Skip to main content

Agent Cases

An agent case is a temporary read grant. It serves the owner's memories as Markdown through a tokenized URL.

The holder does not need a toda account or API key.

Minting

POST /agent-cases
Authorization: Bearer <session token>

{ "expiresInMinutes": 15, "maxReads": 1 }
{
"id": "...",
"url": "https://api.toda.io/agent-cases/toda_case_a3f1...",
"expiresAt": "2026-07-08T12:15:00.000Z",
"maxReads": 1,
"remainingReads": 1,
"memoryCount": 37,
"revokedPreviousCount": 1
}
ParameterDefaultRange
expiresInMinutes151 to 1440
maxReads1 in the extension, 3 in the API1 to 10

Minting a case revokes every other active case for the same owner. One wallet can have one active read grant.

Token storage

Case tokens contain 32 random bytes and use the toda_case_ prefix.

Only the SHA-256 hash is stored. The URL cannot be reconstructed from the database.

The URL is a credential. Anyone with it can consume the remaining reads until it expires or is revoked.

Consumption

GET /agent-cases/toda_case_a3f1...

The endpoint is unauthenticated because the token provides authorization. A valid request atomically increments the read count and returns text/markdown.

Unknown, expired, revoked, and fully consumed tokens return the same 404 response.

Cache-Control: no-store, max-age=0
Pragma: no-cache
X-Robots-Tag: noindex, nofollow, noarchive

Document format

The Markdown document includes:

  • generation and expiry times
  • owner address
  • read count
  • memory index
  • content and source metadata
  • anchor status and leaf hash

Memory bodies are fenced as text. The fence length is computed from the content so embedded backticks cannot close it.

The document also states that memory content is data, not instructions. This reduces prompt-injection risk but does not eliminate it.

Scope

Cases currently include the owner's full memory set. The stored scope field is reserved for future subset grants.

Management

GET /agent-cases/:id/status
POST /agent-cases/:id/revoke

Both routes require the owner's session. Management uses the case UUID. Consumption uses the secret token.

Audit log

Every read attempt records its status, timestamp, user agent, and a hash of the first forwarded IP address. Raw IP addresses are not stored.

Security

RiskControl
URL exposureShort expiry and read cap
Token enumeration32 random bytes
Database readOnly token hashes are stored
Indexingnoindex and no-store headers
Malicious memory contentInstruction preamble and text fencing

Do not include untrusted memory in a case used by a privileged agent.

Next: Memory Drops.