Secure Business Actions
This guide hardens Business Actions so assistants can call your APIs without becoming an over-privileged backdoor.
Outcome
- Tools scoped to the right workspace
- Read-only pilot completed
- Secrets encrypted and rotatable
identify()used where end-user authz matters- Log review cadence defined
Threats to design for
| Risk | Mitigation |
|---|---|
| Public chat triggers refunds | No write tools on Customer Support until justified |
| Stolen widget token | Token ≠ admin secret; still bind workspace carefully |
| Prompt injection | Validate args on your API; least privilege |
| SSRF | HTTPS only; blocked private targets |
| Confused deputy | Forward end-user identity |
Concepts: AI Agent Security, What are Business Actions?.
Step 1 — Split audiences
Customer tools on Support workspace. Internal tools on Employee workspaces. Never mix.
Step 2 — Start read-only
Create one GET tool (Connect REST APIs). Test and log before chat enablement.
Step 3 — Encrypt and scope secrets
Follow Secrets. Issue vendor keys that cannot delete data.
Step 4 — Add identity forwarding for customer tools
User logs into your site
→ your app issues JWT/session
→ widget identify()
→ Business Action sends end-user headers to your API
→ your API authorizes the user
Details: Identity Forwarding.
Step 5 — Review logs weekly (then continuously)
Use tool execution logs and org audit logs (Audit Logs). Unexpected calls are incidents.
Step 6 — Introduce writes carefully
- Idempotent operations
- Human approval for irreversible money movement
- Rate limits on your API
Workflow checklist
Secure actions rollout
- Workspace split — Customer vs employee tools.
- Read-only tool — Test + logs.
- identify() if needed — End-user authz on your side.
- Pilot traffic — Watch failures and odd args.
- Optional writes — Idempotency + approvals.
FAQ
Can I disable all tools quickly?
Remove or disable tools on the workspace in Admin Console, and rotate credentials at the vendor if you suspect abuse.
Are OpenAPI imports safe by default?
No. Preview and strip admin/delete operations. See Import OpenAPI.