

// the substrate

The five layers compose because they share state.

The proxy knows what the passport said. The passport knows what the checkpoints recorded. The audit chain anchors every decision from every layer. The detector grid sees the whole stream. Revocation propagates through all of them.

You cannot assemble this by stitching separate products together. A vault that does not know about your audit log cannot enforce scope drift. A kill switch that does not cascade through delegation cannot stop a sub-agent. A detector that runs after the fact is a postmortem, not oversight.

STACK collapses that into one substrate where the layers share a passport identity, a single audit chain, and a single revocation channel. Drop in the MCP server or the REST API once, and every layer arrives pre-wired to every other.

The five enrichment features (Identity, Drop-offs, Checkpoints, Skills, Team) plug into the same primitives. Identity is a passport claim. Drop-offs ride the proxy. Checkpoints feed the detector grid. Nothing is bolted on.

scroll

L1 · Passport

Short-lived, signed credentials.

STACK passports are EdDSA-signed JWTs issued per agent and per mission. They carry the agent identity, the declared scope, and the full delegation chain. Any service can verify a passport offline using STACK's public JWKS.

  • 15-minute default TTL (1-hour maximum) - short windows shrink the blast radius if a passport leaks
  • Delegation up to 4 hops with scope only narrowing - children can never see more than their parent
  • Named-intent declarations across 12 providers (Slack, GitHub, Notion, Gmail, Google Drive, Linear, Jira, HubSpot, Stripe, OpenAI, Supabase, custom)
  • Offline verification via JWKS - verifying services do not depend on STACK being up
  • Three accountability modes - enforced (auto-revoke on violation), logged (recorded only), standard (minimal)
  • Revocable in under 60 seconds via Redis

Available on every plan. Free includes 50,000 passport issuances per month; Studio includes 5 million.

Read the docs

L2 · Proxy

Credentials injected at the boundary.

Outbound HTTP calls are routed through STACK's proxy. Credentials live in a KMS-encrypted vault server-side and are injected at the network boundary, so the agent never holds the raw secret. Scope is enforced cryptographically against the passport on every call.

  • Every outbound call routed through /v1/proxy
  • KMS envelope encryption at rest - AES-256-GCM data keys wrapped by AWS KMS
  • Auth header injected server-side at the boundary - prompt injection has nothing to leak
  • Parameter-level scope constraints (eq, in, matches, starts_with) enforced per call
  • Calls outside scope return 403 and emit a security event into the audit log

Available on every plan. Free includes 5,000 proxy calls per month; Studio includes 500,000.

Read the docs

L3 · Detectors

Twenty-three behavioral signals across two pipelines.

STACK scores every agent action against the passport that authorized it. Thirteen real-time detectors fire during the mission and can auto-revoke in enforced mode. Ten post-hoc review flags fire at checkout and gate operator review. Both write to the audit log.

  • Real-time (13) - prompt injection (three-layer chain: regex catalog + encoding-aware normalization + Haiku 4.5 LLM funnel — F1 0.86 / R 0.77 on a 1,087-sample benchmark), output injection (scans proxied responses for credential-shape leaks + assistant-compliance language; enforced-mode redacts the body), behavior drift (per-passport cross-call z-score), scope drift, scope violation, credential burst, post-checkout access, checkpoint silence, undeclared/downgraded delegation, unchecked-out passport, upstream 404, unauthorized skill access
  • Post-hoc review (10) - intent deviation (LLM-graded), behavioral anomaly (3σ vs rolling baseline), duration overrun, missing checkpoints, checkpoint gap, action volume, scope escalation pattern, undeclared service, undeclared delegation, undeclared access
  • Three severity levels - info, warning, critical - with notification rules subscribing per minimum severity
  • Enforced-mode auto-revocation cascades to delegated children
  • Studio+ operators can customize the prompt-injection detector per-traffic - custom regex, whitelist suppression, severity overrides, master switch
  • Routes to email, SMS, or webhook

Available on every plan. The L3 LLM funnel for prompt injection runs on every tier with no per-call charge (cost currently absorbed by STACK). Operator-side customization is studio+.

Read the docs

L4 · Audit

Hash-chained, tamper-evident log.

Every decision from every layer lands in an append-only log. Each entry references the previous entry's hash, so any tampering breaks the chain. The log is exportable and the chain is externally verifiable - a complete forensic record after an incident.

