
Securing AI agents

Use the @secureAiAgent decorator to designate a function as securing a given agent.

Securing your data is vital when using the Squid Client to create AI agents and enable chatting. The AI agent and the chats conducted with them can contain sensitive information, so it's crucial to restrict access and updates to prevent unauthorized usage or modification.

Unless an AI agent has been set to public, access will be restricted by default and won't work without explicit rules that set access permissions. (Feel free to try it!)

Squid provides a @secureAiAgent decorator that you can use to set security rules. These rules prevent unauthorized users from updating agents or conducting unauthorized chats, protecting the integrity of your data.

Tip: Before trying to secure the AI agent, make sure the public setting of the agent you want to secure is toggled to OFF and that you've set up your backend, since the backend is where the security rules for your AI agent are defined.

Securing chats

To manage chat permissions, use the @secureAiAgent decorator. To open up chat on all agents to all users, add the following to your backend:

import { secureAiAgent, SquidService } from '@squidcloud/backend';

export class ExampleService extends SquidService {
  // Applies to every agent because no agent ID is passed to the decorator.
  @secureAiAgent()
  allowChat(): boolean {
    return true;
  }
}

To restrict chat to authenticated users only, use the Squid backend's isAuthenticated() method. This method returns a boolean indicating whether the client attempting the action is authenticated.

// Inside the same SquidService subclass as above.
@secureAiAgent()
allowChat(): boolean {
  return this.isAuthenticated();
}

Opening or closing access to all of your agents at once is very broad, so it is recommended that you specify the ID of the agent whose access you are configuring. To do so, pass the AI agent's ID to the @secureAiAgent decorator:

@secureAiAgent('AGENT_ID')

Conditional checks

The API allows the client to send various options along with its query, and some of those options are ones you will want to lock down.

For example, the query options can select a different AI model than the one configured for the agent. To lock that down, the following method checks whether options.model has been set and denies the request if it has.

// SecureAiAgentContext carries the options the client sent with its query.
@secureAiAgent()
immutableModel(context: SecureAiAgentContext): boolean {
  if (context.options?.model !== undefined) {
    // Don't allow overriding the model that was configured for the agent.
    return false;
  }
  return this.isAuthenticated();
}

There are many other options, and if you are unsure where to begin, the safest approach is to disallow any options at all.

@secureAiAgent()
immutableAgent(context: SecureAiAgentContext): boolean {
  // Treat a missing options object the same as an empty one.
  const options = context.options || {};
  if (Object.keys(options).length > 0) {
    // Don't allow any options.
    return false;
  }
  return this.isAuthenticated();
}
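The two rules above either block one option (model) or block everything. A middle ground that generalizes both is an explicit allowlist of option keys: anything not on the list is denied, so a newly introduced option is closed by default, and the denied keys are reported so the decision can be logged. The following is an added example, not code from the Squid documentation or the Squid SDK. It cannot import '@squidcloud/backend', so the SecureAiAgentContext type is a minimal local stand-in that models only the options field discussed on this page, the allowlisted key maxTokens is a constructed placeholder rather than a known Squid option, and the wiring into the decorated service method is shown in a comment.

```typescript
// Local stand-in for the SDK's context type (assumption: only `options` is
// modelled here; the real type comes from '@squidcloud/backend').
type SecureAiAgentContext = {
  options?: Record<string, unknown>;
};

// Option keys a client is permitted to set. Constructed for this example;
// `model` is deliberately absent so the agent's configured model can never
// be replaced by the caller.
export const ALLOWED_OPTION_KEYS: ReadonlySet<string> = new Set(['maxTokens']);

// Returns the option keys the client sent that are not on the allowlist.
// An empty result means the request is acceptable from the options' point
// of view; a non-empty result is what you would write to your audit log.
export function rejectedOptionKeys(context: SecureAiAgentContext): string[] {
  const options = context.options ?? {};
  return Object.keys(options).filter((key) => !ALLOWED_OPTION_KEYS.has(key));
}

// Pure decision function mirroring a @secureAiAgent rule: the caller must be
// authenticated AND every supplied option must be allowlisted. Keeping the
// logic outside the service makes it unit-testable without a Squid backend.
export function allowAgentChat(
  context: SecureAiAgentContext,
  authenticated: boolean,
): boolean {
  if (!authenticated) {
    return false;
  }
  return rejectedOptionKeys(context).length === 0;
}

// How this would be wired into the backend service (not runnable here,
// because it needs the Squid package):
//
//   import { secureAiAgent, SecureAiAgentContext, SquidService } from '@squidcloud/backend';
//
//   export class ExampleService extends SquidService {
//     @secureAiAgent('AGENT_ID')   // scope the rule to one agent, as recommended
//     allowChat(context: SecureAiAgentContext): boolean {
//       return allowAgentChat(context, this.isAuthenticated());
//     }
//   }
```

Because the check is deny-by-default, adding support for a new client option is a deliberate edit to ALLOWED_OPTION_KEYS rather than something that silently becomes reachable; an unauthenticated caller is refused before the options are even inspected.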

To learn more, take a look at all of the other options you can block or allow.