Understanding agents in Veto — what they are, how they’re managed, and their lifecycle.
An agent is an AI actor — a bot, workflow, LLM-based tool, or any automated system — that you register with Veto so its tool calls can be authorized at runtime.Before Veto can make an authorization decision for an actor, that actor must be registered as an agent. Requests from unknown agent IDs are rejected with a 404.
Every agent has a status that controls whether it can make authorized tool calls.
active
The agent can make tool calls. Each call is evaluated against the agent’s attached policies to determine whether it is allowed or denied.
suspended
All authorization requests from this agent are immediately denied, regardless of policies. Use suspension for temporary holds — you can reactivate a suspended agent.
revoked
All authorization requests are denied, same as suspended. Revocation is intended to be permanent. A revoked agent cannot be reactivated through normal flows.
When an agent is suspended or revoked, Veto short-circuits policy evaluation entirely and returns denied without inspecting any rules. No policy can override a non-active status.
Agents are scoped to your workspace. An agent ID from one workspace cannot be used to authorize calls in another. This isolation is enforced on every authorization request.
You can create agents from the Veto dashboard or programmatically via the API or Node.js SDK.
import { VetoClient } from "@useveto/node";const veto = new VetoClient({ apiKey: process.env.VETO_API_KEY! });const agent = await veto.createAgent({ name: "support-bot", description: "Customer support agent",});console.log(agent.id); // Use this ID when calling veto.authorize(...)
An agent on its own has no permissions — Veto defaults to denying all tool calls for agents with no matching policies. To allow an agent to do anything, attach at least one policy with an explicit allowlist rule.A single agent can have multiple policies attached to it. See Policies for how evaluation order and priority work.
