> ## Documentation Index
> Fetch the complete documentation index at: https://docs.svantic.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

# Security

Svantic is designed for regulated industries where data sovereignty, auditability, and access control are non-negotiable. This page describes the security architecture from a user's perspective.

***

## Authentication

Every agent authenticates with Svantic using API credentials (Client ID and Client Secret). You obtain these from the dashboard under **Settings → API Keys**.

The SDK handles authentication automatically — provide your credentials and the SDK exchanges them for a short-lived token, then uses that token for all subsequent API calls.

```typescript theme={null}
const mesh = new MeshConnector(agent, {
	svantic_url: 'https://api.svantic.com',
	client_id: process.env.SVANTIC_CLIENT_ID!,
	client_secret: process.env.SVANTIC_CLIENT_SECRET!,
});
await mesh.connect();
```

No credentials are sent after the initial token exchange. The token expires periodically and the SDK refreshes it automatically.

***

## Organization Isolation

Each Svantic account is cryptographically isolated:

* Agents registered under your account are invisible to other accounts
* Sessions, messages, and knowledge are scoped to your account
* Routing decisions never cross account boundaries
* Even on shared infrastructure, your data is isolated at the authentication layer — not by application logic

***

## Data Sovereignty

Svantic never touches your data. Capabilities execute on your infrastructure — your agents run on your machines, access your databases, and use your credentials locally. Svantic only sees:

* Capability names and descriptions (from your agent card)
* Structured results your agent chooses to return
* Session metadata (who's involved, what state things are in)

Your raw data, credentials, file contents, and internal state never leave your environment.

***

## Per-Invocation Authentication

Every capability invocation is independently authenticated — not just the connection. Each dispatch carries a short-lived, cryptographically signed token that your agent's SDK verifies before executing any handler. This means:

* Replay attacks are blocked (tokens expire in seconds)
* Each invocation is bound to a specific agent instance
* A compromised callback URL cannot be used to forge requests

The SDK handles all verification automatically. You don't write any auth code in your handlers.

***

## Safety Layers

Svantic applies multiple independent safety layers to every operation:

| Layer                          | What It Does                                                                      |
| ------------------------------ | --------------------------------------------------------------------------------- |
| **Authentication**             | Verifies agent identity before any operation                                      |
| **Invocation Auth**            | Cryptographically authenticates every capability call                             |
| **Registration Policy**        | Controls which agent types can operate (open, allow-list, or audit mode)          |
| **ToolGuard**                  | Gates tool invocations — file access, commands, resource budgets, bulk operations |
| **FlowGuard**                  | Prevents runaway execution — step limits, timeouts, cycle detection               |
| **Approval Workflows**         | Requires human sign-off for sensitive operations                                  |
| **Zero-Knowledge Credentials** | Credential values never leave the client machine                                  |

Each layer operates independently. Compromising one does not compromise the others.

***

## Zero-Knowledge Credentials

When an agent needs to fill in a login form or provide an API key, Svantic uses a zero-knowledge model:

1. The agent identifies the form field and provides a credential key
2. The client tool retrieves the actual value from local secure storage
3. The value is used locally — it is never transmitted to Svantic

Passwords, API keys, and tokens never appear in Svantic's logs, context, or storage.

***

## Compliance

Svantic's architecture supports compliance with common regulatory frameworks:

* **SOC 2**: Full audit trails, access controls, encryption at rest
* **HIPAA**: Data never leaves the processing environment
* **PCI-DSS**: Zero-knowledge credential handling
* **GDPR**: Organization-scoped data isolation, right to deletion

***

## Getting Credentials

Sign up at [app.svantic.com](https://app.svantic.com) and navigate to **Settings → API Keys → Create Key**. You'll receive a Client ID and Client Secret. Store these securely — the secret is shown only once.

See the [Getting Started](../getting-started) guide for setup instructions.