Getting Started

Some options are still at the design stage (2026-05-15)

The HITL approval polling flow and the HMAC signature enforcement mode (pak_secret, X-Panopticon-Signature) are not yet implemented in the logi server. Even if the toggles appear in the console, they are only saved — the enforcement does not run. For detailed progress, see the status table on the policies page.

Let's attach Panopticon to a single application in 5 minutes.

Prerequisites

• One OAuth application registered in the logi console (start.1pass.dev/developer)
• The application's client_id
• curl or an equivalent HTTP client

1. Enable Panopticon in the console

1. Sign in at start.1pass.dev/developer.
2. Select the application → click the Panopticon tab.
3. Turn the Enable toggle ON.
4. Click Issue PAK → a key in the form pano_pak_... is shown only once.

⚠️ The PAK is shown only once, at issue time. Store it immediately somewhere safe (for example, 1Password, Doppler, or a Render env). If you lose it, just rotate and issue a new key.

Options:

• Enforce HMAC signing 🔬 (design stage): when enabled, a pak_secret is issued and the X-Panopticon-Signature header becomes required on every trace request (planned). For now, the console toggle is shown, but the logi server only verifies the PAK hash (details).

2. Send your first trace

The simplest form:

curl -X POST https://api.1pass.dev/panopticon/trace \
  -H "Authorization: Bearer pano_pak_YOUR_PAK_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "event_id": "550e8400-e29b-41d4-a716-446655440000",
    "client_id": "logi_f31b6962aef3",
    "tool": "hello",
    "scope_used": "agent:read",
    "status": "ok",
    "started_at": "2026-05-09T10:11:12Z",
    "duration_ms": 12
  }'

Expected response:

HTTP/1.1 202 Accepted
{"event_id":"550e8400-e29b-41d4-a716-446655440000","status":"accepted"}

If you send the same event_id again:

HTTP/1.1 200 OK
{"event_id":"550e8400-e29b-41d4-a716-446655440000","status":"duplicate"}

→ Idempotency guaranteed. Resending is safe.

3. Check it in the console

start.1pass.dev/panopticon → select the application → the trace you just sent appears in the Activity Timeline tab.

The Live Trace tab streams in real time over an ActionCable channel.

4. Integrate into your RP

In a personal-mcp or agent RP, fire the trace asynchronously after handling a tool call:

# Python example (FastMCP, etc.)
import httpx, uuid
from datetime import datetime, timezone

async def emit_trace(tool_name, scope, status, duration_ms, user_sub=None):
    payload = {
        "event_id": str(uuid.uuid4()),
        "client_id": CLIENT_ID,
        "tool": tool_name,
        "scope_used": scope,
        "status": status,
        "started_at": datetime.now(timezone.utc).isoformat(),
        "duration_ms": duration_ms,
        "user_sub": user_sub,
    }
    async with httpx.AsyncClient(timeout=2.0) as client:
        # fire-and-forget; the tool call itself still completes normally even on failure
        try:
            await client.post(
                f"{LOGI_URL}/panopticon/trace",
                headers={"Authorization": f"Bearer {PANOPTICON_PAK}"},
                json=payload,
            )
        except Exception:
            pass  # recommended: buffer locally and resend

5. View usage aggregates

The console Usage tab, or the CLI:

logi panopticon usage <client_id> --since 2026-05-01

It shows, per application × date, the daily trace count, error count, HITL request count, and kill-switch count.

Next

• Trace API Reference — payload schema, HMAC mode, error codes
• Policy Configuration — enabling AI Guard policies