The Tradeoff Spectrum
At one extreme, you could embed a fully-featured AI agent that requires no setup—just add a script tag with your API key and it works. The limitation: localhost only, no cross-app tools, no organizational features. This is maximum simplicity at the cost of production readiness. At the other extreme, you could require full enterprise integration before the agent does anything—identity provider, policy configuration, approval workflows. The limitation: months of setup before you see value. This is maximum power at the cost of accessibility. Char’s tiers represent different points on this spectrum, letting you start simple and add capabilities incrementally.Tier 0: Anonymous Mode (Development)
What it is: The agent runs with your own API key from localhost, using Durable Objects for persistence without requiring IDP setup. Why it exists: Sometimes you want to validate the embedded agent experience without committing to identity infrastructure. You’re not sure if AI will add value to your application. You want to experiment locally. Tier 0 lets you add Char to a page with minimal friction:- Full persistence. Conversations persist across page refreshes, tied to a localStorage session ID.
- Same streaming and tool calling. All core agent features work identically to production.
- Local WebMCP tools. Tools registered on the current page are available.
- Localhost only. Anonymous mode is restricted to localhost origins for security. It won’t work from production domains.
- No cross-app tools. The agent sees only tools registered on the current page. It can’t invoke tools from other applications.
- No organizational features. No user tracking, no audit logs, no governance controls.
- No external client access. Claude Desktop can’t connect because there’s no Tool Hub.
- User provides API key. You use your own Anthropic API key rather than organization-managed credentials.
Tier 1: Authenticated Mode (Production)
What it is: Adding authentication connects the agent to Char’s backend, creating a per-user Tool Hub that aggregates tools across applications. Why it exists: The value of embedded AI increases dramatically when the agent can work across your application portfolio. But this requires identity—the Hub needs to know who the user is to scope their tools and conversations. Tier 1 requires:- Configuring an identity provider in the Char dashboard
- Passing the user’s ID token (plus your OIDC client ID) to the embedded agent via
connect()
ticketAuth to the agent instead of exposing the ID token in the browser.
The tradeoffs:
- Requires identity infrastructure. You need an IDP that issues ID tokens. For organizations without one, this is a significant prerequisite.
- Network dependency. The agent communicates with Char’s backend. If the backend is unreachable, cross-app features don’t work.
- More moving parts. There’s now a WebSocket connection, a cloud service, and token validation to consider.
Tier 2: Enterprise Governance (Private Beta)
What it is: Adding policy controls, approval workflows, and audit capabilities on top of the Tool Hub. Why it exists: Some organizations operate under regulatory constraints. Every tool invocation might need to be logged. Sensitive operations might require explicit approval. Administrators might need to disable capabilities instantly. Tier 2 is currently in private beta. It layers governance features on top of the Tool Hub, including:- Approval workflows. Require user confirmation before executing sensitive operations.
- Audit trails. Track tool usage and outcomes for compliance review.
- Access control and guardrails (beta). Role entitlements, origin constraints, and policy checks (feature availability varies by program).
- Planned capabilities. Tool classification, kill switches, and remote browser execution are on the roadmap; confirm availability before planning around them.
- Operational overhead. Someone needs to configure policies, classify tools, and review audit logs. This isn’t set-and-forget.
- User friction. Approval workflows add steps to agent interactions. Users might find this intrusive if not calibrated carefully.
- Complexity. More configuration surfaces mean more ways to misconfigure.
Progressive Adoption
The tiers are designed for incremental adoption. Each tier builds on the previous: Tier 0 → Tier 1: Configure an identity provider and pass tokens to the agent viaconnect({ idToken, clientId }). Replace your API key with the user’s ID token. Your existing tools automatically publish to the Tool Hub. No code changes to tools themselves.
Tier 1 → Tier 2: Configure policies in the dashboard. Your existing cross-app workflows gain governance controls. Tools don’t need modification; policy is evaluated at the Hub.
This design means you can validate the experience at Tier 0 (localhost), prove value with cross-app workflows at Tier 1, and add governance when needed—without rewriting tools or restructuring your integration.
How to Decide
| Question | If Yes → |
|---|---|
| Do users have identity (ID tokens)? | Tier 1+ is possible |
| Do you need cross-app workflows? | Tier 1+ required |
| Do you need remote MCP connectors? | Tier 1+ required |
| Do you need Claude Desktop access? | Tier 1+ required |
| Do you have compliance requirements? | Consider Tier 2 |
| Do you need approval workflows? | Tier 2 required |
| Are you developing locally? | Start with Tier 0 |
| Ready for production? | Tier 1+ required |
Architecture Note
All tiers use Cloudflare Durable Objects for persistence. The difference between tiers is not persistence vs. no-persistence—it’s about identity, scope, and governance:- Tier 0: Persistence tied to a localStorage session ID, isolated to localhost
- Tier 1: Persistence tied to user identity (ID token
subclaim), cross-app capable - Tier 2: Same as Tier 1, plus governance controls