Skip to main content

Secure Business Actions

This guide hardens Business Actions so assistants can call your APIs without becoming an over-privileged backdoor.

Outcome

  • Tools scoped to the right workspace
  • Read-only pilot completed
  • Secrets encrypted and rotatable
  • identify() used where end-user authz matters
  • Log review cadence defined

Threats to design for

RiskMitigation
Public chat triggers refundsNo write tools on Customer Support until justified
Stolen widget tokenToken ≠ admin secret; still bind workspace carefully
Prompt injectionValidate args on your API; least privilege
SSRFHTTPS only; blocked private targets
Confused deputyForward end-user identity

Concepts: AI Agent Security, What are Business Actions?.

Step 1 — Split audiences

Customer tools on Support workspace. Internal tools on Employee workspaces. Never mix.

Step 2 — Start read-only

Create one GET tool (Connect REST APIs). Test and log before chat enablement.

Step 3 — Encrypt and scope secrets

Follow Secrets. Issue vendor keys that cannot delete data.

Step 4 — Add identity forwarding for customer tools

User logs into your site
→ your app issues JWT/session
→ widget identify()
→ Business Action sends end-user headers to your API
→ your API authorizes the user

Details: Identity Forwarding.

Step 5 — Review logs weekly (then continuously)

Use tool execution logs and org audit logs (Audit Logs). Unexpected calls are incidents.

Step 6 — Introduce writes carefully

  • Idempotent operations
  • Human approval for irreversible money movement
  • Rate limits on your API

Workflow checklist

Secure actions rollout

  1. Workspace splitCustomer vs employee tools.
  2. Read-only toolTest + logs.
  3. identify() if neededEnd-user authz on your side.
  4. Pilot trafficWatch failures and odd args.
  5. Optional writesIdempotency + approvals.

FAQ

Can I disable all tools quickly?
Remove or disable tools on the workspace in Admin Console, and rotate credentials at the vendor if you suspect abuse.
Are OpenAPI imports safe by default?
No. Preview and strip admin/delete operations. See Import OpenAPI.