[{"data":1,"prerenderedAt":1007},["ShallowReactive",2],{"navigation":3,"/reference/escapes-config":145,"/reference/escapes-config-surround":1002},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":120,"body":147,"description":996,"extension":997,"links":998,"meta":999,"navigation":200,"path":121,"seo":1000,"stem":122,"__hash__":1001},"docs/5.reference/5.escapes-config.md",{"type":148,"value":149,"toc":986},"minimark",[150,155,167,172,311,315,320,417,423,509,525,531,568,571,575,660,664,667,841,982],[151,152,154],"h1",{"id":153},"escapes-configuration","escapes Configuration",[156,157,158,159,162,163,166],"p",{},"The ",[160,161,65],"code",{}," binary reads its configuration from ",[160,164,165],{},"/etc/openape/config.toml",". This file must be owned by root with restricted permissions.",[168,169,171],"h2",{"id":170},"complete-example","Complete Example",[173,174,179],"pre",{"className":175,"code":176,"language":177,"meta":178,"style":178},"language-toml shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Hostname for target_host verification (default: system hostname)\nhost = \"prod-server.example.com\"\n\n# User to run commands as (default: root)\nrun_as = \"root\"\n\n# Audit log location\naudit_log = \"/var/log/openape/audit.log\"\n\n[security]\n# REQUIRED: only accept JWTs from these issuers\nallowed_issuers = [\"https://id.example.com\"]\n\n# REQUIRED: only accept approvals from these identities\nallowed_approvers = [\"admin@example.com\", \"ops-team@example.com\"]\n\n# Allowed JWT audiences (default: [\"escapes\"])\nallowed_audiences = [\"escapes\"]\n\n[tls]\n# Custom CA bundle for IdP certificate verification\nca_bundle = \"/etc/ssl/certs/ca-certificates.crt\"\n","toml","",[160,180,181,189,195,202,208,214,219,225,231,236,242,248,254,259,265,271,276,282,288,293,299,305],{"__ignoreMap":178},[182,183,186],"span",{"class":184,"line":185},"line",1,[182,187,188],{},"# Hostname for target_host verification (default: system hostname)\n",[182,190,192],{"class":184,"line":191},2,[182,193,194],{},"host = \"prod-server.example.com\"\n",[182,196,198],{"class":184,"line":197},3,[182,199,201],{"emptyLinePlaceholder":200},true,"\n",[182,203,205],{"class":184,"line":204},4,[182,206,207],{},"# User to run commands as (default: root)\n",[182,209,211],{"class":184,"line":210},5,[182,212,213],{},"run_as = \"root\"\n",[182,215,217],{"class":184,"line":216},6,[182,218,201],{"emptyLinePlaceholder":200},[182,220,222],{"class":184,"line":221},7,[182,223,224],{},"# Audit log location\n",[182,226,228],{"class":184,"line":227},8,[182,229,230],{},"audit_log = \"/var/log/openape/audit.log\"\n",[182,232,234],{"class":184,"line":233},9,[182,235,201],{"emptyLinePlaceholder":200},[182,237,239],{"class":184,"line":238},10,[182,240,241],{},"[security]\n",[182,243,245],{"class":184,"line":244},11,[182,246,247],{},"# REQUIRED: only accept JWTs from these issuers\n",[182,249,251],{"class":184,"line":250},12,[182,252,253],{},"allowed_issuers = [\"https://id.example.com\"]\n",[182,255,257],{"class":184,"line":256},13,[182,258,201],{"emptyLinePlaceholder":200},[182,260,262],{"class":184,"line":261},14,[182,263,264],{},"# REQUIRED: only accept approvals from these identities\n",[182,266,268],{"class":184,"line":267},15,[182,269,270],{},"allowed_approvers = [\"admin@example.com\", \"ops-team@example.com\"]\n",[182,272,274],{"class":184,"line":273},16,[182,275,201],{"emptyLinePlaceholder":200},[182,277,279],{"class":184,"line":278},17,[182,280,281],{},"# Allowed JWT audiences (default: [\"escapes\"])\n",[182,283,285],{"class":184,"line":284},18,[182,286,287],{},"allowed_audiences = [\"escapes\"]\n",[182,289,291],{"class":184,"line":290},19,[182,292,201],{"emptyLinePlaceholder":200},[182,294,296],{"class":184,"line":295},20,[182,297,298],{},"[tls]\n",[182,300,302],{"class":184,"line":301},21,[182,303,304],{},"# Custom CA bundle for IdP certificate verification\n",[182,306,308],{"class":184,"line":307},22,[182,309,310],{},"ca_bundle = \"/etc/ssl/certs/ca-certificates.crt\"\n",[168,312,314],{"id":313},"fields","Fields",[316,317,319],"h3",{"id":318},"top-level","Top-Level",[321,322,323,345],"table",{},[324,325,326],"thead",{},[327,328,329,333,336,339,342],"tr",{},[330,331,332],"th",{},"Field",[330,334,335],{},"Type",[330,337,338],{},"Required",[330,340,341],{},"Default",[330,343,344],{},"Description",[346,347,348,374,396],"tbody",{},[327,349,350,356,361,364,367],{},[351,352,353],"td",{},[160,354,355],{},"host",[351,357,358],{},[160,359,360],{},"string",[351,362,363],{},"No",[351,365,366],{},"System hostname",[351,368,369,370,373],{},"Override hostname for ",[160,371,372],{},"target_host"," claim verification",[327,375,376,381,385,388,393],{},[351,377,378],{},[160,379,380],{},"run_as",[351,382,383],{},[160,384,360],{},[351,386,387],{},"Yes",[351,389,390],{},[160,391,392],{},"\"root\"",[351,394,395],{},"Default user to execute commands as",[327,397,398,403,407,409,414],{},[351,399,400],{},[160,401,402],{},"audit_log",[351,404,405],{},[160,406,360],{},[351,408,387],{},[351,410,411],{},[160,412,413],{},"\"/var/log/openape/audit.log\"",[351,415,416],{},"Path for JSONL audit log",[316,418,420],{"id":419},"security",[160,421,422],{},"[security]",[321,424,425,439],{},[324,426,427],{},[327,428,429,431,433,435,437],{},[330,430,332],{},[330,432,335],{},[330,434,338],{},[330,436,341],{},[330,438,344],{},[346,440,441,464,484],{},[327,442,443,448,453,458,461],{},[351,444,445],{},[160,446,447],{},"allowed_issuers",[351,449,450],{},[160,451,452],{},"string[]",[351,454,455],{},[456,457,387],"strong",{},[351,459,460],{},"—",[351,462,463],{},"Trusted JWT issuer URLs. Must be non-empty.",[327,465,466,471,475,479,481],{},[351,467,468],{},[160,469,470],{},"allowed_approvers",[351,472,473],{},[160,474,452],{},[351,476,477],{},[456,478,387],{},[351,480,460],{},[351,482,483],{},"Trusted approver identities. Must be non-empty.",[327,485,486,491,495,497,502],{},[351,487,488],{},[160,489,490],{},"allowed_audiences",[351,492,493],{},[160,494,452],{},[351,496,363],{},[351,498,499],{},[160,500,501],{},"[\"escapes\"]",[351,503,504,505,508],{},"Accepted ",[160,506,507],{},"aud"," claim values",[510,511,513],"callout",{"type":512},"warning",[156,514,515,516,518,519,521,522,524],{},"Both ",[160,517,447],{}," and ",[160,520,470],{}," are required and must contain at least one entry. ",[160,523,65],{}," will refuse to start with an empty security configuration.",[316,526,528],{"id":527},"tls",[160,529,530],{},"[tls]",[321,532,533,547],{},[324,534,535],{},[327,536,537,539,541,543,545],{},[330,538,332],{},[330,540,335],{},[330,542,338],{},[330,544,341],{},[330,546,344],{},[346,548,549],{},[327,550,551,556,560,562,565],{},[351,552,553],{},[160,554,555],{},"ca_bundle",[351,557,558],{},[160,559,360],{},[351,561,363],{},[351,563,564],{},"System default",[351,566,567],{},"Custom CA certificate bundle path",[156,569,570],{},"Use this when your IdP uses a certificate from a private CA or when the system CA store doesn't include your IdP's certificate.",[168,572,574],{"id":573},"file-permissions","File