
Evaluation harness · v1

Evaluate PolicyArc against your own AS.

Point this harness at any PolicyArc Authorization Server you control. It runs three guided stories end-to-end — workforce SSO + asset access, autonomous agents, and SPIFFE-grade controls — so you can verify policy behavior in your environment before connecting a single production system.

Stays in your browser — credentials never leave this session. Every call lands a real audit row in your AS. Re-run any step. Stop and resume at will.

Step 01 · Connect

Point the harness at your AS.

Paste the URL of any PolicyArc Authorization Server you control and an admin API key. Credentials are held in a signed, HttpOnly cookie scoped to your browser — nothing is persisted server-side.

Use a non-production instance. The harness will register IdPs, resource servers, and clients, and emit audit rows. It is idempotent, but you don’t want this traffic commingled with prod.


Empower your workforce with agentic AI.

Your team already has identities. Your business already has tools. PolicyArc weaves them together so an employee can ask Claude — or any MCP-aware client — to act on Drive, Jira, or whatever you authorize, with every call policy-checked at the edge.

  1. Connect your corporate sign-on

    Federate Google + Microsoft. Employees sign in with the directory they already trust.

  2. Connect your enterprise tools

    Plug in Google Drive, Atlassian Jira, and GitLab. Every call from now on is policy-gated.

  3. Employee opens a doc through an AI client

    Alice signs in, asks an MCP client to fetch a file, the gateway ALLOWs the call.

  4. Try it yourself in Claude Code

    Point Claude Code at this AS's MCP endpoint and run a prompt against your own data.

Tip: re-run any single step from its row. Stops at first failure.

Give an autonomous agent access — safely.

Move past chat. An agent gets a signed software statement that declares everything it's ever allowed to ask for, then obtains a short-lived token, then uses that token to reach your data — every step policy-checked, no long-lived secret anywhere.

  1. Provision the agent

    Sign a software statement that scopes what the agent can ever request, then register it.

  2. Agent obtains a token

    client_credentials grant → short-lived bearer token bound to a specific resource.

  3. Agent accesses corporate data

    The token unlocks one call through the gateway — policy gate runs first.

Tip: re-run any single step from its row. Stops at first failure.

AI controls your auditors will ask for.

SPIFFE workload identity, RFC 8693 delegation, RFC 9396 Rich Authorization Requests, and policy-driven JIT/TTL on delegated tokens. The four protocol moves that separate a demo from a defensible architecture.

  1. Establish SPIFFE workload identity

    Register trust domain; publish JWKS for JWT-SVID verification.

  2. Delegate to a sub-agent

    RFC 8693 token exchange with a SPIFFE-identified actor; ttl_override=60 applies.

  3. Capture intent with RAR

    RFC 9396 authorization_details — agent declares action + repo.

  4. Route high-risk action through a human (CIBA)

    High-risk RAR trips approval_required and routes through CIBA human-in-the-loop (HITL) approval: the approver approves the $50k request and denies the $75k one.

  5. Bind the token to the holder's key (DPoP)

    RFC 9449 — token carries cnf.jkt; replay without the proof is denied at the gateway.

  6. One-shot capability token

    First call is ALLOWed and emits a jit_revoke audit row; any replay → 403.
