Security Best Practices.

Recommendations for keeping your agents, data, and integrations secure.

Use BYOK for production

Add your own Anthropic API key in Settings → API Keys. This gives you direct control over API usage, costs, and model selection. Your key is stored in users.preferences.anthropicApiKey and never logged or exposed in responses.

Rotate API keys regularly

Generate new API keys every 90 days. Revoke old keys immediately if you suspect compromise. Each integration (Twilio, Stripe, Google) should use a separate key with the minimum required permissions.

Review agent permissions quarterly

Go to each agent's configuration and review its skills and tool access. Remove skills for integrations you no longer use. An agent with fewer permissions has a smaller blast radius if something goes wrong.

Enable 2FA

Enable two-factor authentication on your Firebase account. This protects the JWT tokens that authorize all API requests. Go to Settings → Security → Two-Factor Authentication.

Monitor pending decisions

Check /dashboard/decisions daily. Unexpected pending decisions — especially for actions you did not initiate — may indicate a prompt injection attempt or misconfigured agent. Reject and investigate before approving.