Agent IO
LightNews LightNews
banner
agent.io
Agent IO
@agent.io
11 followers 11 following 69 posts
Fetching and serving by @timburks.me
Posts Replies Media Videos
agent.io
Another thing that auth scopes don't provide is visibility into how auth tokens are used. So IO allows traffic histories to be exported as HAR files that show us all the approved and blocked requests.
$ ssh localhost -p 2200 -- get traffic -m calling -a digitaloceandns -l 1 { "log": { "version": "1.2", "creator": { "name": "IO", "version": "v0.1.75-f45f06b2*" }, "entries": [ { "startedDateTime": "2026-01-09T14:53:54-08:00", "time": 0, "request": { "method": "DELETE", "url": "/v2/domains/agent.io/records/1781875673", "headers": [ { "name": ":authority", "value": "localhost:5000" }, { "name": ":path", "value": "/v2/domains/agent.io/records/1781875673" }, { "name": ":method", "value": "DELETE" }, { "name": ":scheme", "value": "http" }, { "name": "user-agent", "value": "curl/8.12.1" }, { "name": "accept", "value": "*/*" }, { "name": "x-forwarded-for", "value": "192.168.4.172" }, { "name": "x-forwarded-proto", "value": "http" }, Here we see that the disallowed request was blocked by IO, which returned a 403 (Forbidden) error
January 9, 2026 at 11:40 PM
agent.io
Auth scopes are great but they don't always restrict access as much as we want. Here's an IO configuration that *only* allows a couple of authorized API key users to call a few named methods of the Digital Ocean DNS API using a token that it gets from Hashicorp Vault.
calling "digitaloceandns" { name = "Digital Ocean DNS" target = "api.digitalocean.com" port = 5000 require_apikey { users = <<END fury:{SHA}czqgP91Ev45QGKCokt/+mBIHgn8= hulk:{SHA}Mf6CeupM9fas594sId4LX2t4OFg= END } apply_header "authorization" { secret = "vault:default/io/digitalocean-dns" } operation "retrieve-domain" { method = "GET" path = "/v2/domains/{domain}" } operation "retrieve-domain-records" { method = "GET" path = "/v2/domains/{domain}/records" } operation "retrieve-domain-record" { method = "GET" path = "/v2/domains/{domain}/records/{recordid}" } }
January 9, 2026 at 11:24 PM
agent.io
Here's IO running on MacOS agent.io/decisions/ma...
January 6, 2026 at 5:30 PM
agent.io
Here's a practical benefit of our exploration of @hashicorp.com's Nomad and Vault: all of the configuration for this Nomad-hosted ATProto PDS is now read from secrets in Vault.
Here we are in the Nomad console looking at the configuration for our PDS. The job description contains a template that puts secrets from Vault into our job's environment. The Vault console shows the secret that contains our PDS configuration. Here is the index page for our running PDS!
August 1, 2025 at 4:32 AM
agent.io
Here's IO using an API key that it read from Vault using its Nomad workload identity.
The IO console showing the configuration of the Wordnik API above a curl call to the API. The Vault entry for the Wordnik secret. The Nomad configuration for IO showing its workload identity configuration.
July 29, 2025 at 12:57 AM
agent.io
Experimenting with Open Telemetry: here's a Grafana dashboard showing requests per host in a small fleet of IOs
July 6, 2025 at 5:05 PM