Filepad is built around the principle that agents should have exactly the access they need — no more — and that every change they make should be auditable. This page covers the security model at a product level.
Security principles
Least privilege by default
Access is granted deliberately. Agent Access keys are workspace-scoped and carry only the scopes they need. Users access only workspaces they've been invited to. Both follow the same principle: no ambient access.
Proposals before writes
The diff-and-approval model is a security control, not just a UX feature. Agents that use files:propose cannot alter files unilaterally. Every change is staged, attributed, and requires a human decision.
Auditability as a first-class feature
Every key action — proposal created, accepted, rejected, key rotated, scope changed — is logged with attribution and timestamp. You always know what changed, when, and who authorized it.
User authentication
- SSO via Microsoft Entra ID for enterprise environments
- Role-based access within workspaces: viewer, editor, admin, owner
- Workspace isolation - users only see workspaces they've been granted access to
Agent Access API security
External agents authenticate via HMAC-SHA256 signed requests using Agent Access keys:
- Per-workspace keys - a key for workspace A cannot access workspace B
- Scoped Agent Access - each key is granted only the permissions it needs, such as env:read, artifacts:write, files:propose, or events.write
- Scope enforcement - every endpoint checks scopes before touching any data
- Anti-enumeration - workspace mismatches always return 404, never 403, preventing probing for workspace existence
- Revoked keys - return 401 uniformly with no information leakage about key validity
- Rate limiting - per-workspace, per-agent throttling on external requests
- Audit trail - key creation, rotation, revocation, scope changes, and signed requests are logged
The workspace agent UI itself uses normal Filepad session auth rather than integration keys; its thread/job routes live under /workspaces/:workspaceId/agent/....
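The ordering of the checks listed above (uniform 401, then 404 on workspace mismatch, then scope check before any data access), sketched as an added example that is not Filepad's code. The key records, the canonical string in sign() and the 403 for a missing scope are assumptions; the page does not specify them.

```python
import hashlib
import hmac

# Constructed key records for illustration (not Filepad's storage format).
KEYS = {
    "key_a": {"secret": b"secret-a", "workspace": "ws_a",
              "scopes": {"env:read", "files:propose"}, "revoked": False},
    "key_old": {"secret": b"secret-old", "workspace": "ws_a",
                "scopes": {"env:read"}, "revoked": True},
}
DUMMY_SECRET = b"\x00" * 32


def sign(secret: bytes, method: str, path: str, body: bytes) -> str:
    """Hypothetical canonical form: METHOD, PATH and SHA-256(body), newline-joined.
    A production scheme would also bind a timestamp or nonce against replay."""
    msg = "\n".join([method, path, hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize(key_id, signature, method, path, body, workspace, required_scope):
    """Return the HTTP status to answer with before any data is touched."""
    record = KEYS.get(key_id)
    usable = record is not None and not record["revoked"]
    # Unknown and revoked keys still get an HMAC computed (over a dummy secret),
    # so every 401 path does the same work and gives the same answer.
    secret = record["secret"] if usable else DUMMY_SECRET
    expected = sign(secret, method, path, body)
    sig_ok = hmac.compare_digest(expected.encode(), signature.encode())
    if not (usable and sig_ok):
        return 401
    # A valid key aimed at another workspace gets 404, the same answer as
    # "no such workspace", so it cannot probe for workspace existence.
    if record["workspace"] != workspace:
        return 404
    # Assumption: status for a missing scope is not stated on the page.
    if required_scope not in record["scopes"]:
        return 403
    return 200
```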
Key lifecycle
Workspace admins can:
- Create Agent Access keys with specific scopes
- Rotate secrets without revoking (zero-downtime rotation)
- Patch scopes to adjust permissions without re-issuing keys
- Revoke keys immediately when access should end
Data handling
- Your documents never train our models
- Enterprise isolation is the foundation, not an afterthought
- Agent Access secrets are encrypted at rest with AES-256-GCM
Next steps
- Agent Access overview - How external agents connect
- Agent Access API v1 reference - Full endpoint documentation
- API reference - High-level API architecture