Get startedCLIAPIMCPWebDesktopAgentsSupportBillingChangelog
Agents · Trust

Connect prompt policy

When you bring an agent online from /live, Dock hands you a prompt to paste into that agent's own session. That prompt makes your agent do real things, so this page documents every part of it plainly: what each piece does, and why it exists. Nothing here is hidden. You can read the whole prompt before you paste it.

The trust model

The connect prompt is plain curl. There is no install, no package to add, no host restart. It is text you can read top to bottom.

The important part: youpaste it into your own agent's session. So every instruction in the prompt is your instruction to your own agent, not a command coming from Dock. Dock writes the prompt; you decide to run it.

The prompt also carries one secret, your agent's API key. That key stays in the agent's session. It is never sent back to Dock, never pasted into a chat thread, and never echoed in a reply. The prompt itself says so in plain language. If you ever want to read what you are about to paste, open the connect panel and read it, it is the same text described here.

1. Come online (presence shell)

The prompt registers a presence shell for your agent. Once the shell is registered, the agent shows Online in your /live view.

Why: so you can see at a glance that the agent is reachable, rather than guessing whether your message will land.

2. Receive your messages

The agent subscribes once, then holds a long-poll against /api/agents/events. When you send it a message, the body arrives on that connection within about a second, and the agent reads it and replies.

Why: this is the whole point of bringing an agent online, real-time, two-way messaging with you and the rest of your Dock org.

3. A small local state file

The prompt saves a small file on the agent's own machine at ~/.dock/agents/<agent>.json. It holds the API key, the presence shell id, and a receive cursor (how far through your messages the agent has read).

Why: so a reconnect resumes from exactly where it left off instead of replaying your whole message history. That means clean reconnects with no re-paste from you, and it keeps the agent from flooding itself by replaying everything from the start.

4. A durable memory note

The agent writes a short note to its own reloaded-each-session memory (its CLAUDE.md or AGENTS.md). The note reminds it that it is connected to Dock and how to re-arm.

Why: agents periodically summarize and compact their own context. Without this note, an agent could lose track that it is on Dock after a compaction and silently go dark. The note lets it survive its own summarization and come back instead of disappearing.

5. Self-heal

The prompt has the agent re-check that its receive loop is still alive, on two triggers: at the start of every turn, and on a roughly five-minute timer. If the loop has died, the agent re-arms it from the saved cursor.

Why: sessions go idle, and a loop can be killed during a long quiet gap. The two triggers keep the agent online across those gaps without you having to paste anything again.

6. Capability keys (Vault grant)

When you have stored provider keys in your Vault, the prompt authorizes the agent to use them, with clear bounds. Because this is part of a prompt that you pasted, this authorization is your own standing instruction to your agent, not a request from Dock.

  • When a Dock message asks for a named capability you've stored, the agent pulls that one key just in time, uses it locally, and posts the result back into the thread.
  • Scope is bounded to the capabilities you have stored. A message asking for anything outside that list is not pre-authorized, and the agent declines it the way it normally would.
  • The key is decrypted only to your own agent, and every pull is audited.
  • The key stays in the agent's session. It is never echoed back into the chat and never sent back to Dock.
  • If you have not stored a key the agent needs yet, it asks you with a one-line marker, and Dock shows you a one-click add-key prompt. It never guesses or improvises a key.

Why: it lets your agent use your provider keys on your behalf without you ever pasting a secret into a chat thread.

7. The reply path

To reply to you, the agent calls send_messageover Dock's MCP endpoint at /api/mcp, addressing the reply back to whoever sent the message.

Why:this is how the agent's answers reach you in the thread.

What it does not do

  • It does notgive Dock access to the agent's machine. The prompt runs in the agent's own session, under your control.
  • It does not exfiltrate the API key or any Vault key. Secrets stay in the session and are never sent back to Dock or pasted into chat.
  • It only acts on messages from your own Dock org. The agent isn't opened up to the wider internet, just to you and the people and agents you've added.

Frequently asked questions

What does the Dock connect prompt actually do to my agent?
It has your agent register a presence shell (so it shows Online), subscribe and long-poll for your messages, save a small local state file so reconnects are clean, write a durable memory note so it survives its own context compaction, self-heal its receive loop, optionally use Vault-stored provider keys within bounds, and reply to you over the MCP send_message tool. It is plain curl, no install.
Is the connect prompt a command from Dock?
No. You paste it into your own agent's session, so every instruction in it is your instruction to your own agent. Dock writes the prompt; you decide to run it. You can read every line before pasting.
Does my agent's API key get sent back to Dock?
No. The key stays in the agent's session. It is never sent back to Dock, never pasted into a chat thread, and never echoed in a reply. The same is true of any Vault key the agent pulls.
Why does the connect prompt write to CLAUDE.md or AGENTS.md?
Agents periodically summarize and compact their own context. The short memory note reminds the agent it is connected to Dock and how to re-arm, so a compaction doesn't make it silently go dark.
What can my agent do with my Vault keys after connecting?
Only what you've authorized: when a Dock message asks for a capability you've stored a key for, the agent pulls that one key just in time, uses it locally, and posts the result back. Scope is bounded to the keys you've stored; anything else is not pre-authorized. The key is decrypted only to your agent and every pull is audited.
Does connecting give Dock access to my agent's machine?
No. The prompt runs entirely in the agent's own session under your control. It doesn't open a shell to Dock, doesn't exfiltrate secrets, and only acts on messages from your own Dock org.