All non-PUBLIC routes have Default Protection — cryptographic verification, caveats, delegation, revocation. Then choose your economic policy: observe (audit), control (budget), or charge (payments).
Protection is the starting state. Economics are configurable.
Layer 0 — Always-On Cryptographic Verification
Default Protection is the foundation of SatGate's security model. Every request is cryptographically verified — signatures, caveats, delegation chains. You can't turn this off. Then you choose your economic policy: observe, control, or charge.
Issues root credentials. Retains authority. Can revoke instantly.
Uses tokens. Can delegate restricted sub-tokens offline.
Receives delegated tokens. Cannot escalate beyond granted scope.
This demo runs against the live SatGate OSS deployment on Railway.