Security

AgentParley is built to run agents that touch real systems. Security isn't a layer on top — it's in the design.

Self-hosted by default

AgentParley runs on your hardware, inside your network. There is no hosted control plane and no phone-home. Your agents, your data, and your credentials never leave your environment unless you explicitly wire a channel or provider that sends them somewhere.

Encrypted vault for secrets

Model API keys, channel bot tokens, and provider credentials live in an encrypted vault under the home directory — never in parley.yaml, never in logs, and never placed in a model's context. Plugins declare the secret fields they need and read them back through a trusted settings path, so secret names are never hardcoded and agent input can never reach them.

The trusted secret path takes operator-set scope/keys only — never agent-supplied strings — so a prompt-injected agent can't trick the system into resolving a secret it shouldn't.
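The following is an added illustration of the two checks described above, written for this page rather than taken from AgentParley's code: a plugin can resolve only the secret fields it declared, and the vault scope is fixed when the settings object is built, so no runtime string (including text forwarded from an agent) can select a different secret. Class names, the manifest shape and the sample vault contents are assumptions.

```python
"""Illustrative trusted secret path: plugins read only the secret fields they
declared, and the vault is scoped per plugin. Added example; not AgentParley's
code. Class and method names are assumptions."""
from dataclasses import dataclass


class SecretAccessError(Exception):
    """Raised when a secret is requested outside a plugin's declared scope."""


@dataclass(frozen=True)
class PluginManifest:
    name: str                 # vault scope, fixed by the operator at install time
    secret_fields: frozenset  # field names the plugin declared up front


class Vault:
    """Stand-in for the encrypted vault. Entries are keyed by (scope, field),
    never by a single caller-controlled string."""

    def __init__(self, entries):
        self._entries = dict(entries)  # constructed sample; a real store is encrypted at rest

    def read(self, scope, field):
        try:
            return self._entries[(scope, field)]
        except KeyError:
            raise SecretAccessError(f"no secret {field!r} in scope {scope!r}") from None


class TrustedSettings:
    """Handed to a plugin at startup. The scope is bound at construction, so the
    plugin can only ever resolve its own declared fields."""

    def __init__(self, vault, manifest):
        self._vault = vault
        self._manifest = manifest

    def secret(self, field):
        if field not in self._manifest.secret_fields:
            # Undeclared names are refused before the vault is touched. This also
            # covers a plugin that mistakenly forwards agent-supplied text here.
            raise SecretAccessError(f"{self._manifest.name!r} did not declare {field!r}")
        return self._vault.read(self._manifest.name, field)

    def declared_fields(self):
        # Safe to show in a console: names only, never values.
        return sorted(self._manifest.secret_fields)


# Constructed sample vault contents (placeholder values, not real credentials).
VAULT = Vault({
    ("telegram", "bot_token"): "tg-token-EXAMPLE",
    ("openai", "api_key"): "sk-EXAMPLE",
})

TELEGRAM = PluginManifest(name="telegram", secret_fields=frozenset({"bot_token"}))


def resolve(plugin, field):
    """Return ("ok", value) or ("denied", reason) for a plugin/field pair."""
    settings = TrustedSettings(VAULT, plugin)
    try:
        return ("ok", settings.secret(field))
    except SecretAccessError as exc:
        return ("denied", str(exc))
```

Note that the Telegram plugin cannot reach the OpenAI key even though both live in the same vault: the manifest check fails first, and even if it were bypassed the scope bound into `TrustedSettings` would still point at the plugin's own entries.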

Human approval gates

High-impact actions can require explicit human sign-off before they run. A skill that needs approval parks the session AwaitingApproval and surfaces the request in the console; the action only executes once a human approves. Shell access is the canonical example — the command is shown, and nothing runs until you say so.

Default-deny channel access

Channels are default-deny: an inbound sender must be on the agent's authorized-senders allowlist for that channel instance before a message is ever handed to the agent. An unknown Telegram user talking to your bot gets nothing.
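As an added example (not AgentParley's code), here is the shape of a default-deny gate for inbound channel messages. The allowlist belongs to a specific channel instance, an empty allowlist admits nobody, and every rejection is kept for audit. Identifiers and the message format are constructed.

```python
"""Illustrative default-deny channel gate. Added example; not AgentParley's
code. Channel and sender identifiers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChannelInstance:
    kind: str                      # e.g. "telegram"
    instance_id: str               # one configured bot / channel instance
    authorized_senders: frozenset  # operator-maintained allowlist of sender ids


@dataclass
class Inbound:
    channel: ChannelInstance
    sender_id: str
    text: str


class ChannelGate:
    """Decides whether an inbound message reaches the agent at all."""

    def __init__(self):
        self.rejections = []  # (kind, instance_id, sender_id) for audit and alerting

    def admit(self, msg):
        # Default deny: membership is checked against this channel instance's
        # allowlist, and an empty allowlist therefore admits no one.
        if msg.sender_id in msg.channel.authorized_senders:
            return True
        self.rejections.append((msg.channel.kind, msg.channel.instance_id, msg.sender_id))
        return False


def deliver(gate, msg, agent_inbox):
    """Hand the text to the agent only if the gate admits the sender."""
    if gate.admit(msg):
        agent_inbox.append(msg.text)
        return "delivered"
    return "dropped"


# Constructed sample: one Telegram bot with a single authorized user, and a
# second bot whose allowlist has not been configured yet.
OPS_BOT = ChannelInstance("telegram", "ops-bot", frozenset({"tg:1001"}))
NEW_BOT = ChannelInstance("telegram", "new-bot", frozenset())


def demo():
    gate, inbox = ChannelGate(), []
    results = [
        deliver(gate, Inbound(OPS_BOT, "tg:1001", "status?"), inbox),
        deliver(gate, Inbound(OPS_BOT, "tg:9999", "run this"), inbox),  # unknown user
        deliver(gate, Inbound(NEW_BOT, "tg:1001", "hello"), inbox),     # right user, wrong instance
    ]
    return results, inbox, gate.rejections
```

The third case is the one worth noticing: being authorized on one bot does not carry over to another instance of the same channel kind, which is what keeps a per-bot allowlist meaningful.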

Scoped API access

The API and console are guarded by two token scopes: admin (full control) and read (observe sessions, hold no keys). Hand teammates a read token to watch the Observer without the ability to change anything. Rotate either token at any time. Tokens are never returned from the API in readable form.
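An added example, not AgentParley's implementation, of what those properties look like in code: each scope's token is stored only as a digest, presented tokens are compared in constant time, an operation is checked against the scope it requires, rotation invalidates the previous token, and the only thing the store will describe is a digest prefix. Operation names and token format are assumptions.

```python
"""Illustrative admin/read token handling. Added example; not AgentParley's
code. Operation names and the token format are assumptions."""
import hashlib
import hmac
import secrets

SCOPES = ("admin", "read")
# Scope each operation requires; read-scoped tokens may only observe.
REQUIRED = {"list_sessions": "read", "rotate_token": "admin", "approve_action": "admin"}


class AuthError(Exception):
    pass


class TokenStore:
    def __init__(self):
        self._digests = {}  # scope -> sha256 of the live token; plaintext is never kept

    def issue(self, scope):
        """Create (or rotate) the token for a scope. The plaintext is returned
        exactly once, to the caller who issued it."""
        if scope not in SCOPES:
            raise ValueError(scope)
        token = f"{scope}-{secrets.token_urlsafe(24)}"
        self._digests[scope] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def scope_of(self, presented):
        digest = hashlib.sha256(presented.encode()).hexdigest()
        for scope, stored in self._digests.items():
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                return scope
        raise AuthError("unknown token")

    def describe(self):
        # What an API may safely return: scope names and digest prefixes, never tokens.
        return {s: d[:8] + "..." for s, d in self._digests.items()}


def authorize(store, presented, operation):
    scope = store.scope_of(presented)
    needed = REQUIRED[operation]
    # admin satisfies every operation; read satisfies only read-level ones.
    if scope == "admin" or scope == needed:
        return scope
    raise AuthError(f"{operation} requires {needed}, token has {scope}")


def demo():
    store = TokenStore()
    admin, read = store.issue("admin"), store.issue("read")
    outcome = {"read_observes": authorize(store, read, "list_sessions")}
    try:
        authorize(store, read, "approve_action")
        outcome["read_approves"] = "allowed"
    except AuthError:
        outcome["read_approves"] = "refused"
    old_admin = admin
    admin = store.issue("admin")  # rotation: the previous admin token stops working
    try:
        store.scope_of(old_admin)
        outcome["old_admin"] = "still valid"
    except AuthError:
        outcome["old_admin"] = "revoked"
    outcome["new_admin"] = authorize(store, admin, "rotate_token")
    outcome["leaks_plaintext"] = any(t in str(store.describe()) for t in (admin, read))
    return outcome
```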

Spend caps

Per-agent (or global) budgets guard against a runaway mission. A cap can warn (log and continue) or refuse (block the turn) once cumulative spend crosses the threshold, so a loop can't quietly burn through your model budget.
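To make the warn/refuse distinction concrete, here is an added example (not AgentParley's code) of a guard that checks cumulative spend against a per-agent cap and a global cap before each turn. A warn cap logs and lets the turn proceed; a refuse cap at either level blocks it. The cap shape, the agent name and the per-turn costs are constructed.

```python
"""Illustrative spend cap with warn/refuse modes at agent and global level.
Added example; not AgentParley's code. Costs and names are constructed."""
from dataclasses import dataclass


@dataclass
class Cap:
    limit_usd: float
    mode: str  # "warn": log and continue; "refuse": block the turn


class SpendGuard:
    def __init__(self, global_cap=None, agent_caps=None):
        self.global_cap = global_cap
        self.agent_caps = agent_caps or {}
        self.spent = {}          # agent -> cumulative cost
        self.global_spent = 0.0
        self.log = []

    def record(self, agent, cost_usd):
        self.spent[agent] = self.spent.get(agent, 0.0) + cost_usd
        self.global_spent += cost_usd

    def check(self, agent):
        """Return "ok", "warn" or "refuse" for the agent's next turn. A refuse
        cap at either level overrides a warn at the other."""
        verdict = "ok"
        for label, cap, total in (
            ("agent", self.agent_caps.get(agent), self.spent.get(agent, 0.0)),
            ("global", self.global_cap, self.global_spent),
        ):
            if cap is None or total < cap.limit_usd:
                continue
            self.log.append(
                f"{label} cap {cap.limit_usd:.2f} crossed by {agent} "
                f"(spent {total:.2f}): {cap.mode}"
            )
            if cap.mode == "refuse":
                return "refuse"
            verdict = "warn"
        return verdict


def run_mission(guard, agent, turn_costs):
    """Simulate a mission turn by turn; stop as soon as the guard refuses."""
    completed = 0
    for cost in turn_costs:
        if guard.check(agent) == "refuse":
            break
        guard.record(agent, cost)
        completed += 1
    return completed


def demo():
    # Constructed: the agent may warn past $1.00, but the global $2.50 cap is hard.
    guard = SpendGuard(
        global_cap=Cap(2.50, "refuse"),
        agent_caps={"researcher": Cap(1.00, "warn")},
    )
    completed = run_mission(guard, "researcher", [0.40] * 10)  # a loop that never ends on its own
    return completed, guard.global_spent, guard.log
```

With those numbers the agent cap starts warning before the fourth turn and the global cap refuses before the eighth, so seven turns run instead of ten; the log keeps the crossings in order, which is what an operator reviews afterwards.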

Auditable by construction

The raw, append-only conversation log is never destroyed. Compaction rewrites only the working context an agent sees next turn — the full history remains for replay and audit. Every model call, skill invocation, and message delivery is recorded with its tokens, cost, and provenance.
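The split between the raw log and the working context is easiest to see in code. The following added example (not AgentParley's code) keeps an append-only, hash-chained record of every event with its tokens and cost, builds a compacted context for the next turn without touching those records, and shows that an after-the-fact edit to the log breaks the chain. Record kinds and contents are constructed.

```python
"""Illustrative append-only conversation log with hash chaining, plus a
compaction step that rewrites only the working context. Added example; not
AgentParley's code. Record kinds and contents are constructed."""
import hashlib
import json

GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AppendOnlyLog:
    def __init__(self):
        self._records = []  # only ever appended to

    def append(self, kind, payload, cost_usd=0.0, tokens=0):
        prev = self._records[-1]["hash"] if self._records else GENESIS
        body = {"seq": len(self._records), "kind": kind, "payload": payload,
                "tokens": tokens, "cost_usd": cost_usd, "prev": prev}
        body["hash"] = _digest(body)  # hash covers everything except itself
        self._records.append(body)
        return body["seq"]

    def verify(self):
        """Recompute the chain; any edit, reorder or deletion breaks it."""
        prev = GENESIS
        for rec in self._records:
            check = dict(rec)
            stored = check.pop("hash")
            if check["prev"] != prev or _digest(check) != stored:
                return False
            prev = stored
        return True

    def records(self):
        return list(self._records)

    def total_cost(self):
        return sum(r["cost_usd"] for r in self._records)


def compact(log, keep_last):
    """Working context for the next turn: one summary record standing in for
    the older history, followed by the last `keep_last` records. The log is read,
    never modified."""
    recs = log.records()
    older, recent = recs[:-keep_last], recs[-keep_last:]
    summary = {"kind": "summary", "covers": [r["seq"] for r in older],
               "text": f"{len(older)} earlier records compacted"}
    return ([summary] if older else []) + recent


def demo():
    log = AppendOnlyLog()
    log.append("message", {"from": "tg:1001", "text": "status?"})
    log.append("model_call", {"model": "example-model"}, cost_usd=0.01, tokens=350)
    log.append("skill", {"name": "shell", "approved_by": "operator"})
    log.append("model_call", {"model": "example-model"}, cost_usd=0.02, tokens=600)
    log.append("delivery", {"to": "tg:1001"})
    working = compact(log, keep_last=2)
    intact_before = log.verify()
    # Simulate someone editing the stored history after the fact.
    log._records[2]["payload"]["approved_by"] = "nobody"
    return len(working), len(log.records()), intact_before, log.verify(), round(log.total_cost(), 2)
```

The chain is a cheap tamper-evidence check for a replay: if a stored record has been altered, `verify()` fails at that record, while the compacted context the agent saw is a separate, derived artifact that carries no authority over the history.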