The gateway now ships in the
praisonai-bot package. praisonai serve gateway still works exactly as documented here; for a standalone install see praisonai-bot Migration.Quick Start
1
Single-operator (no scopes — unchanged)
Today’s setup keeps working. Authenticated clients receive all scopes when no policy is configured.
2
Multi-operator (scoped tokens)
Map each operator token to the scopes they need in
gateway.yaml, then run your agent as usual.When no
auth_scopes policy is configured, every successfully authenticated client is granted all scopes — identical to today’s binary auth behaviour. Single-operator setups need no changes.How It Works
- Client connects with a bearer token.
- Gateway resolves scopes via
GatewayConfig.resolve_scopes(token). - Each HTTP route and WebSocket action checks the required scope.
- Outbound events are filtered — approval events only reach clients with the
approvalsscope.
Scope Reference
Which scope should this operator have?
Configuration
YAML — structured (recommended)
YAML — flat mapping
Python
Scope-Gated Routes
Common Patterns
Read-only dashboard viewer —[read] for status and transcripts without send or approve rights.
Send but not approve — [read, write] for operators who reply to users but cannot resolve tool approvals.
Approvals-only on-call — [read, approvals] for security-sensitive approval resolution without channel admin rights.
Full admin — [admin] for SREs who need pause/resume/reconnect plus all other capabilities.
Error Handling
HTTP 403 when scope check fails:message without write scope:
Best Practices
Default to read and add scopes as needed
Default to read and add scopes as needed
Start every operator with
[read] and expand only when their role requires it.Rotate per-token secrets independently
Rotate per-token secrets independently
Issue separate tokens per operator so you can revoke one role without rotating everyone.
Pair approvals with the allowlist
Pair approvals with the allowlist
Combine
approvals scope with /api/approval/allowlist for defence-in-depth on tool execution.Use admin sparingly
Use admin sparingly
Prefer explicit scope lists over
[admin] unless the operator truly needs channel control.Related
Bind-Aware Auth
Token requirements when binding to external interfaces
Gateway Overview
Multi-channel gateway architecture and setup

