|
| 1 | +--- |
| 2 | +title: Named agents |
| 3 | +description: >- |
| 4 | + Named agents are team-scoped identities that own and execute cloud agent |
| 5 | + runs. Use them to separate workflows, scope credentials, and attribute |
| 6 | + automated work to a specific bot account. |
| 7 | +sidebar: |
| 8 | + label: "Named agents" |
| 9 | +--- |
| 10 | + |
| 11 | +A **named agent** is a team-scoped identity that can own and execute Oz cloud agent runs. Every Warp team starts with a single default agent. Creating additional named agents lets you separate workflows, scope credentials, and attribute automated runs to a specific bot account instead of a person. |
| 12 | + |
| 13 | +Named agents are useful when you want to: |
| 14 | + |
| 15 | +* **Separate workflows** - Give the deploy bot, the dependency-update bot, and the code-review bot distinct identities so runs are easier to filter and audit. |
| 16 | +* **Scope credentials** - Attach a specific set of managed secrets and skills to one identity so its runs receive only the configuration that workflow needs. |
| 17 | +* **Attribute automated work** - Bind an API key to a named agent so CI pipelines and webhooks show up as that bot in run history rather than as a teammate. |
| 18 | + |
| 19 | +## How named agents work |
| 20 | + |
| 21 | +Each team has one default agent that runs receive automatically when no specific identity is chosen. You can create additional named agents on top of that default and run as any of them. Identities are team-scoped, so every member of a team can see and use the same set of named agents. |
| 22 | + |
| 23 | +You can attach the following configuration to a named agent: |
| 24 | + |
| 25 | +* **Description** - A short, human-readable summary teammates see when picking the agent. |
| 26 | +* **Managed secrets** - References (by name) to [team-managed secrets](/agent-platform/cloud-agents/secrets/) the agent should have access to. |
| 27 | +* **Skills** - Skill specs (for example, `org/repo:path/to/SKILL.md`) the agent comes preloaded with. Shorthand specs like `repo:skill_name` are accepted when they resolve unambiguously against the team's cloud environments. |
| 28 | + |
| 29 | +Skill specs are stored in their normalized fully-qualified form, and managed secret references are validated against the team's secret scope at attach time. If a secret is missing or a skill repo is not accessible to the team's GitHub App installation, the request is rejected before anything is saved. |
| 30 | + |
| 31 | +## Plan limits |
| 32 | + |
| 33 | +Each plan caps the number of named agents (including the default) a team can have: |
| 34 | + |
| 35 | +* **Free** - 1 named agent. |
| 36 | +* **Build** - 1 named agent. |
| 37 | +* **Business** - 5 named agents. |
| 38 | +* **Enterprise** - Unlimited. |
| 39 | + |
| 40 | +When a team is over its plan limit (for example, after downgrading), the extra identities remain visible in the list but are marked as unavailable. Unavailable identities cannot be used to start runs, cannot have new API keys generated for them, and cannot be edited. |
| 41 | + |
| 42 | +## Managing named agents |
| 43 | + |
| 44 | +You can create, list, update, and delete named agents through the public API. The full request and response shapes — including error codes — live on the [API Reference](/api) page; the operations to look for are `createAgent`, `listAgents`, `getAgent`, `updateAgent`, and `deleteAgent` under the **agent** tag. |
| 45 | + |
| 46 | +The endpoints behave as follows: |
| 47 | + |
| 48 | +* **Create** - `POST /agent/identities` with a `name` and optional `description`, `secrets`, and `skills`. Returns `201` with the new agent's `uid`, `name`, and `available` flag. |
| 49 | +* **List** - `GET /agent/identities` returns every named agent on the team, including the default. Each entry includes an `available` flag indicating whether it is within the plan limit. |
| 50 | +* **Retrieve** - `GET /agent/identities/{uid}` returns a single agent by its UID. |
| 51 | +* **Update** - `PUT /agent/identities/{uid}` replaces individual fields. Omitting a field preserves the current value; passing an empty string or empty array clears it. |
