How does okoro work?
When an agent runs a skill, it sends your OKORO_SERVICE_TOKEN to the okoro tokenizer to request a short-lived operation token. The tokenizer checks that your service token has the required scope, then issues a JWT scoped to that single operation.
The agent uses the operation token to call the okoro proxy (e.g. okoro.ai/p/trello/...). The proxy validates the token, signs the request with the real service credentials (OAuth 1.0a for Trello, API keys for others), forwards it to the third-party API, and writes an audit entry.
Your Trello credentials — or any other service credentials — never leave okoro’s infrastructure. The agent only ever holds short-lived, scoped tokens.
Where do I get a service token?
Service tokens are created in the okoro dashboard at okoro.ai. Sign in, go to Dashboard → Service tokens, and create a new token scoped to the services and permission levels your skill needs.
What is a service token vs an operation token?
A service token (svc_...) is a long-lived credential you create once and store in your environment. It identifies your account and defines the maximum permissions any agent session can request.
An operation token is short-lived (minutes) and is automatically fetched by the skill at runtime. It is scoped to one specific action and intent. Skills cache it and reuse it until it expires — you never manage operation tokens manually.
Do my third-party credentials ever reach my agent?
No. You configure service credentials (Trello OAuth, Notion API key, etc.) in the okoro dashboard, not in your agent environment. The agent only holds OKORO_SERVICE_TOKEN. The proxy handles all credential signing internally.
What is the intent field used for?
Every operation token is issued with an intent — a short description of why the agent is making the call (e.g. "check todo items on project board"). The intent is embedded in the token and recorded in the audit log for every proxy request.
This lets you detect agents acting outside their stated purpose. If an agent was told to read a board but starts deleting cards, the audit log captures both the stated intent and the actual action.
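The review described above can be automated. This is an added example, not okoro's own code: it flags audit entries where the HTTP method goes beyond what the stated intent covers. The entry fields (`ts`, `intent`, `method`, `path`), the sample lines and the verb lists are assumptions for illustration; the page does not document the real audit log format.

```python
import json
import re

# Constructed sample entries. Field names are assumptions, not okoro's schema.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:00Z", "intent": "check todo items on project board", "method": "GET", "path": "/p/trello/boards/BOARD_ID/cards"}
{"ts": "2024-05-01T10:02:00Z", "intent": "create card for release checklist", "method": "POST", "path": "/p/trello/cards"}
{"ts": "2024-05-01T10:03:00Z", "intent": "check todo items on project board", "method": "DELETE", "path": "/p/trello/cards/CARD_ID"}
{"ts": "2024-05-01T10:04:00Z", "intent": "sync board", "method": "PUT", "path": "/p/trello/cards/CARD_ID"}
"""

LEVEL_NAME = ["read", "write", "delete"]
# What a request actually does, ranked by HTTP method.
METHOD_LEVEL = {"GET": 0, "HEAD": 0, "POST": 1, "PUT": 1, "PATCH": 1, "DELETE": 2}
# Heuristic verb lists (assumed): the highest action level an intent covers.
INTENT_VERBS = {
    0: {"check", "read", "list", "view", "find", "summarize"},
    1: {"create", "add", "update", "move", "rename", "comment"},
    2: {"delete", "remove", "archive"},
}

def intent_level(intent):
    """Highest level implied by the intent text, or None if no verb matches."""
    words = set(re.findall(r"[a-z]+", intent.lower()))
    levels = [lvl for lvl, verbs in INTENT_VERBS.items() if words & verbs]
    return max(levels) if levels else None

def find_mismatches(log_text):
    """Return entries whose action exceeds what the stated intent covers."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        # Unknown methods are treated as the most destructive level.
        actual = METHOD_LEVEL.get(entry["method"].upper(), 2)
        stated = intent_level(entry["intent"])
        # An intent with no recognised verb only justifies read access.
        if actual > (stated if stated is not None else 0):
            findings.append({
                "ts": entry["ts"],
                "stated": "unclassified" if stated is None else LEVEL_NAME[stated],
                "actual": LEVEL_NAME[actual],
                "intent": entry["intent"],
                "request": f'{entry["method"]} {entry["path"]}',
            })
    return findings

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LOG):
        print(f'{f["ts"]} intent={f["intent"]!r} ({f["stated"]}) but {f["request"]} ({f["actual"]})')
```

Keyword matching is only a first-pass filter; entries it marks as unclassified still need a human to read the intent text.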
What happens if my token doesn’t have the right scope?
The tokenizer returns HTTP 403 Forbidden when a skill requests a scope higher than your service token allows. For example, if your token is configured for read only and a skill tries to create a card (write), the request is rejected before it ever reaches Trello.
Can I revoke a token?
Yes. Go to Dashboard → Service tokens in the okoro dashboard and revoke it. This immediately invalidates the service token and all operation tokens derived from it — any in-flight agent session using it will start receiving 401 errors.
Which services are supported?
Trello is available now. More services are coming — follow okoro.ai for updates.