Deployment Tiers - Char

Char now uses a unified embed auth model across tiers: publishable key required, optional ID token for end-user identity.

Tier 0: Key-only embed

Use a publishable key without per-user ID tokens:

<char-agent publishable-key="pk_live_..."></char-agent>

What you get:

Fastest integration path
Org-scoped runtime and ticket flow
No IDP dependency

Tradeoff:

User identity is synthetic (not mapped to your IDP users)

Tier 1: Key + ID token (recommended production)

Pass user identity with connect():

agent.connect({
  publishableKey: "pk_live_...",
  idToken,
});

What you get:

Per-user identity from your IDP
Cross-app/tooling flows tied to real users
Better auditability and access control alignment

Tier 2: Enterprise governance

Adds governance controls on top of Tier 1:

Policy checks
Approval flows
Audit workflows
Enterprise connectors

Migration path

Start at key-only (publishable-key)
Add IDP configuration and pass idToken
Add governance controls as requirements mature

All tiers use the same core embed contract: publishable key required, optional ID token for per-user identity.

ArchitectureHow Char's security model works and why it's designed this way

Tier 0: Key-only embed
Tier 1: Key + ID token (recommended production)
Tier 2: Enterprise governance
Migration path