The token is personal to one user and governed by .agency.
The token is portable. Authorization is conditional.
CREATE SOMETHING .agency issues one managed bearer token per authenticated user for approved hosts, local tools, and background agents. A valid token does not guarantee access unless current policy and entitlement checks pass.
The managed bearer token is not a replacement for portal identity or organization checks.
Membership, policy acceptance, contract status, billing status, and service entitlement are checked before access is granted.
Issuance, regeneration, revocation, and request-time authorization are recorded.
User responsibilities are part of the control model.
Bearer tokens are useful because they are managed, revocable, and auditable. They become risky when treated as shared credentials or bypass paths.
Do not share a personal token with another person, team, repository, or uncontrolled environment.
Store tokens in a secure secret manager or equivalent controlled runtime environment.
Regeneration invalidates the prior token immediately unless a managed transition is explicitly provided.
Access may stop when a user, organization, contract, billing state, or policy state is no longer in good standing.
Revocation terminates token usability at once.
CREATE SOMETHING may revoke or suspend bearer-token access immediately where compromise, misuse, billing delinquency, contract failure, policy violation, or other legal, operational, or security risk is detected.