| 52 | +* **Delete** - `DELETE /agent/identities/{uid}` soft-deletes the agent and atomically deletes every API key bound to it. The default agent cannot be deleted. |
| 53 | + |
| 54 | +### Caller requirements |
| 55 | + |
| 56 | +A few constraints apply across every endpoint: |
| 57 | + |
| 58 | +* **Team-scoped** - Named agents belong to a team. The caller must be a member of exactly one team. If the caller is on zero teams or multiple teams, the request is rejected. |
| 59 | +* **Human callers only** - Only human users can create, update, or delete a named agent. A request authenticated as a named agent itself is rejected. |
| 60 | +* **Availability is enforced on use** - Over-plan-limit agents are returned by the list endpoint but cannot be used to update fields, generate new keys, or start new runs. |
| 61 | + |
| 62 | +## API keys bound to a named agent |
| 63 | + |
| 64 | +A team API key can be bound to a specific named agent at creation time. Calls authenticated with that key run as the chosen agent. The team is resolved automatically from the agent — you don't need to specify a team when generating the key. |
| 65 | + |
| 66 | +To create a key bound to a named agent, pass the agent's UID to the `generateApiKey` mutation. See [API Keys](/reference/cli/api-keys/) for the full key creation flow and for the difference between user-scoped and team-scoped keys. |
| 67 | + |
| 68 | +Once the key exists, the CLI and SDK authenticate as that named agent for every call. There is no extra flag to set; the binding is on the key itself. |
| 69 | + |
| 70 | +## Running as a named agent |
| 71 | + |
| 72 | +There are two ways to run a cloud agent as a specific named agent: |
| 73 | + |
| 74 | +* **Authenticate with a key bound to the agent** - Every run started with that key executes as the bound named agent. This is the typical path for CI pipelines and scheduled work. |
| 75 | +* **Pass `agent_identity_uid` on `POST /agent/runs`** - For one-off runs, send the named agent's `uid` in the request body. The field is only valid for team-owned runs. |
| 76 | + |
| 77 | +When neither path is used, runs execute under the default identity ("Quick run" in the web app). |
| 78 | + |
| 79 | +## Where named agents appear in the product |
| 80 | + |
| 81 | +Named agents surface across several Oz surfaces: |
| 82 | + |
| 83 | +* **Agents page** - The Agents page in the [Oz web app](/agent-platform/cloud-agents/oz-web-app/) is where teams view, create, edit, and delete named agents. The same page lists the skills available to your team. |
| 84 | +* **Agent picker** - Forms that start a new run or schedule include an **Agent** dropdown. **Quick run** is the default option (runs execute as the calling user); selecting a named agent runs as that identity instead. |
| 85 | +* **Run filters and detail** - The Runs view lets you filter by named agent, and individual run detail pages show which identity executed the run. |
| 86 | +* **Admin Panel** - Billing usage in the [Admin Panel](/knowledge-and-collaboration/admin-panel/) attributes credits consumed by named-agent runs to the team rather than to a person. |
| 87 | + |
| 88 | +## Related pages |
| 89 | + |
| 90 | +* [Cloud agent secrets](/agent-platform/cloud-agents/secrets/) - Manage the team-managed secrets you can attach to a named agent. |
| 91 | +* [Deployment patterns](/agent-platform/cloud-agents/deployment-patterns/) - When to use a named agent for automation versus a personal identity. |
| 92 | +* [Oz API & SDK](/reference/api-and-sdk/) - Programmatic access to the named agent endpoints. |
| 93 | +* [API Keys](/reference/cli/api-keys/) - Create keys bound to a specific named agent. |
| 94 | +* [Federated identity tokens](/reference/cli/federate/) - Issue OIDC tokens from inside a run, including ones executing as a named agent. |
| 95 | +* [Oz web app](/agent-platform/cloud-agents/oz-web-app/) - The web surface where you manage named agents and inspect their runs. |
| 96 | +* [Admin Panel](/knowledge-and-collaboration/admin-panel/) - Team-level billing and access controls. |
0 commit comments