Skip to content
Akurion Akurion
Docs

Security and Governance

Security and Governance

Akurion is designed for enterprise knowledge workflows where access boundaries and source governance matter.

Access Model

Akurion uses:

  • Users
  • Subscriptions/workspaces
  • Projects
  • Project memberships
  • Roles
  • Organization admins
  • SSO connections and domains
  • Project API keys
  • Subscription API keys

Project access is enforced server-side for sensitive actions and queries.

API Keys

Akurion supports two API key scopes:

Key typePurpose
Project keyDirectly accesses one project.
Subscription keyAccesses all or selected projects in a workspace. Project context is required for project-level tools.

API key security behavior:

  • Plaintext is shown once at creation.
  • Runtime validation uses hashed key artifacts.
  • Keys can include permissions, credit budgets, rate limits, project scope, and expiration.
  • Subscription keys can be scoped to all projects or selected projects.

SSO and Organization Controls

Akurion includes control-plane support for organization SSO:

  • OIDC start, callback, and token exchange endpoints.
  • SSO domains.
  • SSO user links.
  • Subscription admin assignments.
  • Workspace naming.

Encryption and Secrets

Projects can enable encryption settings for sensitive content. Runtime services use Secret Manager references for operational credentials.

Operational guidance:

  • Do not put secrets in code, Dockerfiles, logs, docs, or screenshots.
  • Use managed credentials, workload identity, or secret references.
  • Rotate API keys and OAuth credentials when access changes.
  • Use source-specific credentials with least privilege.

Credits and Rate Limits

API and MCP requests are rate limited and credit tracked. Tool calls report credit usage metadata where available.

Credit tracking helps teams:

  • Allocate usage by project.
  • Monitor high-cost workflows.
  • Understand API and chat usage.
  • Prevent runaway agent loops.

Audit and Operations

Enterprise deployments should review:

  • API key creation, update, deletion, and usage.
  • Data source creation, updates, resyncs, and deletion.
  • File access and signed URL generation.
  • Graph edits and rebuilds.
  • Workflow runs and retries.
  • Admin changes.
  • Failed syncs and retry escalations.

Data Handling Best Practices

  • Start pilots with a focused project and limited source scope.
  • Use metadata filters and project instructions for governance.
  • Disable web search for confidential projects.
  • Limit admin roles.
  • Use selected-project subscription keys for integrations.
  • Review source health and file status regularly.
  • Remove stale sources and unused keys.