Security Overview
Every request to Agent Studio runs as the person who made it. Each service re-checks that person’s permissions, so an agent can only reach the agents, tools, and data products its user could already open in Alation.
The stored-credential swap at the warehouse is the only place identity changes hands. Trace it hop by hop in the interactive authorization explorer, or in prose in the request lifecycle.
In this section
Section titled “In this section”Request lifecycleWhat happens at each hop when a user asks a question, with the identity carried on the wire.Identity and permissionsRoles, credentials, per-object grants, and the full permission matrices.Authorization explorerClick through the full authorization graph, hop by hop, in your browser.Data handling and complianceWhat reaches the LLM, where chat data lives, retention, and the compliance posture.Slack securityThe identity model applied to the Slack channel.Plugin securityThe local CLI architecture, OAuth + PKCE flow, and RBAC enforcement for plugins.Audit and usageInteraction logs for every request, and how tool calls are metered against your quota.
Related pages
Section titled “Related pages”- Architecture overview — the system layout these controls run on, including deployment models.
- Creating OAuth clients — set up user-initiated or machine-to-machine clients.
- Permission matrices — who can create, edit, delete, and publish agents, tools, and flows.