Shell
The interface to your product.
Humans use the embedded widget.
Agents use it through the invoke API.
The surface between your product and its callers
Expose only what you choose. Anything irreversible waits for approval. Every call is logged. Cut access instantly when you need to.
The problem
Agents can call your API today. Most products have no way to restrict what runs, require approval on sensitive actions, audit every decision, or revoke access when something goes wrong.
No auth boundary
Agents reach your API through ad-hoc integrations — or by guessing URLs. Nothing sits in front saying what’s allowed.
Side effects slip through
Refunds and deletes need an approval step. Most teams wire it differently in chat, agent code, and backend checks.
No audit when it breaks
When something goes wrong, you can’t reconstruct who called what, with what consent, and what your API returned.
Concepts used throughout
The interface to your product.
Humans use the embedded widget.
Agents use it through the invoke API.
The enforcement layer behind every shell.
Checks permissions.
Requires approval for sensitive actions.
Records every call.
Humans and agents use the Shell.
Duct decides what is allowed to happen.
Built for safe actions
Give agents access to your product without giving away control.
Only what you allow
Callers can only invoke actions in your manifest. Everything else is blocked before your API runs.
Approval before action
Refunds, cancels, deletes — paused until someone approves. Same gate for chat and the invoke API.
Every call logged
Action, caller, permission rule, consent status, and outcome — one row per call. Queryable and exportable from the dashboard.
Revoke access instantly
Revoke a key or roll back the manifest. The next call fails — no deploy required.
What it looks like on a real call
Customer support agent
Issue refund · $250
Approval required
Executed · logged
Set up once · users, agents, and partners
Users act through your product — in-chat UI, approvals, and audit, not a bolt-on chatbot.
Deploy, scale, and manage your stack — one dashboard your whole team actually loves.
Deploy pipelines
Push to prod in one click with guarded rollouts.
For your users
Users ask in plain language, approve side effects in chat, and get structured in-shell UI — not raw API responses.
01
Answer
Records, status, and summaries show up as in-shell tables and cards — clear at a glance, not a wall of JSON.
02
Act
Permitted actions run inside the conversation — in-shell forms, confirm cards, and a pause before anything irreversible.
03
Hand off
Navigate to exactly the right page in your app, carrying signed context from the chat.
For AI agents
Agents get a typed invoke surface — not scraping your UI or guessing endpoints.
Declared actions, not URLs
Invoke typed actions with structured params. Off-manifest calls fail cleanly with a reason code.
Scoped credentials
Partner agents use scoped profiles (at_) — no root secret to distribute. Your own backend uses a shell token (st_) from server env. Neither gets blanket API access.
Side effects that pause
Irreversible calls return a confirmation step. Retry once approved — same audit as human chat.
Let’s clear this up
It gets lumped in with a lot of things. It's none of them.
NOTan MCP
MCP is developer plumbing for AI tools. Duct is the layer your users and agents actually act through — with your rules enforced.
NOTWebMCP
WebMCP exposes page tools to visiting agents — no server gate. Duct enforces permissions, consent, and audit before anything runs.
NOTa chatbot
It doesn’t just talk. It gets things done — and pauses for approval before anything irreversible.
NOTa support assistant
It’s not only for answering questions. It completes the task for your user, end to end.
So what is it?
What you get
Chat for users, invoke API for agents — one manifest underneath, consent and audit on every call.
Opt in and your shell can delegate to another product’s shell — with capability discovery, runtime consent, and single-use tokens. Off by default; grows as more products join.
How it works
Tell us what you’re building. We provision your shell and issue credentials when a spot opens.
Choose which actions exist, who can call them, and what needs confirmation — in one manifest.
Embed the shell for users. Open the invoke API for agents. Consent and audit run on every call.
From the blog

Get started
Map your API once. Ship with consent and audit from day one.