Tokens & delegation
Every request carries a bearer token. A token has a principal (who it's for), a set of capabilities, and an optional project scope.
Capabilities
| Capability | Grants |
|---|---|
| deploy | create projects, deploy, restart, env, view status |
| scale | change replica counts |
| provision_datastore | add/query/back up/restore datastores |
| manage_domains | custom domains (M3) |
| manage_dns | DNS records (M3) |
| expose_tcp | raw TCP / dedicated IPs (M3) |
| smtp_egress | outbound port 25 (M3) |
| delete | delete projects |
| admin | everything, plus token management |
The default automaton token holds everything except delete, smtp_egress, and admin.
Issuing & delegating
```sh
conway tokens issue \
  --principal child-agent \
  --caps deploy,scale \
  --projects my-app \
  --expires-in-hours 24
```

The delegation rule: a non-admin token can only grant capabilities it already holds, scoped to projects it can already access. So an agent can safely mint a narrower token for a child agent — it can never escalate. The secret is returned exactly once.
```sh
conway tokens list          # admin: see all tokens
conway tokens revoke <id>   # admin: revoke immediately
```

This is the mechanism for multi-agent setups: a coordinator holds a broad token and hands each worker a deploy-only token scoped to one project.
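The delegation rule above, written out as the check an issuing service could apply to a coordinator's requests. This is an added example, not Conway's own code: the `Token` class, `check_delegation`, the sample tokens, and the reading of a missing project scope as "all projects" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ALL_CAPS = frozenset("deploy scale provision_datastore manage_domains manage_dns "
                     "expose_tcp smtp_egress delete admin".split())

@dataclass(frozen=True)
class Token:  # hypothetical model of a token, not the service's schema
    principal: str
    caps: FrozenSet[str]
    projects: Optional[FrozenSet[str]] = None  # assumption: None = unscoped (all projects)

def check_delegation(parent: Token, child: Token) -> List[str]:
    """Return the reasons a request must be refused; an empty list means allowed."""
    errors = []
    unknown = child.caps - ALL_CAPS
    if unknown:
        errors.append(f"unknown capabilities: {sorted(unknown)}")
    if "admin" in parent.caps:
        return errors  # admin holds everything, including token management
    extra = child.caps - parent.caps
    if extra:
        errors.append(f"capabilities not held by issuer: {sorted(extra)}")
    if parent.projects is not None:
        if child.projects is None:
            # An unscoped child would reach projects the issuer cannot.
            errors.append("issuer is project-scoped; child must be scoped too")
        else:
            outside = child.projects - parent.projects
            if outside:
                errors.append(f"projects outside issuer scope: {sorted(outside)}")
    return errors

# Constructed sample tokens (the default token is assumed to be unscoped).
DEFAULT_AUTOMATON = Token("automaton", ALL_CAPS - {"delete", "smtp_egress", "admin"})
COORDINATOR = Token("coordinator", frozenset({"deploy", "scale"}), frozenset({"my-app"}))

def demo():
    my_app = frozenset({"my-app"})
    requests = {
        "worker": Token("child-agent", frozenset({"deploy"}), my_app),
        "escalated": Token("child-agent", frozenset({"deploy", "delete"}), my_app | {"other-app"}),
        "unscoped": Token("child-agent", frozenset({"deploy"})),
    }
    return {name: check_delegation(COORDINATOR, t) for name, t in requests.items()}

if __name__ == "__main__":
    for name, errs in demo().items():
        print(name, "->", errs or "allowed")
```

Both checks are subset tests, so a chain of delegations can only narrow: each child's capabilities and projects are bounded by its issuer's, whatever the depth.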