🚀Tenuo Cloud is in beta.Get started →
FAQ

Frequently Asked Questions

General

What is Tenuo Cloud?

Tenuo Cloud is the managed control plane for the Tenuo authorization framework. It provides key management, revocation control, and API access for managing warrant-based authorization for AI agents.

How is Tenuo different from traditional auth (RBAC, ABAC)?

Tenuo uses capability-based authorization with cryptographic warrants. Unlike role-based access control (RBAC), permissions travel with the agent as bearer tokens that can be delegated, constrained, and revoked. This is especially suited for AI agent workflows where authority needs to flow through multi-step processes.

Do I need Tenuo Cloud to use Tenuo?

No. The core Tenuo protocol is open source and can be self-hosted. Tenuo Cloud provides a managed service with additional features like the admin dashboard, managed key storage, and enterprise support.

Keys and Warrants

How many root keys should I have?

Most organizations need only 1-2 root keys. Root keys are the anchor of trust and should be created sparingly. Use issuer keys for different environments or purposes.

What happens if I lose my root key?

Root keys are stored securely in Tenuo Cloud's KMS. You cannot "lose" them in the traditional sense. However, if you revoke your only root key, you'll need to create a new one and re-establish your key hierarchy.

How long should warrants live?

As short as practical for your use case. For interactive agent sessions, 1-4 hours is common. For batch jobs, the duration of the job. Short-lived warrants reduce the need for revocation.

Can I extend a warrant's expiration?

No. Warrants are immutable once signed. To extend access, issue a new warrant with a later expiration.

Revocation

How quickly do revocations take effect?

Revocations are effective after you regenerate the SRL and authorizers fetch the new version. This typically takes 30-60 seconds depending on your authorizer's cache settings.

Can I un-revoke a warrant?

Yes. Delete the revocation from the dashboard and regenerate the SRL. The warrant will be valid again (assuming it hasn't expired).

What happens if authorizers can't reach the SRL?

This depends on your authorizer configuration. Options include:

  • Fail closed (deny all requests)
  • Fail open (allow requests, log warnings)
  • Use cached SRL with staleness limit

We recommend fail-closed for security-critical applications.

How large can the SRL get?

The SRL grows with the number of active revocations. For performance, consider:

  • Using short-lived warrants (they expire naturally)
  • Cleaning up revocations for expired warrants periodically

API Keys and Access

What's the difference between API keys and service accounts?

API keys are standalone credentials. Service accounts are identities that can have multiple API keys. Use service accounts for better organization, easier rotation, and clearer audit trails.

Can I see my API key after creation?

No. API keys are shown only once when created. If you lose an API key, create a new one and revoke the old one.

What scopes do authorizers need?

Authorizers only need the authorizer scope, which grants:

  • Fetch SRL
  • Check individual warrant revocation
  • Batch check revocations

They don't need admin access.

Security

How are keys stored?

Keys are stored in a hardware security module (HSM) backed key management system. Private keys never leave the secure enclave.

Is data encrypted?

Yes. All data is encrypted at rest and in transit. API communications use TLS 1.3.

What compliance certifications does Tenuo Cloud have?

Contact sales for current compliance certifications and security documentation.

Integration

Which languages are supported?

The official SDKs support:

  • Python (recommended for AI/ML)
  • Rust (for high-performance authorizers)
  • JavaScript/TypeScript

The REST API can be used from any language.

Can I use Tenuo with LangChain/OpenAI/etc?

Yes! See our integration guides at tenuo.dev/docs (opens in a new tab).

How do I deploy authorizers?

Authorizers can be deployed as:

  • Sidecar containers in Kubernetes
  • Standalone services
  • Embedded in your application

See the deployment guide (opens in a new tab).

Billing and Limits

What are the rate limits?

Default rate limits:

  • 1000 requests/second per tenant
  • 100 requests/second per IP

Contact sales for higher limits.

Is there a free tier?

Yes. Contact sales for current pricing and free tier details.

Still Have Questions?

Contact Support
Troubleshooting