get_intent_token()
Requests a cryptographically signed token from ArmorIQ for executing your plan.
client.get_intent_token(
plan_capture: PlanCapture,
policy: dict = None,
validity_seconds: float = 60.0
) -> IntentTokenawait client.getIntentToken(
planCapture: PlanCapture,
policy?: Record<string, any>,
validitySeconds?: number // default: 60
): Promise<IntentToken>Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| plan_capture | PlanCapture | Yes | - | Captured plan from capture_plan() |
| policy | dict | No | {"allow": ["*"], "deny": []} | Authorization policy (see Policy Specification) |
| validity_seconds | float | No | None | Token validity in seconds |
Policy Specification
See the dedicated Policy Specification page for the full policy structure and ways to define policies.
Flow
- SDK → ArmorIQ Proxy POST /token/issue with X-API-Key
- Proxy validates API key (bcrypt) and builds identity bundle
- CSRG-IAP converts plan to Merkle tree structure
- CSRG-IAP calculates SHA-256 hash from canonical representation
- CSRG-IAP signs token with Ed25519
- Token with hash and merkle_root returned to SDK via proxy
Returns
{
"success": bool, # Always True if no exception
"token": str, # JWT token string
"plan_hash": str, # SHA-256 of plan
"merkle_root": str, # Merkle tree root
"expires_at": int, # Unix timestamp
"issued_at": int # Unix timestamp
}interface IntentToken {
tokenId: string; // Unique identifier
planHash: string; // SHA-256 of plan
signature: string; // Ed25519 signature
issuedAt: number; // Unix timestamp
expiresAt: number; // Unix timestamp
policy: Record<string, any>; // Applied policy
stepProofs: Array<any>; // Merkle proofs for each step
rawToken: Record<string, any>; // Full token payload
}Raises
- AuthenticationError: If API key is invalid
- TokenIssuanceError: If token creation fails
- NetworkError: If proxy is unreachable
Example
# Basic usage - LLM generates plan
captured_plan = client.capture_plan(
llm="gpt-4",
prompt="Analyze the dataset"
)
token_response = client.get_intent_token(captured_plan)
token = token_response["token"]
# Custom expiration
token_response = client.get_intent_token(
plan_capture=captured_plan,
validity_seconds=7200 # 2 hours
)
# With policy
token_response = client.get_intent_token(
plan_capture=captured_plan,
policy={
"allow": ["analytics-mcp/*", "data-mcp/fetch_*"],
"deny": ["data-mcp/delete_*"]
},
validity_seconds=1800 # 30 minutes
)
# Check expiration
import time
if time.time() < token_response["expires_at"]:
print("Token is valid")
else:
print("Token expired, get new one")import { ArmorIQClient, IntentToken } from '@armoriq/sdk';
// Basic usage - LLM generates plan
const capturedPlan = client.capturePlan(
'gpt-4',
'Analyze the dataset'
);
const token = await client.getIntentToken(capturedPlan);
// Custom expiration (5 minutes)
const token = await client.getIntentToken(capturedPlan, undefined, 300);
// With policy
const token = await client.getIntentToken(
capturedPlan,
{
allow: ['analytics-mcp/*', 'data-mcp/fetch_*'],
deny: ['data-mcp/delete_*']
},
1800 // 30 minutes
);
// Check expiration using helper
if (!IntentToken.isExpired(token)) {
console.log(`Token is valid for ${IntentToken.timeUntilExpiry(token).toFixed(0)}s`);
} else {
console.log('Token expired, get new one');
}