Duvo Auth And Access
Duvo access is workspace-scoped. Agents, API clients, MCP servers, and webhooks inherit the policies, approvals, and permissions configured for the customer workspace.
Discover
- Protected resource metadata: https://api.duvo.ai/.well-known/oauth-protected-resource.
- OAuth authorization server metadata: https://login.duvo.ai/.well-known/oauth-authorization-server.
- Agent-readable auth guide: https://www.duvo.ai/auth.md.
- OpenAPI security schemes: https://www.duvo.ai/openapi.json under components.securitySchemes.
Pick A Method
- Use workspace-issued bearer API tokens for approved workspace API access.
- Use scoped OAuth client credentials for enterprise workspaces where Duvo has enabled OAuth for the customer tenant.
- Use SSO and RBAC for human users in the Duvo application.
- Use managed OAuth/API connections for third-party business systems such as ERP, CRM, email, spreadsheets, supplier portals, and collaboration tools.
- Do not attempt public dynamic agent registration unless Duvo has explicitly provisioned that capability for the workspace.
Register
Public self-serve dynamic agent registration is not currently available on duvo.ai. Agent clients, API clients, OAuth client credentials, MCP access, and sandbox workspaces are registered by Duvo during an approved customer or pilot onboarding process.
To request registration, contact Duvo at /contact with the workspace name, workflow category, redirect URI if applicable, requested scopes, expected systems, data residency needs, and the agent operator or vendor identity.
Claim
After Duvo provisions access, the workspace admin or agent operator receives the allowed auth method, client identifier or token handling instructions, allowed scopes, and the API/MCP surfaces approved for that workspace. Credentials should be stored in a secret manager and never embedded in prompts, logs, client-side code, or public repositories.
Use Credential
- Send workspace bearer credentials as Authorization: Bearer <token>.
- For enabled OAuth client-credential tenants, request a token from the configured authorization server and use the issued access token as Authorization: Bearer <access_token>.
- Include Idempotency-Key on mutating API requests when retry safety matters.
- Treat 401 as missing, expired, malformed, or revoked credentials.
- Treat 403 as insufficient scope, workspace policy denial, RBAC denial, or human approval requirement.
Errors
- invalid_token: refresh, rotate, or request a newly issued credential.
- insufficient_scope: request the narrow missing scope through a workspace admin or Duvo contact.
- workspace_policy_denied: the workspace policy or approval gate blocks the action.
- approval_required: pause the agent run and wait for an authorized human response.
- rate_limited: honor Retry-After and retry with the same Idempotency-Key when the request is safe to retry.
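As an added example (not part of the Duvo guide), a Python client helper that applies the Use Credential and Errors rules above: one Idempotency-Key is generated per mutating request and reused on rate_limited retries, Retry-After is honored, approval_required pauses instead of retrying, and 401 / invalid_token triggers re-credentialing rather than a retry loop. The Response shape, the 429 status and the scripted transport are constructed stand-ins, not the real API.

```python
import uuid
from dataclasses import dataclass, field
# Constructed response shape. Only the error-code names come from the guide;
# the "error" field and a 429 status for rate_limited are assumptions.
@dataclass
class Response:
    status: int
    error: str = ""
    headers: dict = field(default_factory=dict)

def classify(resp: Response) -> tuple:
    if resp.status < 400:
        return ("ok", 0.0)
    if resp.status == 401 or resp.error == "invalid_token":
        return ("reauthenticate", 0.0)   # missing, expired, malformed or revoked
    if resp.error == "approval_required":
        return ("await_human", 0.0)      # pause the run; never retry past the gate
    if resp.error == "rate_limited":
        return ("retry", float(resp.headers.get("Retry-After", "1")))
    if resp.status == 403:
        return ("escalate", 0.0)         # scope, policy or RBAC denial: ask an admin
    return ("fail", 0.0)

def call_mutating(transport, method, path, token, payload, max_attempts=3):
    """Send a mutating request, reusing one Idempotency-Key across retries."""
    key = str(uuid.uuid4())
    headers = {"Authorization": f"Bearer {token}", "Idempotency-Key": key}
    waited = 0.0
    for _ in range(max_attempts):
        resp = transport(method, path, headers, payload)
        action, delay = classify(resp)
        if action != "retry":
            return {"action": action, "key": key, "waited": waited}
        waited += delay   # a real client sleeps here; recorded so the result is checkable
    return {"action": "gave_up", "key": key, "waited": waited}

def make_scripted_transport(script):
    # Offline stand-in for HTTP: returns scripted responses, records keys sent.
    seen_keys = []
    def transport(method, path, headers, payload):
        seen_keys.append(headers["Idempotency-Key"])
        return script.pop(0)
    transport.seen_keys = seen_keys
    return transport

def demo():
    # Constructed scenario: one rate limit with Retry-After, then acceptance.
    transport = make_scripted_transport([Response(429, "rate_limited", {"Retry-After": "2"}), Response(202)])
    result = call_mutating(transport, "POST", "/runs", "example-token", {"workflow": "x"})
    return result, transport.seen_keys
```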
Revocation
Workspace admins can revoke or rotate issued API tokens, OAuth clients, managed connections, webhook secrets, and MCP access through the approved Duvo workspace process. Agents must stop using revoked credentials immediately, clear cached tokens, and require a newly provisioned credential before resuming privileged work.
Supported Auth Models
- Bearer API tokens for approved workspace API access.
- Scoped OAuth client credentials for enterprise workspaces where enabled.
- SSO and RBAC for human users in the Duvo application.
- Managed OAuth/API connections for third-party business systems such as ERP, CRM, email, spreadsheets, supplier portals, and collaboration tools.
Agent Constraints
- Agents cannot see raw third-party passwords when credentials are stored in managed connections.
- Agents cannot bypass human approval gates, workspace RBAC, SSO, audit logging, or customer policy.
- Sensitive write actions should be scoped and routed through human-in-the-loop approval where required.
- API and MCP access should use the least scopes needed for the workflow.
Common Scopes
- runs:read - inspect run status, messages, tool calls, and audit events.
- runs:write - start, pause, resume, or replay runs.
- queues:write - create and update queue cases.
- approvals:write - respond to human approval requests.
- files:read - read files attached to authorized runs or cases.
- sandboxes:write - request governed browser, file, or desktop execution.
- webhooks:manage - manage webhook subscriptions for a workspace.
Machine-readable source: https://www.duvo.ai/auth.md