AgentStead Docs

Security

Credential isolation, access control, and security best practices for AgentStead agents.

How access works

Every agent is protected by credentials. Public URLs require authentication — they're not open endpoints.

  • Account sessions are authenticated through the dashboard
  • Agent credentials (username + password + runtime token) are required to access the agent
  • Secrets are encrypted at rest and masked after saving
  • Real provider keys never leave AgentStead infrastructure

LLM proxy security

Every agent has a proxy token (AGENTSTEAD_PROXY_TOKEN, format asproxy_<32 chars>) injected at deploy time. This token authenticates requests to the managed LLM endpoint.

  Agent container
    AGENTSTEAD_PROXY_TOKEN=asproxy_...
            │
            ▼
  proxy.agentstead.dev/llm/v1/    ← validates token, enforces tier quota
            │
            ▼
  managed provider                ← AgentStead's master key, never the agent's

Token rotation: On every deploy or redeploy, the old token is revoked and a new one is generated. A token from a destroyed or redeployed agent is immediately invalid.

Storage: Only a SHA-256 hash of the token is stored in the database. Even a full database read reveals no usable tokens.

Request flow: the proxy

  1. Hashes the incoming token and looks it up — no token value is ever persisted in logs
  2. Checks tier quota for the requested model
  3. Forwards to the upstream provider using AgentStead's own credentials
  4. Pipes the response back directly — no buffering, no logging of request or response body
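To make the token lifecycle concrete, here is an added Python model of the hash-only token store described above. It is illustrative code written for this page, not AgentStead's implementation; the store class, its method names and the use of secrets.token_hex to fill the 32-character token body are assumptions.

```python
import hashlib
import secrets
from typing import Optional

TOKEN_PREFIX = "asproxy_"
TOKEN_BODY_LEN = 32  # page format: asproxy_<32 chars>


def generate_proxy_token() -> str:
    """Mint a token in the asproxy_<32 chars> format (assumption: 32 hex chars)."""
    return TOKEN_PREFIX + secrets.token_hex(16)


def token_fingerprint(token: str) -> str:
    """SHA-256 of the token: the only form the database ever holds."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ProxyTokenStore:
    """Hypothetical in-memory stand-in for the table mapping token hashes to agents."""

    def __init__(self) -> None:
        self._agent_by_hash = {}  # sha256 hex -> agent id
        self._hash_by_agent = {}  # agent id -> current sha256 hex

    def issue(self, agent_id: str) -> str:
        """Deploy/redeploy: revoke the old token, mint a new one, keep only its hash.
        The plaintext is returned once for injection into the container env."""
        self.revoke(agent_id)
        token = generate_proxy_token()
        fp = token_fingerprint(token)
        self._agent_by_hash[fp] = agent_id
        self._hash_by_agent[agent_id] = fp
        return token

    def revoke(self, agent_id: str) -> None:
        """Destroy: drop the hash so the old token is immediately invalid."""
        fp = self._hash_by_agent.pop(agent_id, None)
        if fp is not None:
            self._agent_by_hash.pop(fp, None)

    def authenticate(self, presented: str) -> Optional[str]:
        """Step 1 of the request flow: hash the incoming token and look it up.
        Returns the owning agent id or None; the token value is never stored or logged."""
        if not presented.startswith(TOKEN_PREFIX) or len(presented) != len(TOKEN_PREFIX) + TOKEN_BODY_LEN:
            return None  # format check also rejects a leaked hash replayed as a token
        return self._agent_by_hash.get(token_fingerprint(presented))

    def dump_database(self) -> list:
        """What a full database read would expose: hashes only, no usable tokens."""
        return list(self._agent_by_hash)
```

Redeploying (`issue` again) or destroying (`revoke`) an agent invalidates its previous token at once, and the dump contains nothing that `authenticate` accepts.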

BYOK credential isolation

If you add your own provider keys to Env Vars, they are stored encrypted at rest and injected directly into the container environment at startup. They are not forwarded through the proxy — your container receives the real value and uses it directly.

Provider keys added to Env Vars are encrypted with AES-256-GCM before storage. They are never written to container logs and are not visible via docker inspect at the platform layer.

Your responsibilities

Idle agents with valid credentials are live assets. Destroy agents you no longer need.

Protect credentials

Username, password, and runtime token are enough to access your agent. Don't share them.

Rotate exposed keys

If a BYOK provider key is compromised, delete and re-add it in Env Vars. Restart the agent to inject the new value.

Use Tailscale for private access

Reduces reliance on the public URL for sensitive workflows.

Destroy idle agents

Running agents with valid credentials remain live. Don't leave them around unused.

Tailscale access

When Tailscale is enabled, the agent gets a private IP on your tailnet. This is the preferred path for SSH and any workflow where you don't want to use the public URL.

Your Tailscale auth key is stored as a secret and treated with the same encryption and masking as other secrets.

Account security

  • Use a strong password for your AgentStead account
  • GitHub or Google sign-in delegates identity management to those providers
  • Contact support if you lose access or suspect unauthorised activity