Security

Svantic is designed for regulated industries where data sovereignty, auditability, and access control are non-negotiable. This page describes the security architecture from a user’s perspective.

Authentication

Every agent authenticates with Svantic using API credentials (Client ID and Client Secret). You obtain these from the dashboard under Settings → API Keys. The SDK handles authentication automatically — provide your credentials and the SDK exchanges them for a short-lived token, then uses that token for all subsequent API calls.
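
// `agent` is your existing agent instance. Credentials are read from the
// environment; the SDK exchanges them for a short-lived token.
const mesh = new MeshConnector(agent, {
	svantic_url: 'https://api.svantic.com',
	client_id: process.env.SVANTIC_CLIENT_ID!,
	client_secret: process.env.SVANTIC_CLIENT_SECRET!,
});
await mesh.connect();
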
No credentials are sent after the initial token exchange. The token expires periodically and the SDK refreshes it automatically.

Organization Isolation

Each Svantic account is cryptographically isolated:
  • Agents registered under your account are invisible to other accounts
  • Sessions, messages, and knowledge are scoped to your account
  • Routing decisions never cross account boundaries
  • Even on shared infrastructure, your data is isolated at the authentication layer — not by application logic

Data Sovereignty

Svantic never touches your data. Capabilities execute on your infrastructure — your agents run on your machines, access your databases, and use your credentials locally. Svantic only sees:
  • Capability names and descriptions (from your agent card)
  • Structured results your agent chooses to return
  • Session metadata (who’s involved, what state things are in)
Your raw data, credentials, file contents, and internal state never leave your environment.

Per-Invocation Authentication

Every capability invocation is independently authenticated — not just the connection. Each dispatch carries a short-lived, cryptographically signed token that your agent’s SDK verifies before executing any handler. This means:
  • Replay attacks are blocked (tokens expire in seconds)
  • Each invocation is bound to a specific agent instance
  • A compromised callback URL cannot be used to forge requests
The SDK handles all verification automatically. You don’t write any auth code in your handlers.
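
The checks that a per-invocation token of this kind implies (signature, short lifetime, instance binding), as an added Node.js example that is not Svantic's SDK code. The token layout (base64url JSON body plus an Ed25519 signature), the claim names (`jti`, `iat`, `exp`, `agent_instance`, `capability`), the function names and the single-use `jti` check are assumptions made for illustration; the page does not document the real format.

```javascript
const crypto = require('node:crypto');

// Constructed key pair: the issuer keeps the private key, the agent holds only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const b64 = (data) => Buffer.from(data).toString('base64url');

// Hypothetical issuer side: sign claims that bind one dispatch to one agent instance.
function issueToken(claims, key = privateKey) {
  const body = b64(JSON.stringify(claims));
  return `${body}.${b64(crypto.sign(null, Buffer.from(body), key))}`;
}

const seenIds = new Map(); // token id -> expiry; lets each token be accepted only once

// Agent side: run every check before the capability handler is allowed to execute.
function verifyInvocation(token, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ ok: false, reason });
  const [body, sig, extra] = String(token).split('.');
  if (!body || !sig || extra !== undefined) return fail('malformed');
  // 1. Signature first: nothing in the body is trusted until this passes.
  const sigOk = crypto.verify(null, Buffer.from(body), publicKey, Buffer.from(sig, 'base64url'));
  if (!sigOk) return fail('bad_signature');
  let c;
  try { c = JSON.parse(Buffer.from(body, 'base64url').toString('utf8')); }
  catch { return fail('malformed'); }
  if (!c || !Number.isInteger(c.iat) || !Number.isInteger(c.exp) || typeof c.jti !== 'string')
    return fail('malformed');
  // 2. Lifetime: reject expired tokens and any lifetime longer than the agent allows.
  if (nowSec >= c.exp) return fail('expired');
  if (c.exp - c.iat > expected.maxTtlSec) return fail('ttl_too_long');
  // 3. Binding: the token must name this agent instance and the capability being invoked.
  if (c.agent_instance !== expected.agentInstance) return fail('wrong_instance');
  if (c.capability !== expected.capability) return fail('wrong_capability');
  // 4. Single use: a copy replayed inside the validity window is still refused.
  for (const [id, exp] of seenIds) if (exp <= nowSec) seenIds.delete(id);
  if (seenIds.has(c.jti)) return fail('replayed');
  seenIds.set(c.jti, c.exp);
  return { ok: true, claims: c };
}
```

Because the agent in this example holds only the public key, a party that learns the callback URL can deliver requests to it but cannot produce a token that passes step 1.
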

Safety Layers

Svantic applies multiple independent safety layers to every operation:

| Layer | What It Does |
| --- | --- |
| Authentication | Verifies agent identity before any operation |
| Invocation Auth | Cryptographically authenticates every capability call |
| Registration Policy | Controls which agent types can operate (open, allow-list, or audit mode) |
| ToolGuard | Gates tool invocations — file access, commands, resource budgets, bulk operations |
| FlowGuard | Prevents runaway execution — step limits, timeouts, cycle detection |
| Approval Workflows | Requires human sign-off for sensitive operations |
| Zero-Knowledge Credentials | Credential values never leave the client machine |

Each layer operates independently. Compromising one does not compromise the others.

Zero-Knowledge Credentials

When an agent needs to fill in a login form or provide an API key, Svantic uses a zero-knowledge model:
  1. The agent identifies the form field and provides a credential key
  2. The client tool retrieves the actual value from local secure storage
  3. The value is used locally — it is never transmitted to Svantic
Passwords, API keys, and tokens never appear in Svantic’s logs, context, or storage.

Compliance

Svantic’s architecture supports compliance with common regulatory frameworks:
  • SOC 2: Full audit trails, access controls, encryption at rest
  • HIPAA: Data never leaves the processing environment
  • PCI-DSS: Zero-knowledge credential handling
  • GDPR: Organization-scoped data isolation, right to deletion

Getting Credentials

Sign up at app.svantic.com and navigate to Settings → API Keys → Create Key. You’ll receive a Client ID and Client Secret. Store these securely — the secret is shown only once. See the Getting Started guide for setup instructions.