Create an identity
Set the name
Enter a descriptive name for this agent — e.g.,
support-agent, ci-deploy-bot, data-analyst.Add labels (after creation)
Once the identity is created, go to its settings page to add labels. Labels are key-value pairs used in policy evaluation.Common labels:
team: supportenv: productionrole: agentvendor: anthropic
Set allowed tools (optional)
Optionally restrict which tools this identity can see and call. Leave empty to allow all project tools.
| Setting | Behavior |
|---|---|
| Not set | Can see all tools |
| Specific tools | Can only see listed tools |
Using the credential
The agent uses the credential as a bearer token to authenticate with the gateway. MCP clients include it in theAuthorization header:
Manage credentials
From the identity detail page, you can:- Revoke a credential — immediately invalidates it, blocking all requests
- Generate a new credential — creates a fresh token (the old one stays active until revoked)
- Set expiration — credentials can auto-expire after a set date
Edit labels
Update labels at any time from the identity detail page. Changes take effect within 5 minutes (the identity cache TTL in the gateway).Next steps
Define tasks
Create task definitions for scoped, time-limited access.
Write policies
Author policies that use identity labels for access control.