Securing Business Actions in production
· 2 min read
Business Actions let Customer AI and Employee AI call your REST APIs during a conversation. Treat every action like production API traffic — not like a demo plugin.
What a Business Action is
| Term | Meaning |
|---|---|
| Business Tool | Connector definition: URL, method, auth, schema |
| Business Action | One runtime invocation of that tool |
Concept page: What are Business Actions?. Broader threat model: AI Agent Security.
Controls that matter in order
- Workspace scope — tools live inside a workspace; do not attach privileged write tools to a public Customer AI workspace without a hard reason.
- Least privilege — start with read-only
GETtools. Add writes only after logging and authz are proven. - Encrypted secrets — store credentials in the Admin Console; never in browser JS or prompts. See Secrets.
- SSRF-aware egress — tool URLs must not become a path to cloud metadata or internal networks.
- Identity forwarding — for customer-facing tools, use widget
identify()so your API authorizes the end user, not only Qefro’s service credential. - Execution logs — review unexpected calls as incidents. See Audit logs.
Prompt injection is a blast-radius problem
No platform can honestly claim “prompt injection solved.” Design for containment:
- Hostile text may appear in user messages and uploaded documents.
- Validate tool arguments on your API, not only in the model prompt.
- Prefer idempotent writes; require human approval for irreversible money movement.
Implementation path
Follow the guide Secure Business Actions, then:
- Connect REST APIs or Import OpenAPI.
- Test the tool in the console before enabling chat invocation.
- Monitor
GET /api/v1/tools/:id/logs(or the console equivalent) during pilot traffic.
When in doubt, ship knowledge-only assistants first. Actions can wait until retrieval quality and isolation are solid.
