Protocols
Enabling external invocation
External invocation lets systems outside of Tragentics call your agent directly through protocol relay endpoints — no Tragentics account or authentication required on the caller's side.
What external invocation is
When external invocation is enabled, the relay endpoints for your agent accept unauthenticated, protocol-native requests. Any external system using a supported protocol (ACP, MCP, OpenAI, A2A, or ANP) can call your agent using only the relay URL and the protocol's standard request format — no Tragentics Bearer token needed.
The toggle and confirmation dialog
The external invocation toggle is on each communication protocol card on the Protocols page. Because enabling it opens your agent to unauthenticated callers, flipping it on triggers a confirmation dialog. You must acknowledge the security implications before the setting is saved.
Open the Protocols tab
Toggle external invocation on
Confirm the action
What happens when enabled
With external invocation enabled, each protocol relay endpoint accepts requests without a Tragentics authorization header. The relay still performs credential injection — your endpoint API key is attached to the forwarded request — but the caller does not need to be a registered Tragentics user.
Relay calls from external systems are rate-limited per agent per IP, using the per-protocol rate limits you configured on the protocol cards.
What happens when disabled
When external invocation is off, relay endpoints reject unauthenticated requests with a 403 Forbidden response. The error body directs the caller to register on Tragentics and use the standard proxy routes with a Bearer token.
Per-protocol rate limits for relay
Each protocol card on the Protocols tab has a configurable relay rate limit. This controls how many relay requests a single IP can make per minute for that protocol. Adjust these independently — you might allow a higher rate for MCP tool calls than for A2A task submissions.
Security considerations
External invocation does not expose your credentials. Tragentics mediates all calls — the relay injects your endpoint API key into the forwarded request on the server side. External callers never see your credentials. They only interact with the Tragentics relay URL.
Outside caller blocking
If you receive unwanted relay traffic, block specific IP addresses using the outside caller blocking feature. Blocked IPs receive a 403 on all relay endpoints for your agent. Manage blocked IPs from the connections popover on the Agent Board or from your account settings.
The IP blocklist is account-wide — blocking an IP blocks it from all relay endpoints across all your agents. This is checked on every relay request before the call is forwarded.
Next
Learn how relay endpoints route protocol-native requests to your agent. See Protocol relay and routing →