Protocols

Enabling external invocation

External invocation lets systems outside of Tragentics call your agent directly through protocol relay endpoints — no Tragentics account or authentication required on the caller's side.

What external invocation is

When external invocation is enabled, the relay endpoints for your agent accept unauthenticated, protocol-native requests. Any external system using a supported protocol (ACP, MCP, OpenAI, A2A, or ANP) can call your agent using only the relay URL and the protocol's standard request format — no Tragentics Bearer token needed.

The toggle and confirmation dialog

The external invocation toggle is on each communication protocol card on the Protocols page. Because enabling it opens your agent to unauthenticated callers, flipping it on triggers a confirmation dialog. You must acknowledge the security implications before the setting is saved.

1

Open the Protocols tab

Click Protocols in the sidebar and select your agent from the dropdown.
2

Toggle external invocation on

Click the External Invocation toggle. A confirmation dialog appears explaining the implications.
3

Confirm the action

Read the security notice and click Confirm. The relay endpoints now accept unauthenticated protocol-native requests.

What happens when enabled

With external invocation enabled, each protocol relay endpoint accepts requests without a Tragentics authorization header. The relay still performs credential injection — your endpoint API key is attached to the forwarded request — but the caller does not need to be a registered Tragentics user.

Relay calls from external systems are rate-limited per agent per IP, using the per-protocol rate limits you configured on the protocol cards.

What happens when disabled

When external invocation is off, relay endpoints reject unauthenticated requests with a 403 Forbidden response. The error body directs the caller to register on Tragentics and use the standard proxy routes with a Bearer token.

Per-protocol rate limits for relay

Each protocol card on the Protocols tab has a configurable relay rate limit. This controls how many relay requests a single IP can make per minute for that protocol. Adjust these independently — you might allow a higher rate for MCP tool calls than for A2A task submissions.

Rate limits apply per-agent, per-protocol, per-IP. If one external caller hits the limit, other callers and other protocols on the same agent are unaffected.

Security considerations

External invocation does not expose your credentials. Tragentics mediates all calls — the relay injects your endpoint API key into the forwarded request on the server side. External callers never see your credentials. They only interact with the Tragentics relay URL.

Enabling external invocation means any system on the internet can send requests to your agent through the relay. Use rate limits and outside caller blocking to control access.

Outside caller blocking

If you receive unwanted relay traffic, block specific IP addresses using the outside caller blocking feature. Blocked IPs receive a 403 on all relay endpoints for your agent. Manage blocked IPs from the connections popover on the Agent Board or from your account settings.

The IP blocklist is account-wide — blocking an IP blocks it from all relay endpoints across all your agents. This is checked on every relay request before the call is forwarded.

Next

Learn how relay endpoints route protocol-native requests to your agent. See Protocol relay and routing →