Every participant in a MeshAgent room operates with a secure token that defines their identity and permissions. These JWT-based tokens ensure that users, containers, and services can only access the resources they’re authorized to use.Documentation Index
Fetch the complete documentation index at: https://docs.meshagent.com/llms.txt
Use this file to discover all available pages before exploring further.
Token Anatomy
MeshAgent exposes tokens throughmeshagent.api.participant_token.ParticipantToken which consists of:
name: the participant identifier embedded in the JWT payloadproject_id(optional): the project id, populated when the participant belongs to a projectapi_key_id(optional): the API key id used to mint the tokenversion(optional): the participant-token schema version (defaulted when omitted)grants(optional): a list of individualParticipantGrantentries that describe permissions
Permission Types
Participant tokens use grants and scopes to define permissions. Each grant has a grant name which indicates the type of permission (room, role, api), and each grant has a scope which provides the specific details of what is allowed.
| Grant | Scope format | What it controls |
|---|---|---|
room | room name string | Which room the participant may join (add_room_grant) |
role | "agent" | "tool" | "user" | Participant role advertised to other services (add_role_grant) |
api | ApiScope object | Fine-grained access to each Room API surface (add_api_grant). A single ApiScope can enable multiple sections (storage, containers, secrets, etc.) |
api.tunnels grant (see API Scopes). If tunnels is omitted, tunnel access is denied. If tunnels.ports is omitted or empty, all ports are allowed; otherwise only the listed ports are allowed. Some older tokens include a top-level tunnel_ports grant, but current tunnel enforcement uses api.tunnels.
How tokens are issued
MeshAgent signs participant tokens automatically for anything it launches on your behalf. You describe the identity and permissions through a Service or ServiceTemplate manifest and MeshAgent creates that token whenever it needs to connect the service to the room. When building a custom application on MeshAgent you will need to generate ParticipantTokens so participants can connect to your rooms with the appropriate permissions.- Project services and room containers: MeshAgent reads the manifest for each endpoint (identity, role,
apiscope) and injects the signed token into the container asMESHAGENT_TOKENduring startup. - Local development and MeshAgent Studio: Running
meshagent service runor answering a call from MeshAgent Studio creates a token on demand. This allows yourServiceHostto join the room automatically without creating the token manually. - End-user connections: When a participant connects to the room, MeshAgent looks up the participant’s permissions and returns the JWT to the browser or client that is joining the room.
- Custom apps built on MeshAgent: When building a custom app on MeshAgent, you will need to manually create a
ParticipantTokenand define permissions for your users.
Generate a token from the CLI
Usemeshagent token when you need to sign a participant token yourself.
This is useful for custom clients, coding agents, or temporary room identities that need to access room APIs directly.
Create a token spec file such as token-spec.yaml:
api.llm field. Include api.llm: {} when the token should make LLM proxy requests; tokens without api.llm are rejected by the proxy.
The main fields are:
identity: the participant name in the roomroom: the room this token should joinrole:user,agent, ortoolapi: the API scope for that participant. In the current CLI token spec, this must includellm.
--project-id or --key when you want to override those defaults.