example.com with your deployment domain. Only enable it when you have a process for storing admin tokens and auditing
their use. Only the API host routes /admin. The management console host must
not proxy admin endpoints, and browser sessions are not valid admin credentials.
Enablement
For Kubernetes, enable the chart value and load token descriptors from the platform Secret:CONTROL_PLANE_ADMIN_TOKENS_JSON contains hash descriptors, not raw tokens.
Generate raw tokens out of band, store only the SHA-256 hash in the descriptor,
and deliver the raw token through your operator secret channel. Production
startup rejects enabled admin API configuration with no enabled token
descriptors, invalid hashes, duplicate ids, unsupported scopes, or placeholder
hash values.
Auth and scopes
Every request uses:Mutations and audit
Mutating admin requests require areason:
actor.type=admin_token and the admin token id.
Audit metadata is sanitized and must not contain raw tokens, prompts, message
bodies, authorization headers, full tool arguments, or agent keys.
Agent-key rotation is the only admin response that returns a secret:
Cache-Control: no-store.
Workspace plans and quotas
Configure deployment-wide workspace plans in Kubernetes:WORKSPACE_PLANS_CONFIG_JSON.
Admins can change a workspace plan or set nullable quota overrides through
PATCH /admin/v1/workspaces/{workspaceId}/plan and
PATCH /admin/v1/workspaces/{workspaceId}/quotas. The control plane rejects
changes that would place current workspace usage over the resulting effective
limit.