Skip to main content

Business Actions

A Business Action is the runtime execution of a Business Tool during a conversation — for example looking up an order or creating a ticket in your system of record.

Introduction

Flow in production:

  1. User message arrives (Website Widget or WhatsApp; Internal Portal is knowledge-only in V1)
  2. Assistant retrieves workspace knowledge (hybrid RAG)
  3. When appropriate, the model selects an allowed tool in that workspace (customer channels only)
  4. Qefro authorizes the call, performs SSRF-safe HTTPS egress, and records an execution log
  5. Result is folded into the assistant reply

Channel support (V1)

ChannelBusiness Tool execution
Website Widget✓ Supported
WhatsApp✓ Supported
Internal Portal✗ Not supported

Internal Portal requests that would require a Business Tool receive a structured BUSINESS_TOOLS_NOT_SUPPORTED response. Knowledge search and RAG continue to work normally.

Future Portal support may use enterprise SSO, OAuth On-Behalf-Of, identity federation, employee identity delegation, and JWT forwarding — without removing the existing channel gate.

Why it exists

Answers without actions force users to leave chat and dig through portals. Actions without isolation are unsafe. Qefro combines both under workspace + RBAC boundaries.

Concepts

  • Tool selection — only tools attached to the active workspace
  • Identity — optional end-user forwarding via identify() on the widget
  • Execution logGET /api/v1/tools/:id/logs
  • Failure modes — tool errors surface safely; they must not leak secrets

Architecture

Workflow

Ship a safe action

  1. Define toolREST or OpenAPI import in the workspace.
  2. Least privilegeRead-only scopes first; encrypt secrets.
  3. Identity (if needed)Widget identify() for per-user APIs.
  4. TestConsole tool test + conversational trial.
  5. AuditWatch execution logs in production.

Code examples

# Inspect recent executions
curl -sS -H "Authorization: Bearer $USER_JWT" \
https://api.qefro.com/api/v1/tools/$TOOL_ID/logs

Best practices

  • Separate “customer-safe” tools from “admin-only” tools via workspaces
  • Prefer idempotent reads for auto-invoked actions
  • Document expected side effects for write tools

Security notes

FAQ

Does Qefro store my CRM data?
Tool responses may appear in conversation transcripts. Your CRM remains the system of record. Review retention and access with your security team.