Skip to content

Securing AI Agents

Agents need stricter boundaries than chat applications because they can repeat actions without waiting for a person. GlideflowAI provides an OpenAI- and Anthropic-compatible gateway: requests are authenticated and metered by GlideflowAI, then forwarded to the upstream model provider you select.

An agent can loop, call tools, and read websites, documents, or messages that an attacker may control. Treat the model as a decision-making component that can be mistaken or manipulated, not as a security boundary.

Risk What it can look like Practical first control
Prompt injection A webpage tells the agent to ignore its task and reveal data. Mark retrieved content as untrusted and keep tool policy outside the prompt.
Excessive tool use The agent deletes files, changes production data, or sends messages it should not. Allow-list tools and require approval for consequential actions.
Key leakage A key appears in source control, logs, tool output, or a generated reply. Keep secrets outside prompts and revoke exposed keys immediately.
Runaway spend A retry or planning loop continues making model calls. Set bounded budgets, rate limits, and hard loop limits.

Use a separate API key for each agent or deployment so one leaked credential does not expose every workload. Store keys in a secret manager or server-side environment variable, never in source code, Git history, browser bundles, prompts, or routine logs.

  • Rotate active keys on a regular schedule and whenever a team member or hosting environment changes.
  • Revoke a key immediately if it appears in a repository, screenshot, support message, or agent transcript.
  • Where key-level model, quota, or expiry controls are available, choose the narrowest settings the agent needs.

See Authentication for the bearer-token format.

Give an agent only the tools and arguments required for its current job. Prefer read-only access, narrow directory or database scope, and explicit destination allow-lists over broad shell, network, mailbox, or cloud permissions.

  • Split read and write capabilities into separate tools or credentials.
  • Validate structured tool arguments in application code before execution.
  • Require human approval for deletion, payment, deployment, account changes, and outbound messages.
  • Set maximum steps and stop the run when the task no longer makes progress.

Treat retrieved content as data, not instructions

Section titled “Treat retrieved content as data, not instructions”

Text from a webpage, document, email, ticket, or tool result belongs to the task’s data layer; it does not gain authority because the model can read it. Prompt wording helps, but enforce important boundaries in deterministic application code as well.

  1. Wrap retrieved text in clear delimiters and label its source and trust level; never concatenate it into the system instruction.
  2. Allow-list tools and validate their arguments after the model responds, rejecting destinations or operations outside the task.
  3. Require human review before acting on retrieved requests to reveal secrets, change permissions, send data elsewhere, or override prior policy.

Keep secrets out of the agent context whenever possible, because an injected instruction cannot disclose a value the model never received.

Agents can create accidental denial-of-wallet incidents through recursive planning, retries, or parallel workers. Use per-key budgets and rate limits where available, and add application-side ceilings even when the gateway also enforces limits.

  • Cap calls, tokens, elapsed time, retries, and concurrent workers for every run.
  • Back off on 429 and transient upstream errors instead of retrying immediately.
  • Review usage logs for unexpected models, bursts, or agents that consume budget without completing tasks.
  • Alert before the budget is exhausted, then stop automatically at the hard limit.

See Errors & Rate Limits for response handling guidance.

GlideflowAI is intentionally part of the request path: the gateway authenticates and meters the call before forwarding it to the selected third-party model provider. You remain responsible for deciding whether that complete routing chain is appropriate for the data in each agent workflow.

  • Do not send regulated records, production secrets, or unnecessary personal data without an approved compliance review.
  • Redact identifiers and minimize retrieved context before it reaches any model provider.
  • Separate tenants and environments so one agent cannot retrieve another user’s context.
  • Confirm the upstream provider and its terms before processing sensitive workloads.

Read Data & Privacy for the full request path and workloads that are not a good fit.

Send model traffic only over HTTPS to the official endpoint, https://api.glideflowai.com/v1, and reject configuration that silently downgrades or redirects it. Keep TLS verification enabled and avoid copying bearer credentials into URLs, query strings, analytics, or error reports.

For the remote MCP integration, authenticate with a bearer key over HTTPS. The integration passes the key through for the request and does not store it; your MCP client and local configuration still need appropriate secret handling.

  • Pin the base URL in deployment configuration rather than accepting it from untrusted content.
  • Load the bearer key from a secret store or protected environment variable.
  • Remove authorization headers and prompt bodies from routine application logs.
  • One dedicated, revocable key is used for each agent or deployment.
  • No API key or production secret is present in code, prompts, logs, or browser bundles.
  • Tools and destinations are allow-listed with the minimum required permissions.
  • Destructive, financial, publishing, and messaging actions require human approval.
  • Retrieved content is labeled untrusted and cannot directly change policy.
  • Each run has hard limits for steps, retries, time, concurrency, and spend.
  • Sensitive data is minimized and the full upstream routing chain is approved.
  • Production traffic uses HTTPS and the official GlideflowAI endpoint only.