## Security best practices

Follow these best practices to maximize the security of your Agen for SaaS deployment.

### Authentication

- **Use a production-ready auth provider** — Configure Frontegg or a trusted OIDC provider. Never skip authentication in production.
- **Configure custom domains** — Use custom domains for both your authentication endpoint and MCP Gateway to maintain your brand and avoid exposing internal infrastructure.
- **Validate backend signatures** — Implement backend signature verification to confirm that requests to your APIs originate from your MCP Gateway.

### Access control

- **Apply least privilege** — Only grant access to tools that each role or permission genuinely requires.
- **Map sensitive tools explicitly** — Create access control rules for all tools that perform write operations (POST, PUT, DELETE) or access sensitive data.
- **Choose mapping types carefully** — The mapping type (roles vs. permissions) is permanent. Plan your access control strategy before creating rules.
- **Review rules regularly** — As your tool catalog grows, audit access control rules to ensure they still reflect security requirements.

### Policies

- **Require approval for destructive operations** — Use the "Request approval" action for tools that delete data, modify configurations, or make financial transactions.
- **Use step-up for high-value actions** — Require additional authentication for operations that exceed value thresholds or access sensitive resources.
- **Combine conditions** — Use multiple AND conditions to create precise targeting (e.g., high amount AND external IP AND non-admin role).
- **Test policies before activation** — Create policies in a disabled state, review the targeting, then activate.

### Data protection

- **Enable masking for all compliance-regulated data** — Apply PHI, PII, GDPR, and PCI masking to tools that handle sensitive data.
- **Use targeting for regional compliance** — Apply data protection policies conditionally based on geography (e.g., GDPR masking for EU users).
- **Audit data protection effectiveness** — Use monitoring logs to verify that masking is being applied to the expected tool responses.

### Hooks

- **Use Fail Closed for security hooks** — If a hook enforces a security requirement, configure it to block requests when the hook fails.
- **Keep hooks fast** — Minimize external calls and processing time to avoid adding latency to tool calls.
- **Test thoroughly** — Use the Test button to validate hook logic before activating in production.

### Approval flows

- **Define multiple approval steps** — For high-risk operations, require approval from more than one person or team.
- **Enable notifications** — Configure email or SMS channels to ensure approvers are notified promptly.
- **Set auto-approve timeouts judiciously** — Only use auto-approve for low-risk flows where delays are more harmful than the lack of review.
- **Enable requester notifications** — Let users know when their requests are approved or rejected to maintain transparency.

### Monitoring

- **Stream logs to your SIEM** — Use log streaming to centralize Agen for SaaS events alongside your existing security monitoring.
- **Set up alerts** — Configure alerts for unusual patterns (e.g., spike in denials, approval timeouts, hook failures).
- **Review logs regularly** — Periodically audit tool call patterns, policy enforcement, and approval trends.

### Related topics

- [Security model](/agen-for-saas/security-compliance/security-model)
- [Compliance](/agen-for-saas/security-compliance/compliance)
- [Security and compliance overview](/agen-for-saas/security-compliance/overview)
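
The "Use Fail Closed for security hooks" and "Keep hooks fast" items in the Hooks section above, as an added illustration that is not Agen for SaaS code or its hook API: a hypothetical `run_hook` wrapper showing how a crashed or slow hook is settled under each failure mode. The hook functions, request fields and time budget are assumptions constructed for this example.

```python
import concurrent.futures as cf
import ipaddress
import time

# Worker pool for hooks; an overrunning hook keeps its thread, but the
# decision on the tool call no longer waits for it.
_POOL = cf.ThreadPoolExecutor(max_workers=4)

def run_hook(hook, request, fail_closed=True, budget_s=0.2):
    """Return (allowed, reason). hook(request) returns True to allow.

    A crash, a non-boolean result or an overrun of budget_s counts as a
    hook failure, and fail_closed decides what a failure means.
    """
    future = _POOL.submit(hook, request)
    try:
        verdict = future.result(timeout=budget_s)
    except cf.TimeoutError:
        failure = "hook timed out"
    except Exception as exc:
        failure = f"hook error: {type(exc).__name__}"
    else:
        if isinstance(verdict, bool):
            return verdict, "hook verdict"
        failure = "non-boolean verdict"
    if fail_closed:
        return False, f"blocked ({failure})"
    return True, f"allowed despite failure ({failure})"

# Constructed hooks (hypothetical, for illustration only).
def require_internal_ip(request):
    return ipaddress.ip_address(request["ip"]) in ipaddress.ip_network("10.0.0.0/8")

def broken_hook(request):
    return request["risk_score"] < 50  # field is absent -> KeyError

def slow_hook(request):
    time.sleep(0.5)  # stands in for a slow external call
    return True

if __name__ == "__main__":
    req = {"tool": "delete_invoice", "ip": "203.0.113.7"}  # constructed request
    for hook in (require_internal_ip, broken_hook, slow_hook):
        for closed in (True, False):
            print(hook.__name__, "fail_closed" if closed else "fail_open",
                  run_hook(hook, req, fail_closed=closed, budget_s=0.05))
```

With the same broken or slow hook, the fail-open setting lets the call through, which is why a hook that enforces a security requirement belongs on Fail Closed.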