Permissions",[173,576,580],{"className":577,"code":578,"language":579,"meta":178,"style":178},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Config must be root-owned\nsudo chown root:root /etc/openape/config.toml\nsudo chmod 644 /etc/openape/config.toml\n\n# Audit log directory must be root-writable\nsudo mkdir -p /var/log/openape\nsudo chown root:root /var/log/openape\nsudo chmod 755 /var/log/openape\n","bash",[160,581,582,588,604,617,621,626,639,649],{"__ignoreMap":178},[182,583,584],{"class":184,"line":185},[182,585,587],{"class":586},"sHwdD","# Config must be root-owned\n",[182,589,590,594,598,601],{"class":184,"line":191},[182,591,593],{"class":592},"sBMFI","sudo",[182,595,597],{"class":596},"sfazB"," chown",[182,599,600],{"class":596}," root:root",[182,602,603],{"class":596}," /etc/openape/config.toml\n",[182,605,606,608,611,615],{"class":184,"line":197},[182,607,593],{"class":592},[182,609,610],{"class":596}," chmod",[182,612,614],{"class":613},"sbssI"," 644",[182,616,603],{"class":596},[182,618,619],{"class":184,"line":204},[182,620,201],{"emptyLinePlaceholder":200},[182,622,623],{"class":184,"line":210},[182,624,625],{"class":586},"# Audit log directory must be root-writable\n",[182,627,628,630,633,636],{"class":184,"line":216},[182,629,593],{"class":592},[182,631,632],{"class":596}," mkdir",[182,634,635],{"class":596}," -p",[182,637,638],{"class":596}," /var/log/openape\n",[182,640,641,643,645,647],{"class":184,"line":221},[182,642,593],{"class":592},[182,644,597],{"class":596},[182,646,600],{"class":596},[182,648,638],{"class":596},[182,650,651,653,655,658],{"class":184,"line":227},[182,652,593],{"class":592},[182,654,610],{"class":596},[182,656,657],{"class":613}," 755",[182,659,638],{"class":596},[168,661,663],{"id":662},"audit-log-format","Audit Log Format",[156,665,666],{},"Each entry is a single JSON line:",[173,668,672],{"className":669,"code":670,"language":671,"meta":178,"style":178},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\"timestamp\":\"2025-01-15T10:30:00Z\",\"grant_id\":\"abc123\",\"command\":[\"systemctl\",\"restart\",\"nginx\"],\"requester\":\"agent+deploy@example.com\",\"approver\":\"admin@example.com\",\"result\":\"success\",\"exit_code\":0,\"duration_ms\":1234}\n","json",[160,673,674],{"__ignoreMap":178},[182,675,676,680,683,687,689,692,694,697,699,702,704,707,709,711,713,716,718,720,722,725,727,730,732,735,737,739,741,744,746,748,750,753,755,758,760,763,765,767,769,772,774,776,778,781,783,785,787,790,792,794,796,799,801,803,805,808,810,812,814,817,819,821,824,826,828,831,833,835,838],{"class":184,"line":185},[182,677,679],{"class":678},"sMK4o","{",[182,681,682],{"class":678},"\"",[182,684,686],{"class":685},"spNyl","timestamp",[182,688,682],{"class":678},[182,690,691],{"class":678},":",[182,693,682],{"class":678},[182,695,696],{"class":596},"2025-01-15T10:30:00Z",[182,698,682],{"class":678},[182,700,701],{"class":678},",",[182,703,682],{"class":678},[182,705,706],{"class":685},"grant_id",[182,708,682],{"class":678},[182,710,691],{"class":678},[182,712,682],{"class":678},[182,714,715],{"class":596},"abc123",[182,717,682],{"class":678},[182,719,701],{"class":678},[182,721,682],{"class":678},[182,723,724],{"class":685},"command",[182,726,682],{"class":678},[182,728,729],{"class":678},":[",[182,731,682],{"class":678},[182,733,734],{"class":596},"systemctl",[182,736,682],{"class":678},[182,738,701],{"class":678},[182,740,682],{"class":678},[182,742,743],{"class":596},"restart",[182,745,682],{"class":678},[182,747,701],{"class":678},[182,749,682],{"class