Security Best Practices
Essential security guidance for building safe and reliable workflows
Principle of Least Privilege
Limit API Access
Only grant API keys and tokens with the minimum scopes needed. For example, if an agent only needs to read data, don't give it write permissions.
Restrict File System Access
When agents need file access, limit them to specific directories. Never grant full system access unless absolutely necessary.
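The check below is an added example, not part of the original page and not the platform's own code. It shows one way to confine an agent's file requests to an allowlist of directories, resolving `..` segments and symlinks before comparing. The function name `resolve_within` and the `workspace`/`secrets` directory layout are hypothetical, and the sample tree is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path


def resolve_within(allowed_dirs, requested):
    """Return the fully resolved path if it lies inside an allowed directory."""
    roots = [Path(d).resolve(strict=True) for d in allowed_dirs]
    candidate = Path(requested)
    if not candidate.is_absolute():
        candidate = roots[0] / candidate  # assumption: relative paths start at the first root
    real = candidate.resolve(strict=False)  # follows symlinks; target may not exist yet
    for root in roots:
        if real == root or root in real.parents:
            return real
    raise PermissionError(f"{requested!r} resolves outside the allowed directories")


def demo():
    """Run constructed requests against a temporary tree; return label -> decision."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        workspace, secrets = Path(tmp, "workspace"), Path(tmp, "secrets")
        workspace.mkdir()
        secrets.mkdir()
        (workspace / "report.txt").write_text("ok")
        (secrets / "token.txt").write_text("constructed-value")
        os.symlink(secrets, workspace / "link")  # symlink leading out of the workspace
        requests = {
            "plain file": "report.txt",
            "new file inside": "new/output.csv",
            "dot-dot traversal": "../secrets/token.txt",
            "symlink escape": "link/token.txt",
            "absolute outside": str(secrets / "token.txt"),
        }
        for label, path in requests.items():
            try:
                resolve_within([workspace], path)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

Open the path the function returns rather than the original string. The check does not stop a symlink being swapped in between check and use, so treat it as a layer on top of OS-level confinement, not a replacement for it.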
Use Service Accounts
Create dedicated service accounts for automated workflows with limited permissions, rather than using personal accounts with broad access.
Review AI Output Before Use
Review Generated Code
If your workflow generates code, scripts, or configuration files, have a human review them before execution. This prevents malicious or incorrect code from running in your systems.
Validate Data Modifications
When AI modifies databases, files, or other data, implement approval workflows for significant changes. Consider requiring human approval for deletions or modifications to production data.
Check External Communications
Review AI-generated emails, messages, or API calls before they're sent, especially when they involve external parties or sensitive information.
Additional Security Practices
Secure Credential Storage
Never hardcode API keys, passwords, or tokens in your workflows. Use secure credential management systems and environment variables.
Implement Rate Limiting
Add rate limits to prevent abuse and protect your workflows from excessive API calls or resource consumption.
Monitor and Log Activities
Enable logging for all agentic actions and regularly review logs to detect unusual patterns or potential security issues.
Validate Input Data
Always validate and sanitize input data before processing. This prevents injection attacks and ensures data integrity.
Use Authentication and Authorization
Protect your workflows with proper authentication. Only authorized users should be able to execute or modify workflows.
Data Protection
Encrypt Sensitive Data
Use encryption for sensitive data both in transit and at rest. The platform automatically encrypts data in transit using HTTPS, and sensitive credentials are encrypted at rest.
Minimize Data Exposure
Only include the minimum amount of data necessary in workflow outputs. Avoid exposing sensitive information in logs, error messages, or public outputs.
Implement Data Retention Policies
Configure data retention policies to automatically delete or archive old data according to your compliance requirements.
Access Control
Use Access Levels
Configure appropriate access levels for your published apps: Private (only you), Team (your organization), Authenticated (logged-in users), or Public (anyone with the URL).
Implement IP Restrictions
For sensitive applications, restrict access to specific IP addresses or IP ranges (CIDR blocks). This adds an extra layer of security.
Use Region-Based Access Limits
Restrict access to your published apps by geographic region. This helps with compliance requirements and can prevent unauthorized access from specific regions.
Require Authentication
For applications handling sensitive data, require users to authenticate before accessing. Use API keys, bearer tokens, or OAuth as appropriate.
Compliance and Auditing
Enable Audit Logging
Keep detailed logs of all security-relevant events, including authentication attempts, access to sensitive data, and configuration changes.
Regular Security Reviews
Periodically review your workflows and applications for security vulnerabilities. Check access logs, review permissions, and update security configurations as needed.
Data Privacy Compliance
Ensure your workflows comply with data privacy regulations such as GDPR, CCPA, and other applicable laws. Implement data minimization, user consent mechanisms, and data deletion capabilities.