Security

Economic Access Control — built by security practitioners, not bolted on after.

The Security Model

SatGate implements Economic Access Control — a capability-based security model where every API request must present a cryptographically verified token with embedded access constraints.

Traditional APIs ask “who are you?” and maintain identity databases. SatGate asks “what can you afford?” — enforcing budgets, scopes, and delegation limits at the request layer. No user databases. No PII. No credential stuffing surface.

The gateway operates as a Policy Enforcement Point (PEP). No request reaches your upstream without passing cryptographic verification.

SatGate Mint — Trust Broker

Agents authenticate through your existing identity infrastructure. SatGate Mint exchanges workload identity tokens (OIDC JWTs from Kubernetes, AWS IAM, or any OIDC provider) for capability-bearing macaroons with policy-defined constraints.

Agent Identity (K8s / AWS / OIDC) → SatGate Mint (Verify + Policy Match) → Macaroon (Budget + Scope + TTL)

  • Zero secrets to manage. Agents present their existing workload identity — no API keys to rotate, no credentials to store.
  • Policy-driven issuance. Each agent policy defines budget, scope, TTL, and delegation permissions. Different agents get different constraints.
  • Multi-provider support. Same issuer with different audiences routes to different policies — enforce different budgets per agent class.

Why Macaroons

API keys are passwords. JWTs are ID cards. Macaroons are signed checks with spending limits — and every person who touches the check can only reduce the limit, never increase it.

Delegation Without Calling Home

A manager mints a token, carves off a weaker one for their team, who delegates further to an agent. Each step is cryptographically chained — no API call, no DB write. Permissions only shrink.

Runtime Constraints Built In

Caveats encode “only until 5pm,” “only for /openai/*,” or “max 200 credits.” Verified at the gateway on every request. The token carries its own budget.

The Right Primitive for Agents

Agents can't do OAuth flows or sign up for accounts. But they can hold a bearer token that encodes exactly what they're allowed to do and spend. That's a macaroon.
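To make the token exchange and the attenuation chain above concrete, here is an added example (not SatGate's own code): a toy HMAC-chained macaroon with a constructed (issuer, audience) policy table, offline caveat delegation, and the gateway-side verify that fails closed. The policy entries, caveat syntax, and claim values are assumptions for illustration.

```python
import hashlib
import hmac

# Toy macaroon (id, ordered caveats, HMAC-chain signature). Illustrative, not SatGate's code; the policy table and caveat syntax are constructed.
POLICIES = {  # (OIDC issuer, audience) -> caveats the minted token is born with
    ("https://oidc.example/cluster", "satgate-reporting"): ["path_prefix /openai/", "max_credits 200"],
    ("https://oidc.example/cluster", "satgate-batch"): ["path_prefix /openai/", "max_credits 5000"],
}

def _chain(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key: bytes, ident: str, caveats=()) -> dict:
    """Root token; only the minting service ever holds root_key."""
    tok = {"id": ident, "caveats": [], "sig": _chain(root_key, ident.encode())}
    for c in caveats:
        tok = add_caveat(tok, c)
    return tok

def add_caveat(token: dict, caveat: str) -> dict:
    """Attenuate offline: the holder needs only the current signature, never root_key."""
    return {"id": token["id"], "caveats": token["caveats"] + [caveat],
            "sig": _chain(token["sig"], caveat.encode())}

def exchange(root_key: bytes, claims: dict, ttl: int) -> dict:
    """Mint step: the OIDC JWT is assumed already signature-verified; issuer+audience select the policy."""
    caveats = POLICIES.get((claims["iss"], claims["aud"]))
    if caveats is None:
        raise PermissionError("no policy for this workload identity")
    return mint(root_key, claims["sub"], caveats + [f"expires {claims['iat'] + ttl}"])

def _caveat_holds(caveat: str, path: str, now: int, cost: int) -> bool:
    """Unknown caveats fail closed; max_credits caps one call here (a real budget also tracks spend per token)."""
    kind, _, arg = caveat.partition(" ")
    if kind == "path_prefix":
        return path.startswith(arg)
    if kind == "expires":
        return arg.isdigit() and now < int(arg)
    if kind == "max_credits":
        return arg.isdigit() and cost <= int(arg)
    return False

def verify(root_key: bytes, token: dict, path: str, now: int, cost: int) -> bool:
    """Gateway check: recompute the chain from root_key and require every caveat; a stripped or reordered caveat breaks the chain."""
    sig = _chain(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        sig = _chain(sig, caveat.encode())
        if not _caveat_holds(caveat, path, now, cost):
            return False
    return hmac.compare_digest(sig, token["sig"])
```

Because every caveat must hold, a delegate who appends a larger max_credits never lifts the parent's cap; the effective budget is the smallest one in the chain.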

Cascade Revocation

Revoking a parent token instantly invalidates all of its children. No propagation delay — the gateway checks revocation status on every request. Admin kill switch: immediate.

Enforcement Modes

Three modes, one adoption path. Start safe, add enforcement when ready.

Observe

Verify → Allow → Log. Full visibility into agent traffic, cost attribution by team, zero enforcement. Free forever.

Control

Verify → Enforce Budget → Allow. Per-agent spending caps, real-time budget enforcement. Works with Stripe, ERP — no crypto required. HTTP 402 when budget exhausted.

Charge

Verify → Payment Proof → Allow. L402 Lightning micropayments. Per-request pricing. Instant settlement, no invoices, no chargebacks.

Non-Custodial Architecture

  • Never stores upstream credentials. SatGate verifies tokens at the gateway. Your API keys, secrets, and upstream credentials stay in your infrastructure.
  • No request body inspection. Gateway inspects only token and routing metadata. Request payloads pass through opaque (MCP proxy reads method/tool name for cost attribution only).
  • Tenant-isolated data. All data scoped by tenant_id. Cross-tenant access is architecturally impossible.
  • Lightning payments settle directly. In Charge mode, payments go from payer to your Lightning node. SatGate never touches funds.

Zero Trust Access Control

SatGate is a Zero Trust Policy Enforcement Point for API access. It verifies every request and enforces scoped access — no network trust assumptions.

Policy Enforcement Point

Deny-by-default. Every protected request verified before proxying.

Continuous Authorization

Token validated on each request — no long-lived sessions or network zone trust.

Least Privilege

Macaroon caveats restrict scope, method, TTL, and budget per token.

No Trust Dependencies

Cryptographic verification — no centralized user database required.

What SatGate is (and isn't)

  • Zero Trust PEP for API access (request-level verification + least privilege)
  • Economic abuse friction — high-volume abuse becomes self-limiting
  • Complements existing security stack (WAF/CDN, rate limiting, SIEM)
  • Not a full Zero Trust program (identity governance, device posture, microsegmentation)

Audit & Compliance

  • 55 event types across 12 categories in an immutable audit log. Every mint, revocation, delegation, budget change, and config update is recorded.
  • Real-time alerts via Slack, Discord, email, or custom webhooks for critical events.
  • Shadow Report — real-time dashboard showing all agent traffic, spend, and policy violations.
  • Export — CSV/JSON export for audit log and billing data via dashboard and API.

Security Practices

Open Source

  • Core gateway is Apache 2.0 licensed
  • Full source audit at any time
  • No black boxes

Dependencies

  • Automated Dependabot updates
  • Go vulnerability scanning
  • Checksum verification

Infrastructure

  • TLS 1.2+ enforced
  • Stateless gateway design
  • Minimal attack surface

Code Quality

  • Required code review
  • Automated tests on every PR
  • Static analysis enforced

Enterprise Security Review

Need to evaluate SatGate for your security team? Download the full Security Posture Pack — covers architecture, encryption, data handling, audit, and compliance.

Leadership

SatGate was founded by Wayne Mattadeen, a cybersecurity executive with 27+ years of experience across Deloitte, Accenture, and EY — including partner-level roles focused on enterprise security architecture and Zero Trust.

Security isn't something we're learning. It's where we come from.

Compliance Roadmap

  • Responsible disclosure program: Active
  • Automated vulnerability scanning: Active
  • Open source core (Apache 2.0): Active
  • Third-party penetration test: Q2 2026
  • SOC 2 Type I: Post-revenue

Responsible Disclosure

Found a security vulnerability? Please report issues privately before public disclosure.

Email: security@satgate.io

  • Acknowledge receipt within 48 hours
  • Initial assessment within 7 days
  • Coordinated disclosure
  • Public credit (unless you prefer anonymity)

Open Source Transparency

All gateway code is open source under the Apache 2.0 License. Audit every line, fork it, run your own infrastructure.