The surface between your product and its callers

Let agents do real work. Safely.

Expose only what you choose. Anything irreversible waits for approval. Every call is logged. Cut access instantly when you need to.

Scoped permissionsConsent before changesFull audit trail
See Duct in action~3 mins

The problem

Agents want to act. Most products aren’t ready.

Agents can call your API today. Most products have no way to restrict what runs, require approval on sensitive actions, audit every decision, or revoke access when something goes wrong.

No auth boundary

Agents reach your API through ad-hoc integrations — or by guessing URLs. Nothing sits in front saying what’s allowed.

Side effects slip through

Refunds and deletes need an approval step. Most teams wire it differently in chat, agent code, and backend checks.

No audit when it breaks

When something goes wrong, you can’t reconstruct who called what, with what consent, and what your API returned.

Concepts used throughout

Shell is where requests arrive. Duct is where decisions are made.

Shell

The interface to your product.

Humans use the embedded widget.

Agents use it through the invoke API.

Duct

The enforcement layer behind every shell.

Checks permissions.

Requires approval for sensitive actions.

Records every call.

Humans and agents use the Shell.

Duct decides what is allowed to happen.

Built for safe actions

Every call stays inside your rules.

Give agents access to your product without giving away control.

Only what you allow

Callers can only invoke actions in your manifest. Everything else is blocked before your API runs.

Approval before action

Refunds, cancels, deletes — paused until someone approves. Same gate for chat and the invoke API.

Every call logged

Action, caller, permission rule, consent status, and outcome — one row per call. Queryable and exportable from the dashboard.

Revoke access instantly

Revoke a key or roll back the manifest. The next call fails — no deploy required.

What it looks like on a real call

Example · one risky call
Who called

Customer support agent

Action

Issue refund · $250

Rule

Approval required

Outcome

Executed · logged

One audit row — same evidence shape for chat, agent API, and cross-product calls.

Set up once · users, agents, and partners

Acme Corp on Duct

Users act through your product — in-chat UI, approvals, and audit, not a bolt-on chatbot.

For your users

Ship infrastructure without the busywork.

Deploy, scale, and manage your stack — one dashboard your whole team actually loves.

Deploy pipelines

Push to prod in one click with guarded rollouts.

For your users

Every interaction, handled.

Users ask in plain language, approve side effects in chat, and get structured in-shell UI — not raw API responses.

01

Answer

Records, status, and summaries show up as in-shell tables and cards — clear at a glance, not a wall of JSON.

02

Act

Permitted actions run inside the conversation — in-shell forms, confirm cards, and a pause before anything irreversible.

03

Hand off

Navigate to exactly the right page in your app, carrying signed context from the chat.

For your users

For AI agents

Stable actions. Scoped keys. Recoverable errors.

Agents get a typed invoke surface — not scraping your UI or guessing endpoints.

Declared actions, not URLs

Invoke typed actions with structured params. Off-manifest calls fail cleanly with a reason code.

Scoped credentials

Partner agents use scoped profiles (at_) — no root secret to distribute. Your own backend uses a shell token (st_) from server env. Neither gets blanket API access.

Side effects that pause

Irreversible calls return a confirmation step. Retry once approved — same audit as human chat.

For AI agents

Let’s clear this up

Let's be clear about what Duct isn't.

It gets lumped in with a lot of things. It's none of them.

NOTan MCP

MCP is developer plumbing for AI tools. Duct is the layer your users and agents actually act through — with your rules enforced.

NOTWebMCP

WebMCP exposes page tools to visiting agents — no server gate. Duct enforces permissions, consent, and audit before anything runs.

NOTa chatbot

It doesn’t just talk. It gets things done — and pauses for approval before anything irreversible.

NOTa support assistant

It’s not only for answering questions. It completes the task for your user, end to end.

So what is it?

  • One place your product’s actions live — what’s allowed, and for whom
  • Every action runs through your rules, with approval on anything irreversible
  • One surface for your users and AI agents
  • Works with the product you already have — no rebuild

What you get

Shell & invoke API today. Network in early access.

Available today

Shell + Invoke API

Chat for users, invoke API for agents — one manifest underneath, consent and audit on every call.

  • Human shell with confirm cards
  • Agent invoke with scoped keys
  • Consent gate on side effects
  • One audit row per call
Early access

The cross-product network

Opt in and your shell can delegate to another product’s shell — with capability discovery, runtime consent, and single-use tokens. Off by default; grows as more products join.

  • Opt-in per shell
  • Runtime user consent
  • 60s single-use delegation tokens
  • Audited on both sides

Shell to shell

How it works

Up in a week. Maintained in minutes.

1

Get early access

Tell us what you’re building. We provision your shell and issue credentials when a spot opens.

2

Map your API once

Choose which actions exist, who can call them, and what needs confirmation — in one manifest.

3

Ship with guardrails

Embed the shell for users. Open the invoke API for agents. Consent and audit run on every call.

FAQs

Common questions

What people ask us about Duct.

Read more

Get started

Safe agent actions. On your product.

Map your API once. Ship with consent and audit from day one.