Create Token — AgentLeash

Identity

Permissions

Forbidden

Binding

Review

Token Identity

Name your token, specify the agent, and choose a blockchain.

Token Name

A human-readable name for this permission token

Agent ID

Auto-generated unique identifier. This binds the token to the agent.

Target User (optional)

Scope this token to a specific user. Leave empty for an agent-level token that applies to all users. Can be a Slack user ID, email, or any identifier your system uses.

Blockchain

🔵

Ethereum L2 - Base

Ethereum L2 (ERC-721)

⚪

Algorand

ASA

🔒 On-Chain Identity

By default, a pseudonymous identifier is used on-chain to protect your agent's real name. Only your organization can link it back to the real agent.

Use real agent name on-chain

If enabled, the actual agent ID will be publicly visible on the blockchain. Default: off (decoy identifier used).

On-chain identifier: al-••••••••••••••••

Describe what your agent should do

Tell us in plain English what you want this agent to do, and we'll configure the permissions automatically. You can review and adjust before minting.

Try: "Read my email and calendar, search the web, but block all PII"

What can this agent do?

Choose capabilities for your agent. We'll handle the technical permissions automatically.

📨 Email & Communication

📧 Read Emails

View inbox and email content

✉️ Send Emails

Compose and send emails

📝 Drafts Only

Write emails to drafts, no sending

💬 Send Messages

Slack, Teams, or chat platforms

🌐 Web & Browsing

🔍 Search the Web

Google, Brave, web search

🌐 Browse Web (Read Only)

View pages, no form submission

🖱️ Browse + Interact

Click, fill forms, navigate

🔗 Access APIs

Fetch data from web APIs

📂 Files & Data

📄 Read Files

View documents and data

📂 Read & Write Files

Create, edit, and save files

🖼️ Analyze Images

View and interpret images

📑 Analyze Documents

Read and process PDFs

🔒 Data Sensitivity

What types of sensitive data should be blocked?

✓

🔑 Block Passwords & Credentials

API keys, tokens, secrets

✓

💳 Block Credit Card Numbers

Card numbers, CVVs, expiry dates

✓

🛡️ Block PII

SSN, DOB, addresses, phone numbers

✓

🏥 Block Health Records

HIPAA-protected health information

✓ All data protections are ON by default. Click to disable if your agent needs access.

💰 Payments & Finance

📊 View Financial Data

Read-only access to transactions

💳 Process Payments

Initiate and approve transactions

⚙️ System & Agents

🖥️ Run Safe Commands

ls, cat, grep, curl (read-only)

⚡ Run All Commands

Full shell access (use with caution)

🤖 Create Sub-agents

Spawn and manage child agents

📡 Message Other Agents

Send data between agents

Permission Builder (Advanced)

Direct tool-level control. Click a tool to toggle it.

Only tools you select below will be permitted. Everything else is denied.

File I/O

read i

Read any file the agent can access. Includes source code, configs, logs, documents.

When to forbid: Forbid to prevent reading sensitive files like .env, credentials, or private keys.

Read files

write i

Create or overwrite files. Can modify code, configs, or create new documents.

When to forbid: Forbid to prevent agents from modifying your codebase or creating files.

Write files

edit i

Make precise edits to existing files (find & replace). Surgical code changes.

When to forbid: Forbid to prevent code modifications while still allowing file reading.

Edit files

System

exec i

Run ANY shell command: install packages, deploy code, access databases, delete files.

When to forbid: ⚠️ Most dangerous tool. Forbid unless the agent needs system access. Can run rm, curl, ssh, etc.

Shell commands

process i

List, monitor, and control running processes. Can kill processes and write to stdin.

When to forbid: Forbid to prevent agents from interfering with running services.

Manage processes

gateway i

Modify OpenClaw gateway settings. Can change agent configuration and plugins.

When to forbid: Almost always forbid. Only needed for self-managing agents.

System config

Network

web_search i

Search the internet via Brave Search API. Returns titles, URLs, and snippets.

When to forbid: Safe for most agents. Forbid only if the agent should have no internet awareness.

Search the web

web_fetch i

Download and read content from any URL. Can access APIs, websites, documents.

When to forbid: Forbid to prevent agents from reaching external services or leaking data via URL calls.

Fetch URLs

browser i

Full browser automation: navigate, click, type, screenshot. Can log into websites.

When to forbid: Forbid to prevent agents from interacting with web UIs or accessing authenticated sites.

Browser control

Communication

message i

Send messages to Slack, Telegram, Discord, email, etc. Can contact anyone.

When to forbid: ⚠️ High risk. Forbid to prevent agents from sending unauthorized communications.

Send messages

tts i

Convert text to audio and deliver it. Used for voice interactions.

When to forbid: Forbid if the agent shouldn't produce audio output.

Text to speech

canvas i

Create and control visual UI elements presented to users.

When to forbid: Forbid if the agent shouldn't display custom interfaces.

UI canvases

Agents

sessions_spawn i

Create new sub-agent sessions. The spawned agents inherit permissions unless constrained.

When to forbid: ⚠️ Forbid to prevent agents from creating unconstrained child agents.

Spawn agents

sessions_send i

Send messages to other running agent sessions. Enables inter-agent communication.

When to forbid: Forbid to isolate the agent from communicating with other agents.

Message agents

subagents i

List, steer, and kill sub-agent sessions. Full control over child agents.

When to forbid: Forbid to prevent agents from orchestrating other agents.

Manage sub-agents

Media & Info

image i

Analyze images using vision models. Can read screenshots, photos, diagrams.

When to forbid: Safe for most agents. Forbid if the agent shouldn't process visual content.

Analyze images

pdf i

Read and analyze PDF documents. Can extract text, tables, images.

When to forbid: Safe for most agents. Forbid if the agent shouldn't access PDF documents.

Analyze PDFs

session_status

Session info

Forbidden Actions

Explicit deny rules that override all permissions. Even if a tool is allowed in Step 2, a forbidden rule here will block it. Use these for hard safety boundaries.

🧠 Describe what should be forbidden in plain English:

+ Add forbidden action

💡 Common patterns:
• Block all shell access: forbid exec — "Shell commands not permitted"
• Block external comms: forbid message — "No outbound messaging allowed"
• Block file deletion: forbid exec with params rm — "File deletion prohibited"
• Block sub-agents: forbid sessions_spawn — "Cannot create child agents"

Session Binding & Expiration

Control when and where this token is valid.

Session Binding

Lock this token to a specific agent session. When strict, the token only works within that exact session.

Session Key

Strict Mode

Token only valid within this exact session (recommended)

Expiration

Set an automatic expiration date for this token.

Expires At

Duration

On Expiry

Choose what happens when the token reaches its expiration date.

🔐 Permission Encryption

Encrypt permissions on-chain so they can't be read without the decryption key. Enterprise feature for sensitive/classified agent configurations.

Encrypt Permissions

AES-256-GCM encryption. Only your organization can decrypt and verify permissions.

What this means:

Permissions stored as encrypted ciphertext
On-chain: only a SHA-256 hash is visible
Runtime decrypts in memory during verification
Competitors and public cannot see agent capabilities

Review & Mint

Confirm your token configuration before minting to the blockchain.

Token Identity

—

Blockchain

—

On-Chain Identity

—

Permission Mode

—

Allowed Tools

—

Forbidden Actions

Session Binding

—

Expiration

—

Description

This description is stored with the token. Edit freely before minting.