Security model

How Agenetix authorization works — organizations, roles, permissions, and audit.

Agenetix uses fine-grained, hierarchical role-based access control. Every API call is checked against your organization's permission model before executing.

Organization hierarchy

Everything in Agenetix lives inside an organization. Resources are organized in a hierarchy:

```mermaid
flowchart TD
    Org["Organization"] --> MCP["MCP Servers"]
    Org --> GW["Gateways"]
    Org --> Agent["Agents"]
    Org --> SA["API Keys / Service Accounts"]
    MCP --> Tools["Tools"]
    Agent --> Conv["Conversations"]
```

Child resources inherit permissions from their parent. For example, if you can edit an MCP server, you can also edit its tools; the same holds for agents and their conversations. Granting a permission on a parent therefore grants it on everything beneath that parent.

Permissions

| Resource    | View | Edit | Create | Delete |
|-------------|------|------|--------|--------|
| MCP Servers | Yes  | Yes  | Yes    | Yes    |
| Gateways    | Yes  | Yes  | Yes    | Yes    |
| Agents      | Yes  | Yes  | Yes    | Yes    |
| Logs        | Yes  |      |        |        |

Logs are view-only: they cannot be edited, created or deleted through the permission model.

Permissions are assigned per organization member through roles. Membership is scoped to a single organization, so the same user can hold different roles in different organizations, and holding a role in one organization grants nothing in another.
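The following is an added illustration of how the hierarchy and the per-organization permission table above combine into one check; it is not Agenetix's own code. The role names (`admin`, `viewer`), the resource type strings, the `Directory` membership map and the `is_allowed` function are all assumptions made for the example. The check walks a tool or conversation up to its nearest ancestor that carries a permission row (MCP server or agent), resolves the caller's role in the resource's organization, and denies anything not explicitly granted, including access from a member of a different organization.

```python
"""Hierarchical, per-organization RBAC check. Added example; not Agenetix code.
Role names, resource type strings and the Directory/is_allowed API are assumptions."""
from dataclasses import dataclass, field

ACTIONS = ("view", "edit", "create", "delete")

# Resource types that have their own row in the permission table.
# Tools inherit from their MCP server; conversations inherit from their agent.
PERMISSIONED_TYPES = {"mcp_server", "gateway", "agent", "log"}

# Role -> {resource type -> allowed actions}. Hypothetical roles; logs are view-only.
ROLES = {
    "admin": {t: set(ACTIONS) for t in ("mcp_server", "gateway", "agent")} | {"log": {"view"}},
    "viewer": {t: {"view"} for t in PERMISSIONED_TYPES},
}


@dataclass
class Resource:
    id: str
    type: str
    org: str                      # the organization the resource lives in
    parent: "Resource | None" = None


@dataclass
class Directory:
    # (user, org) -> role name. Membership is per organization, so one user
    # may be admin in one org, viewer in another, and absent from a third.
    memberships: dict = field(default_factory=dict)

    def role_in(self, user, org):
        return self.memberships.get((user, org))


def effective_type(resource):
    """Walk up the hierarchy to the nearest ancestor with a permission row."""
    r = resource
    while r.type not in PERMISSIONED_TYPES and r.parent is not None:
        r = r.parent
    return r.type


def is_allowed(directory, user, action, resource):
    """Deny by default; allow only if the user's role in the resource's org
    grants `action` on the resource's effective type."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    role = directory.role_in(user, resource.org)
    if role is None:
        return False              # not a member of this organization
    granted = ROLES[role].get(effective_type(resource), set())
    return action in granted
```

Note that `effective_type` is what makes "edit the MCP server implies edit its tools" hold, and that the organization is taken from the resource, never from the caller, so a user's admin role in `org-a` cannot be replayed against a resource in `org-b`.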

Authentication methods

| Method | Best for | Details |
|--------|----------|---------|
| Dashboard login | Interactive users | Email/password session with secure cookies |
| API keys | Programmatic access, CI/CD | Long-lived keys scoped to an organization. Provide via the `X-API-Key` header. |
| OAuth 2.1 PKCE (coming soon) | CLI interactive login | Browser-based flow with short-lived tokens |
| Service account tokens (coming soon) | Headless automation | Scoped, time-bound tokens for CI/CD pipelines |

Audit trail

Every change in Agenetix is recorded in the audit log:

  • Who performed the action (user or API key)
  • What resource was affected
  • What changed (field-level diff)
  • When it happened

You can view audit events in the dashboard or query them via the API.

Concurrent editing safety

Agenetix prevents accidental overwrites when multiple people edit the same resource simultaneously. If someone else saves a change while you are editing, your save will ask you to refresh and re-apply your changes rather than silently overwriting theirs.
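As an added example covering both the audit trail and the concurrent-editing behaviour described above, the block below models a resource store that rejects a save made against a version that has since been superseded, and records who changed what (as a field-level diff) and when on every accepted write. This is illustrative code, not Agenetix's implementation: the version counter, the `StaleWriteError` exception and the audit record layout are assumptions, and the page does not document how the real API signals a conflict.

```python
"""Optimistic concurrency control plus a field-level audit log.
Added illustration; not Agenetix code. Version field, exception type and
audit record layout are assumptions."""
import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone


class StaleWriteError(Exception):
    """Raised when the caller edited an older version than the one stored."""


@dataclass
class Stored:
    version: int
    data: dict


def field_diff(old, new):
    """Field-level diff: {field: (before, after)} for changed, added or removed fields."""
    keys = set(old) | set(new)
    return {k: (old.get(k), new.get(k)) for k in sorted(keys) if old.get(k) != new.get(k)}


@dataclass
class ResourceStore:
    items: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)     # who / what / diff / when

    def create(self, actor, rid, data):
        self.items[rid] = Stored(1, dict(data))
        self._record(actor, rid, "create", {}, data)
        return self.read(rid)

    def read(self, rid):
        """Return (version, copy of data); the version is what a later save must present."""
        s = self.items[rid]
        return s.version, copy.deepcopy(s.data)

    def save(self, actor, rid, base_version, new_data):
        """Apply new_data only if nobody has saved since base_version was read."""
        s = self.items[rid]
        if s.version != base_version:
            raise StaleWriteError(
                f"{rid}: you edited version {base_version} but the stored version is "
                f"{s.version}; refresh and re-apply your changes")
        self._record(actor, rid, "update", s.data, new_data)
        s.version += 1
        s.data = dict(new_data)
        return s.version

    def _record(self, actor, rid, action, before, after):
        self.audit.append({
            "actor": actor,                        # user or API key id
            "resource": rid,
            "action": action,
            "diff": field_diff(before, after),     # what changed, per field
            "at": datetime.now(timezone.utc),      # when it happened
        })


def simulate_conflict():
    """Two editors read the same version; the second save is rejected instead of
    silently overwriting the first, and every accepted save leaves an audit entry."""
    store = ResourceStore()
    store.create("alice", "gw-1", {"name": "edge", "timeout": 30})   # constructed sample
    v_a, data_a = store.read("gw-1")                 # editor A opens the form
    v_b, data_b = store.read("gw-1")                 # editor B opens it at the same time
    data_a["timeout"] = 60
    store.save("alice", "gw-1", v_a, data_a)         # A saves first: version 1 -> 2
    data_b["name"] = "edge-eu"
    try:
        store.save("bob", "gw-1", v_b, data_b)       # B's stale save is rejected
        rejected = False
    except StaleWriteError:
        rejected = True
    # B refreshes, re-applies the change on top of A's, and retries.
    v_now, fresh = store.read("gw-1")
    fresh["name"] = "edge-eu"
    store.save("bob", "gw-1", v_now, fresh)          # version 2 -> 3
    return rejected, store.read("gw-1"), store.audit
```

Running `simulate_conflict()` leaves the resource at version 3 with both editors' changes intact, and three audit entries: the create, Alice's timeout change and Bob's rename, each carrying only the fields that actually changed.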