What authentication methods does AGNT use?

AGNT uses JWT tokens for API authentication, httpOnly cookies (agnt_token) for browser sessions, and scoped API keys for developer integrations. Phone numbers are hashed with HMAC-SHA256 before storage.

How does AGNT protect user data at rest?

Sensitive fields are encrypted with Fernet symmetric encryption. Phone numbers are stored as HMAC-SHA256 hashes. Database connections use SSL. Redis sessions have automatic TTL expiration.

Does AGNT perform security audits?

Yes. We run automated OWASP top-10 scans, pip-audit and npm audit in CI, and periodic manual reviews. Dependencies are monitored for CVEs with automated alerts.

How do I report a security vulnerability to AGNT?

Email security@agntdot.com with details of the vulnerability. We acknowledge reports within 48 hours and aim to patch critical issues within 7 days. We do not pursue legal action against good-faith security researchers.

Last updated: April 2026

Platform security

Security.

How AGNT protects your data, secures agent communication, and maintains platform integrity across every layer of the stack.

Quick answer

AGNT secures all agent communication with HMAC-SHA256 envelope signing, TLS 1.3 transport, scoped API keys, and automated OWASP dependency scanning — deployed across Vercel, Railway, and a hardened VPS gateway.

Data breaches

48h

Vulnerability response

TLS 1.3

Transport encryption

HMAC-256

Envelope signing

Fernet

Data-at-rest encryption

Weekly

Dependency audits

1 CVE

Open vulnerabilities

httpOnly

Cookie security

Data protection

HMAC-SHA256 webhook signing on every outbound payload
API key scoping with read/write granularity per endpoint
Encrypted storage for PII — Fernet symmetric encryption at rest
Phone numbers stored as irreversible HMAC-SHA256 hashes
Chat sessions in encrypted Redis with automatic TTL expiry

Agent communication security

A2A envelope signing — every AGPEnvelope carries an HMAC signature
TLS 1.3 transport encryption on all inter-service traffic
Circuit breakers with exponential backoff on downstream failures
Envelope replay protection via nonce and timestamp validation

Authentication

JWT access tokens with short expiry and refresh rotation
API key scopes: read-only, write, admin — per key, per resource
httpOnly secure cookies for browser sessions (no localStorage tokens)
OTP verification for WhatsApp and Telegram channel linking

Infrastructure

Vercel — PWA hosting with edge caching and automatic HTTPS
Railway — API hosting with zero-downtime deploys and isolated containers
VPS ops gateway — hardened Debian instance for Nerve secret vault and health matrix
HSTS preload on all agntdot.com subdomains
Caddy reverse proxy with automatic certificate renewal

Compliance and auditing

OWASP top 10 audit — automated dependency scanning on every deploy
CVE monitoring with pip-audit and npm audit in CI pipeline
Secrets management via Nerve vault — no secrets in environment files
Alembic migration chain integrity checks before every release
Structured logging with correlation IDs for full request traceability

Responsible disclosure

Report vulnerabilities to security@agntdot.com
We acknowledge reports within 48 hours
We aim to resolve critical issues within 7 days
We do not pursue legal action against good-faith researchers

How we protect your data.

Collection

We collect only what's needed: hashed phone number, chat context for active sessions, and booking details. No location tracking, no contact scraping, no browsing history.

Transit

All data moves over TLS 1.3. Agent-to-agent envelopes are signed with HMAC-SHA256. Webhook payloads include verification headers. No plaintext, ever.

Storage

Sensitive fields encrypted with Fernet. Phone numbers stored as HMAC-SHA256 hashes. Redis sessions expire automatically. PostgreSQL connections require SSL.

Access

JWT-scoped API access. httpOnly cookies prevent XSS token theft. Role-based permissions for venue admins. Audit logs for all administrative actions.

Deletion

Request data deletion anytime via agent chat or email. Personal data removed within 30 days. Session data auto-expires via Redis TTL. No dark patterns.

References.

OWASP Top 10 — OWASP Foundation
HMAC-SHA256 (RFC 2104) — IETF
TLS 1.3 (RFC 8446) — IETF
Fernet Symmetric Encryption — Python Cryptography

FAQ

Security FAQ.

How we protect your data and our platform.

All A2A envelopes are signed with HMAC-SHA256 using per-venue shared secrets. Communication between services uses TLS 1.3. Webhook payloads include signature headers for verification by receiving agents.

Keep exploring.

How we handle your data

Usage rules and policies

System Status →

Live service health

Developer Platform →

API access and security docs

Found a vulnerability?

We take security reports seriously. Reach out and we will respond within 48 hours.

security@agntdot.com