  • Append-only - no entries can be deleted or modified
  • Each entry hashes the previous entry; tampering breaks the chain
  • Captures decisions from every layer - passport, proxy, detector, revocation
  • Exportable as JSON, NDJSON, or CSV for SIEM, compliance review, and incident response
  • Maps onto EU AI Act Article 14 oversight requirements

Always on. Retention by tier - Free 7 days, Developer 30 days, Studio 90 days, Enterprise 1 year.

Read the docs

L5 · Revocation

Sub-60-second global kill switch.

One API call revokes a passport across every connected service. Propagation runs through Redis and reaches every verifying surface in under a minute. When something goes wrong at 2 AM, you do not have to chase down config files or rotate keys.

  • Single API call to revoke a passport
  • Propagates globally in under 60 seconds via Redis
  • Parent passports cascade revocation to delegated children
  • Batch revoke endpoint kills every active passport for an agent in one call
  • Proxy-mode revocation is effectively instant - the agent never held the credential

Always on. No tier gating.

Read the docs

FEATURE · Identity

Verified humanity and identity claims.

STACK's three-layer trust model proves who is behind an agent - useful when an agent touches money, regulated data, or anything else where "real human signed off" matters. Verifying services receive an opaque claim_ref; PII never enters the JWT.

  • L0 - any valid passport, no identity verification
  • L1 - verified human via Cloudflare Turnstile
  • L2 - verified identity via Stripe Identity (document + selfie)
  • PII KMS-encrypted at rest, never in the JWT - services see only the opaque claim_ref
  • Skills and missions can require a minimum trust level before they accept the passport

L1 is free. L2 verifications bill at Stripe Identity's rate plus 15%, paid from the wallet.

Read the docs

FEATURE · Drop-offs

Schema-validated agent-to-agent data transfer.

A producer agent declares a JSON Schema and deposits a payload. A consumer agent collects it once. Payloads are validated on the way in, KMS-encrypted at rest, and destroyed after collection or on TTL expiry. Full custody chain recorded in the audit log.

  • Schema-validated on deposit (Ajv) - malformed payloads are rejected at the boundary
  • KMS-encrypted at rest
  • TTL-enforced - payload destroyed on expiry, no manual cleanup
  • One-read collection - payload destroyed after the consumer reads it
  • Custody chain recorded in the audit log

Available on every plan. Free includes 500 drop-offs per month; Studio includes 250,000.

Read the docs

FEATURE · Checkpoints

Approval gates for long-running missions.

Long-running missions can require checkpoints at configurable intervals. Each checkpoint surfaces what the agent has done since the last one - credentials accessed, services touched, deviation from the declared intent. Operators approve, reject, or take no action.

  • Configurable checkpoint intervals per passport
  • Each checkpoint surfaces what changed since the last one
  • Deviation flags from the scope-drift and intent-deviation detectors
  • Operator can approve, reject, or take no action
  • A missed checkpoint fires the Checkpoint Silence detector

Available on every plan.

Read the docs

FEATURE · Skills

Sealed-execution capability marketplace.

Publish or consume agent capabilities. Three execution modes determine where the work runs and what gets shared. Paid skills bill per invocation from a Stripe-backed USD wallet; publishers are paid out monthly via Stripe Connect.

  • Sealed mode - buyer's input and seller's logic both encrypted, meet in an isolated sandbox, only the result escapes
  • Open mode - provider processes externally
  • Source mode - code shared
  • Sealed-execution sandboxes for JS and Python; LLM steps via OpenRouter
  • Per-invocation USD billing from a Stripe-backed wallet

Publish on every plan (Free 3, Developer 25, Studio 100). Free includes 1,000 free-skill invocations per month. Paid skills always wallet-paid.

Read the docs

FEATURE · Team

Scoped API keys per team member.

Invite team members and give each one a scoped API key. Member keys resolve to the parent organisation, so the team shares one vault without seeing each other's secrets. One command to invite, one to revoke.

  • Per-member API keys with role-based permissions
  • Three roles - readonly, standard, admin
  • Per-service connection restrictions limit what each member can touch
  • Member keys resolve to the parent org - one shared vault, no per-member duplication
  • One command to invite, one to revoke

Free 1 member, Developer 5, Studio 25, Enterprise unlimited.

Read the docs