Suspend or reactivate an agent

Suspension is the right move when you want an agent off right now but expect to use it again. It preserves the agent ID, the keypair, the permission matrix, and the audit history — only the status flips.

Suspend

/agents/:id → Suspend.

The agent’s status changes from active to suspended immediately. The next call from that agent comes back denied — the proxy reads status on every request, so there’s no propagation delay.

While suspended:

• Signed JWTs still verify (the keypair is still valid) but the request never reaches a permission check
• The audit log records the denial with reason agent_suspended
• The agent’s MCP server can surface the denial to its user with the suggested next action

You can suspend any active agent from this surface. There’s no confirmation prompt — it’s a reversible action.

Reactivate

Same button location, label switches to Reactivate when the agent is currently suspended.

Status flips back to active. The circuit-breaker failure counter is also reset to zero as part of the reactivation — so an agent that auto-suspended after three failures (see the circuit breaker) gets a clean slate.

When to suspend vs delete

• Suspend — you might want this agent again. Audit history, permissions, keypair all preserved.
• Delete — you never want this agent again. The keypair becomes useless, the audit history stays under the agent ID but the agent no longer appears in lists. See Delete an agent.

When to suspend vs revoke a single permission

• Suspend — take the whole agent offline.
• Revoke a permission — let the agent keep using the platforms/scopes it’s good at, but cut off the one going wrong. See Configure permissions.

What gets audited

Suspension writes agent.suspended to the audit log with you as the actor. Reactivation writes agent.reactivated.

Next

• Configure an agent’s permissions
• Delete an agent
• The auto-suspension safeguard