Why Cloudflare, Agoric, and MetaMask Are Betting on Ocaps

For decades, security models on the web have been bolted on after the fact – access control lists, role-based permissions, patchwork sandboxes. But a different idea has been quietly gaining ground: Object Capabilities (Ocaps).

The principle is simple but profound: a reference is authority. If your code holds a reference to an object, you can use it. If not, you can’t. No global permissions to leak, no brittle ACLs to misconfigure. Authority flows exactly where references flow.

Long a niche in programming language theory, ocaps are now surfacing in real production systems. From Cloudflare’s new RPC library to Agoric’s smart contract platform and MetaMask’s plugin architecture, a growing ecosystem is betting on this model.

Endo & HardenedJS: Security by Design

The Endo project brings object capabilities to JavaScript. It introduces:

• Compartments to confine code execution.
• Lockdown and Harden to make built-ins tamper-proof.
• Eventual Send (E(obj).method()) to stretch object references across workers or networks.

Endo powers Agoric’s smart contracts and MetaMask Snaps, enabling third-party extensions without giving away the keys to the kingdom. By construction, it limits authority to only what code is explicitly granted.

This isn’t just about decentralization or blockchains. It’s also about defending against supply chain attacks, which involve malicious packages sneaking into npm dependencies. With Endo, hardened compartments make that vector far harder to exploit.

Cap’n Web: Cloudflare Joins the Party

This month, Cloudflare unveiled Cap’n Web, a lightweight JavaScript RPC library inspired by Cap’n Proto but designed for the modern web.

• Zero boilerplate: no schemas, just JSON.
• Everywhere: works in browsers, Node.js, and Cloudflare Workers.
• Expressive RPC model: bidirectional calls, passing functions by reference, promise pipelining.
• Capability security: references as the unit of authority.

In other words: Cloudflare has built an RPC library that feels like normal JS, but carries the ocap DNA.

A Growing Ecosystem of Capability Protocols

These projects don’t exist in isolation. They’re converging:

• CapTP (Endo) – the original capability transport protocol for JS.
• OCapN – an emerging standard for capability networking.
• Cap’n Proto / Cap’n Web – high-performance RPC with ocap semantics.

Different implementations, same principle: secure distributed programming through object capabilities. That convergence creates an opportunity for interoperability rather than silos.

Why Now?

Three forces make this the right moment for Ocaps:

1. Secure extensibility: Web apps and wallets need to host third-party plugins without full trust.
2. Supply chain defense: With attacks on the rise, hardened compartments are a compelling mitigation.
3. Better distributed programming: Promise pipelining and reference-by-authority simplify what developers already struggle to do with REST or gRPC.

The result: a security model that also improves developer ergonomics.

Where This Leads

Object Capabilities are no longer just theory. With Cloudflare, Agoric, and MetaMask all adopting them, we’re watching the beginnings of a new distributed programming stack.

Expect to see:

• Standards like OCapN bringing cross-protocol interoperability.
• Shared libraries and developer tooling around capability security.
• A future where granting or revoking authority is as easy as passing or revoking a reference.

Wrapping it up

The rise of Ocaps marks a shift as profound as the adoption of public/private key cryptography decades ago. At the time, it felt esoteric. Now it’s the bedrock of everything online.

With Cloudflare, Agoric, and MetaMask leaning in, Object Capabilities are poised to become the next foundation layer of secure, distributed applications.

Looking to dive deeper into Object Capabilities and Endo? Check out the GitHub repo here.