Security best practices

Follow these best practices to maximize the security of your Agen for SaaS deployment.


Authentication

  • Use a production-ready auth provider — Configure Frontegg or a trusted OIDC provider. Never skip authentication in production.
  • Configure custom domains — Use custom domains for both your authentication endpoint and MCP Gateway to maintain your brand and avoid exposing internal infrastructure.
  • Validate backend signatures — Implement backend signature verification to confirm that requests to your APIs originate from your MCP Gateway.

Access control

  • Apply least privilege — Only grant access to tools that each role or permission genuinely requires.
  • Map sensitive tools explicitly — Create access control rules for all tools that perform write operations (POST, PUT, DELETE) or access sensitive data.
  • Choose mapping types carefully — The mapping type (roles vs. permissions) is permanent. Plan your access control strategy before creating rules.
  • Review rules regularly — As your tool catalog grows, audit access control rules to ensure they still reflect security requirements.

Policies

  • Require approval for destructive operations — Use the "Request approval" action for tools that delete data, modify configurations, or make financial transactions.
  • Use step-up for high-value actions — Require additional authentication for operations that exceed value thresholds or access sensitive resources.
  • Combine conditions — Use multiple AND conditions to create precise targeting (e.g., high amount AND external IP AND non-admin role).
  • Test policies before activation — Create policies in a disabled state, review the targeting, then activate.

Data protection

  • Enable masking for all compliance-regulated data — Apply PHI, PII, GDPR, and PCI masking to tools that handle sensitive data.
  • Use targeting for regional compliance — Apply data protection policies conditionally based on geography (e.g., GDPR masking for EU users).
  • Audit data protection effectiveness — Use monitoring logs to verify that masking is being applied to the expected tool responses.

Hooks

  • Use Fail Closed for security hooks — If a hook enforces a security requirement, configure it to block requests when the hook fails.
  • Keep hooks fast — Minimize external calls and processing time to avoid adding latency to tool calls.
  • Test thoroughly — Use the Test button to validate hook logic before activating in production.
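
What Fail Closed changes in practice, as an added example (not Agen for SaaS code or its hook API): a hypothetical `run_hook` wrapper, with constructed hooks and request fields, that shows a crash, a timeout or a missing decision passing the call when failing open and blocking it when failing closed. The 0.5 s time budget is an assumption chosen for the demo.

```python
import concurrent.futures as cf
import time

ALLOW, DENY = "allow", "deny"

def run_hook(hook, request, *, fail_closed, timeout_s=0.5):
    """Run one hook; map error, timeout and bad output to an explicit decision."""
    pool = cf.ThreadPoolExecutor(max_workers=1)
    try:
        verdict = pool.submit(hook, request).result(timeout=timeout_s)
        reason = "hook decision"
    except cf.TimeoutError:
        verdict, reason = None, "hook timed out"
    except Exception as exc:  # any crash inside the hook
        verdict, reason = None, f"hook raised {type(exc).__name__}"
    finally:
        pool.shutdown(wait=False)  # do not block the tool call on a stuck hook
    if verdict in (ALLOW, DENY):
        return verdict, reason
    if reason == "hook decision":
        reason = "hook returned no valid decision"
    # The hook failed: this is the only place the two modes differ.
    return (DENY if fail_closed else ALLOW), reason

# Constructed sample hooks (hypothetical request fields).
def require_mfa(req):
    return ALLOW if req["mfa"] else DENY

def slow_hook(req):
    time.sleep(1.5)  # slower than the 0.5 s budget
    return ALLOW

def silent_hook(req):
    return None  # forgot to return a decision

def demo():
    good = {"tool": "delete_invoice", "mfa": True}
    no_mfa = {"tool": "delete_invoice", "mfa": False}
    missing = {"tool": "delete_invoice"}  # "mfa" absent -> KeyError in the hook
    cases = {"ok": (require_mfa, good), "denied": (require_mfa, no_mfa),
             "crash": (require_mfa, missing), "timeout": (slow_hook, good),
             "no_decision": (silent_hook, good)}
    return {name: {mode: run_hook(h, r, fail_closed=(mode == "closed"))[0]
                   for mode in ("open", "closed")}
            for name, (h, r) in cases.items()}

if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:12} fail-open={row['open']:5} fail-closed={row['closed']}")
```

A working hook gives the same answer in both modes; the setting only matters on the three failure rows, which is why a security hook left failing open can be bypassed by anything that makes it error or stall.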

Approval flows

  • Define multiple approval steps — For high-risk operations, require approval from more than one person or team.
  • Enable notifications — Configure email or SMS channels to ensure approvers are notified promptly.
  • Set auto-approve timeouts judiciously — Only use auto-approve for low-risk flows where delays are more harmful than the lack of review.
  • Enable requester notifications — Let users know when their requests are approved or rejected to maintain transparency.

Monitoring

  • Stream logs to your SIEM — Use log streaming to centralize Agen for SaaS events alongside your existing security monitoring.
  • Set up alerts — Configure alerts for unusual patterns (e.g., spike in denials, approval timeouts, hook failures).
  • Review logs regularly — Periodically audit tool call patterns, policy enforcement, and approval trends.