Admin
Security & Privacy
Agently is built with security at every layer: passwordless authentication via Supabase Auth, workspace-level data isolation, OAuth 2.0 for all integrations, Composio-managed credential storage, HMAC webhook verification, and a granular permission system. Your data is never used to train AI models. This page explains how your information is protected and what controls you have.
How Does Agently Authentication Work?
Agently uses passwordless authentication powered by Supabase Auth. There are no passwords stored in Agently — ever.
Email OTP — Enter your email, receive a one-time code, and you're in. No password to remember, no password to steal.
Google OAuth — Sign in with your Google account using the industry-standard OAuth 2.0 flow.
How Are Sessions Secured?
Sessions use JWT (JSON Web Tokens) for secure, stateless authentication
Tokens are validated on every request
Sessions can be revoked at any time by signing out
How Is My Data Protected?
Your Data Is Yours
Your workspace data (conversations, documents, knowledge, tasks) belongs to your workspace
Data is isolated between workspaces — one workspace cannot access another's data
Deleting your workspace removes your data
What Encryption Does Agently Use?
All data is transmitted over HTTPS (TLS encryption in transit)
Integration credentials are securely managed by Composio — Agently does not store raw OAuth tokens
Database connections are secured with TLS
Where Is Agently Hosted?
Hosted on secure cloud infrastructure
PostgreSQL database with Supabase for data storage
Regular security updates and patches
How Are Integrations Secured?
Agently uses Composio as its integration engine, connecting to 100+ third-party services securely:
OAuth 2.0 — You authorize access directly with the service provider. Agently never sees your passwords.
Composio-managed credentials — OAuth tokens and credentials are securely managed by Composio's infrastructure. Agently's database only stores connection references, never raw tokens.
Webhook verification — Incoming webhooks from integrations are verified using HMAC signatures to prevent tampering
Minimal permissions — Only the permissions agents need to function are requested
Revocable — Disconnect any integration at any time from Settings, or revoke access from the service provider's side
Workspace-scoped — Integrations are connected per workspace, not globally
What Can Agents Do and Not Do?
Agents can:
Read from and write to connected integrations (email, calendar, CRM, etc.) within the scope you authorized
Search and retrieve knowledge from your Brain
Create and manage tasks, pages, and other workspace items
Search the web for public information
Agents cannot:
Access data outside your workspace
Act without your knowledge — tool actions are shown transparently in the chat
Access integrations you haven't connected
Override workspace permissions or roles
Access other users' private data within the workspace
What Is the Human-in-the-Loop System?
For important or irreversible actions, agents can request approval through the Decisions system in your Inbox. This gives you a review step before the action is executed. You always stay in control.
How Does Access Control Work?
What Workspace Roles Are Available?
Access is controlled through three workspace roles:
Owner — Full control, including billing and workspace deletion
Admin — Can manage settings, members, and integrations
Member — Can use all features but cannot change workspace configuration
Learn more: Workspace Management
How Does the Permission System Work?
Agently uses a resource-action permission matrix to control access. Resources include workspaces, pages, spaces, knowledge, AI employees, and settings. Actions include create, read, update, delete, and manage. Permissions are enforced at the API level on every request.
How Is Service-to-Service Communication Secured?
Internal communication between Agently's services uses API key authentication, ensuring that the AI service can only access backend data through authorized channels.
How Does Rate Limiting Work?
API requests are rate-limited per user to prevent abuse
Sensitive endpoints (like authentication) have stricter limits
Real-time connections (SSE streams for messaging and notifications) are limited to prevent resource exhaustion
What Monitoring and Error Tracking Is in Place?
Error tracking monitors and helps quickly resolve issues
Request logging includes correlation IDs for debugging without exposing sensitive data
Security headers (via Helmet.js) protect against common web vulnerabilities
What Security Controls Do I Have?
Action | How |
|---|---|
Revoke an integration | Settings > Integrations > Disconnect |
Remove a team member | Settings > Team > Remove |
Delete a conversation | Click delete on any conversation |
Delete workspace data | Settings > Delete Workspace |
Sign out of all sessions | Sign out from your account |
Review agent actions | Check your Inbox for decisions and activity |
Have Security Questions?
If you have security concerns or questions about how your data is handled, reach out through the in-app chat widget or contact us at our support channels.
Related Pages
Integrations — How integrations are connected and secured
Workspace Management — Roles and access control
Inbox & Notifications — The Decisions approval system
FAQ — Common questions and troubleshooting
Join our Community Forum
Any other questions? Get in touch