Kill switch and anomaly detection
Pause any AI agent instantly with the kill switch, and let online rule-based detection flag dormant wakeups, expired credentials and volume spikes without ever blocking legitimate traffic.
An AI agent is software: it can be compromised, misconfigured or simply forgotten. Obexal gives every agent two independent safety nets. The kill switch pauses the agent instantly and reversibly. Online anomaly detection flags suspicious behavior with deterministic rules, and never slows down or blocks a legitimate token.
What the kill switch does
The kill switch is the enabled flag of the agent's governance policy. Setting it to false neutralizes the agent immediately:
- No new tokens, on any grant. The token endpoint refuses
client_credentials, Token Exchange delegation, and alsoauthorization_codeandrefresh_tokenif the agent happens to carry interactive grants. There is no side door. - Tokens in circulation are reported inactive. Introspection (RFC 7662) answers
{"active": false}for both the access tokens and the refresh tokens of a disabled agent, so resource servers that introspect see the revocation immediately. - Every attempt is recorded. Each use attempted while disabled raises a
killed_useanomaly withdangerseverity.
The switch is fail-closed: if the policy store cannot be read, issuance is refused and introspection reports the token inactive, never the opposite.
A resource server that only validates the JWT signature locally keeps accepting an already-issued access token until its exp. Cap maxTokenTtlSeconds in the governance policy to bound that window.
Pause, not delete
Disabling an agent changes nothing but the enabled flag: the TTL cap, the scope ceiling and the audience allowlist are preserved, and so are the client, its secret and its user authorizations. Re-enabling restores the agent exactly as it was, in one click in the console or one API call. Both directions are sensitive actions: the console requires a fresh MFA check, and every toggle is written to the audit log as admin.agent.policy_updated.
curl -sS -X PUT https://accounts.obexal.com/v1/admin/agents/$AGENT_ID/policy \
-H "Authorization: Bearer $OBEXAL_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"enabled": false,
"maxTokenTtlSeconds": 300,
"scopeCeiling": ["tickets:read"],
"allowedAudiences": ["https://api.example.eu"]
}'
# 204 No Content: audited as admin.agent.policy_updatedPUT .../policy replaces the whole policy: resend the existing caps along with enabled: false. The console does this for you.
Online anomaly detection
Detection is rule-based and deterministic, and it runs inline on the token issuance path. It is strictly non-blocking: recording an anomaly is best-effort and never delays or refuses a legitimate token. It applies to AI agents only, meaning clients that carry the client_credentials or Token Exchange grant.
Two rules build a behavioral baseline from the agent's hourly activity. They are evaluated when the agent's activity enters a new hour, over the hour that just ended.
The six rules
| Kind | Severity | Fires when |
|---|---|---|
dormant_wakeup | info | an agent used before, but inactive for more than 30 days, issues a token again (a first ever use is not an anomaly) |
expired_agent | warn | issuance is attempted after the agent's expiry date (the request is refused) |
expired_secret | warn | the agent authenticates with an expired client_secret (the request is refused) |
killed_use | danger | the agent is used despite the kill switch (the request is refused) |
off_hours | warn | once a sufficient activity history exists, the agent issues during an hour of the day (UTC) in which it has never been observed |
volume_spike | warn | the hour that just ended shows a spike well above the agent's usual cadence |
Deduplication and acknowledgement
There is at most one open anomaly per agent and kind in the organization: repeats increment its count and refresh lastSeen instead of flooding the list. Open anomalies also appear as a badge on the agent inventory. Acknowledging an anomaly closes it, and is itself audited as admin.agent.anomaly_acked.
curl -sS https://accounts.obexal.com/v1/admin/agents/anomalies \
-H "Authorization: Bearer $OBEXAL_API_TOKEN"{
"anomalies": [
{
"id": "0d5f0e93-8a43-4a5e-9a3f-2f4f0a7c1d2e",
"clientId": "agent-support-bot",
"agentName": "Support bot",
"kind": "volume_spike",
"severity": "warn",
"detail": {"prevHourCount": 412, "threshold": 96},
"count": 3,
"firstSeen": "2026-07-01T08:00:12Z",
"lastSeen": "2026-07-01T10:00:03Z",
"acknowledged": false
}
]
}curl -sS -X POST https://accounts.obexal.com/v1/admin/agents/anomalies/0d5f0e93-8a43-4a5e-9a3f-2f4f0a7c1d2e/ack \
-H "Authorization: Bearer $OBEXAL_API_TOKEN"
# 204 No ContentAdd ?all=true to include acknowledged anomalies in the list.
Automatic containment on extreme drift
An extreme volume spike triggers containment without waiting for a human. When the hour that just ended shows an extreme spike, far above the agent's usual cadence, Obexal flips the agent's kill switch itself, preserving the other caps, records an auto_contained anomaly with danger severity, and writes an agent.auto_contained audit event. An agent already disabled is left untouched.
This threshold sits deliberately far above the volume_spike warning to keep false positives low. Reactivation is the same one-click operation as after a manual pause. Self-hosted deployments can turn the behavior off with AGENT_AUTO_CONTAINMENT_ENABLED=false (it is on by default), see Configuration.