Security Best Practices

Overview

Security is critical when integrating AGI Agents. Follow these best practices to protect API keys and user data.

Protect API Keys

Never expose API keys in client-side code, public repositories, or logs.

Use Environment Variables

JavaScript
Python
Bad Examples

// Good - Environment Variables
const API_KEY = process.env.AGI_API_KEY;

if (!API_KEY) {
  throw new Error('AGI_API_KEY environment variable not set');
}

const headers = { 'Authorization': `Bearer ${API_KEY}` };

# Good - Environment Variables
import os

API_KEY = os.environ.get("AGI_API_KEY")

if not API_KEY:
    raise ValueError("AGI_API_KEY environment variable not set")

headers = {"Authorization": f"Bearer {API_KEY}"}

// ❌ NEVER DO THIS
const API_KEY = "sk_live_abc123..."; // Exposed in code!

// ❌ NEVER DO THIS
const headers = {"Authorization": "Bearer sk_live_abc123..."};

# ❌ NEVER DO THIS
API_KEY = "sk_live_abc123..."  # Exposed in code!

# ❌ NEVER DO THIS
headers = {"Authorization": "Bearer sk_live_abc123..."}

Use .env Files (Never Commit)

JavaScript
Python
.env File
.gitignore

// Install: npm install dotenv
import 'dotenv/config';

const API_KEY = process.env.AGI_API_KEY;

# Install: pip install python-dotenv
from dotenv import load_dotenv
import os

load_dotenv()  # Load from .env file
API_KEY = os.getenv("AGI_API_KEY")

# .env file
AGI_API_KEY=sk_live_your_key_here

# .gitignore - ALWAYS IGNORE
.env
.env.local
*.key

Validate User Input

Always validate user input before sending to agents.

JavaScript
Python
HTTPie

function sanitizeInput(userInput) {
  if (typeof userInput !== 'string') {
    throw new Error('Input must be string');
  }
  
  if (userInput.length > 5000) {
    throw new Error('Input too long (max 5000 chars)');
  }
  
  // Remove control characters
  return userInput.replace(/[\x00-\x1f\x7f-\x9f]/g, '');
}

// Usage
try {
  const safeInput = sanitizeInput(userQuery);
  await client.sendMessage(sessionId, safeInput);
} catch (e) {
  return { error: `Invalid input: ${e.message}`, status: 400 };
}

def sanitize_input(user_input: str) -> str:
    if not isinstance(user_input, str):
        raise ValueError("Input must be string")
    
    if len(user_input) > 5000:
        raise ValueError("Input too long (max 5000 chars)")
    
    import re
    user_input = re.sub(r'[\x00-\x1f\x7f-\x9f]', '', user_input)
    
    return user_input

# Usage
try:
    safe_input = sanitize_input(user_query)
    send_message(session_id, safe_input)
except ValueError as e:
    return {"error": f"Invalid input: {e}"}, 400

# Validate input length before sending
if [ ${#USER_INPUT} -gt 5000 ]; then
  echo "Input too long"
  exit 1
fi

http POST https://api.agi.tech/v1/sessions/$SESSION_ID/message \
  Authorization:"Bearer $AGI_API_KEY" \
  message="$USER_INPUT"

Validate URLs

Ensure URLs are safe before sending to agents.

JavaScript
Python
HTTPie

function validateUrl(url) {
  if (url.length > 2000) {
    throw new Error('URL too long');
  }
  
  // Must start with http:// or https://
  if (!/^https?:\/\//.test(url)) {
    throw new Error('URL must start with http:// or https://');
  }
  
  // Block localhost and internal IPs
  if (/(localhost|127\.0\.0\.1|192\.168\.|10\.)/.test(url)) {
    throw new Error('Internal URLs not allowed');
  }
  
  return true;
}

import re

def validate_url(url: str) -> bool:
    if len(url) > 2000:
        raise ValueError("URL too long")
    
    if not re.match(r'^https?://', url):
        raise ValueError("URL must start with http:// or https://")
    
    if re.search(r'(localhost|127\.0\.0\.1|192\.168\.|10\.)', url):
        raise ValueError("Internal URLs not allowed")
    
    return True

# Validate URL before sending
if [[ ! "$URL" =~ ^https?:// ]]; then
  echo "URL must start with http:// or https://"
  exit 1
fi

if [[ "$URL" =~ (localhost|127\.0\.0\.1|192\.168\.|10\.) ]]; then
  echo "Internal URLs not allowed"
  exit 1
fi

Best Practices

Use Environment Variables

Never hardcode API keys in your code

Validate Input

Always validate and sanitize user input

Use HTTPS

Always use HTTPS endpoints for webhooks

Don't Log Keys

Never log API keys or sensitive data

Error Handling

Handle failures gracefully

API Reference

Complete API documentation

Getting Started

Use Cases

Best Practices

Advanced

Troubleshooting

Overview

Protect API Keys

Use Environment Variables

Use .env Files (Never Commit)

Validate User Input

Validate URLs

Best Practices

Use Environment Variables

Validate Input

Use HTTPS

Don't Log Keys

Error Handling

API Reference

Getting Started

Use Cases

Best Practices

Advanced

Troubleshooting

​Overview

​Protect API Keys

​Use Environment Variables

​Use .env Files (Never Commit)

​Validate User Input

​Validate URLs

​Best Practices

Use Environment Variables

Validate Input

Use HTTPS

Don't Log Keys

​Related Guides

Error Handling

API Reference

Overview

Protect API Keys

Use Environment Variables

Use .env Files (Never Commit)

Validate User Input

Validate URLs

Best Practices

Related Guides