":678},[182,751,752],{"class":596},"nginx",[182,754,682],{"class":678},[182,756,757],{"class":678},"],",[182,759,682],{"class":678},[182,761,762],{"class":685},"requester",[182,764,682],{"class":678},[182,766,691],{"class":678},[182,768,682],{"class":678},[182,770,771],{"class":596},"agent+deploy@example.com",[182,773,682],{"class":678},[182,775,701],{"class":678},[182,777,682],{"class":678},[182,779,780],{"class":685},"approver",[182,782,682],{"class":678},[182,784,691],{"class":678},[182,786,682],{"class":678},[182,788,789],{"class":596},"admin@example.com",[182,791,682],{"class":678},[182,793,701],{"class":678},[182,795,682],{"class":678},[182,797,798],{"class":685},"result",[182,800,682],{"class":678},[182,802,691],{"class":678},[182,804,682],{"class":678},[182,806,807],{"class":596},"success",[182,809,682],{"class":678},[182,811,701],{"class":678},[182,813,682],{"class":678},[182,815,816],{"class":685},"exit_code",[182,818,682],{"class":678},[182,820,691],{"class":678},[182,822,823],{"class":613},"0",[182,825,701],{"class":678},[182,827,682],{"class":678},[182,829,830],{"class":685},"duration_ms",[182,832,682],{"class":678},[182,834,691],{"class":678},[182,836,837],{"class":613},"1234",[182,839,840],{"class":678},"}\n",[321,842,843,853],{},[324,844,845],{},[327,846,847,849,851],{},[330,848,332],{},[330,850,335],{},[330,852,344],{},[346,854,855,868,881,894,907,920,941,955,968],{},[327,856,857,861,865],{},[351,858,859],{},[160,860,686],{},[351,862,863],{},[160,864,360],{},[351,866,867],{},"ISO 8601 timestamp",[327,869,870,874,878],{},[351,871,872],{},[160,873,706],{},[351,875,876],{},[160,877,360],{},[351,879,880],{},"Grant UUID",[327,882,883,887,891],{},[351,884,885],{},[160,886,724],{},[351,888,889],{},[160,890,452],{},[351,892,893],{},"Executed command",[327,895,896,900,904],{},[351,897,898],{},[160,899,762],{},[351,901,902],{},[160,903,360],{},[351,905,906],{},"Agent email",[327,908,909,913,917],{},[351,910,911],{},[160,912,780],{},[351,914,915],{},[160,916,360],{},[351,918,919],{},"Who approved",[327,921,922,926,930],{},[351,923,924],{},[160,925,798],{},[351,927,928],{},[160,929,360],{},[351,931,932,934,935,934,938],{},[160,933,807],{},", ",[160,936,937],{},"verification_failed",[160,939,940],{},"exec_failed",[327,942,943,947,952],{},[351,944,945],{},[160,946,816],{},[351,948,949],{},[160,950,951],{},"number",[351,953,954],{},"Command exit code (0 = success)",[327,956,957,961,965],{},[351,958,959],{},[160,960,830],{},[351,962,963],{},[160,964,951],{},[351,966,967],{},"Execution time",[327,969,970,975,979],{},[351,971,972],{},[160,973,974],{},"error",[351,976,977],{},[160,978,360],{},[351,980,981],{},"Error message (on failure)",[983,984,985],"style",{},"html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}",{"title":178,"searchDepth":197,"depth":191,"links":987},[988,989,994,995],{"id":170,"depth":191,"text":171},{"id":313,"depth":191,"text":314,"children":990},[991,992,993],{"id":318,"depth":197,"text":319},{"id":419,"depth":197,"text":422},{"id":527,"depth":197,"text":530},{"id":573,"depth":191,"text":574},{"id":662,"depth":191,"text":663},"Configuration reference for /etc/openape/config.toml.","md",null,{},{"title":120,"description":996},"8PC9764whBYajW-dZCDg7902qY7jYgMKuJDGGEbqqE8",[1003,1005],{"title":116,"path":117,"stem":118,"description":1004,"children":-1},"Complete API reference for IdP and SP endpoints.",{"title":124,"path":125,"stem":126,"description":1006,"children":-1},"TOML configuration reference for the OpenApe agent proxy.",1774221117377]