Assumptions
- End users can send hostile or confusing instructions.
- Retrieved content, files, and tool results can contain prompt-injection text.
- An agent may make a bad tool call unless a permission boundary stops it.
- Browser credentials may leak, so browser credentials must be short-lived and narrowly scoped.
- A production integration needs budget, audit, rollback, and troubleshooting controls before it handles real users.
Boundaries
Prompt injection and tool use
Treat prompt injection as expected input, not an exceptional event. Karta’s job is to keep the blast radius small:- A running session does not inherit your account administrator privileges.
- End-user browsers do not receive a
kt_live_...API key. - Approval prompts can pause a turn before a tool action proceeds.
- Sessions and kartas are scoped by organization and agent, so guessed IDs do not cross tenant boundaries.
- Spend caps can stop runaway loops before another turn executes.
Credentials
Use the narrowest credential that can do the job.
See API authentication for route-family
compatibility and Session tokens for the browser
flow.
Network and data exposure
Karta can only enforce boundaries around the platform surface. If your agent has tools that call your own services, your service authorization still matters.- Do not trust a soft
userIdfrom the browser to authorize access to your own systems. Use verified identity. - Do not put provider keys, API keys, identity-verification secrets, or webhook signing secrets in browser code.
- Document what user content your widget sends to Karta and the model provider backing the agent. The chat widget security page has disclosure guidance.
- Use BYOK when your policy requires model-provider credentials under your own provider account. See BYOK.
Operator access
Running an agent platform means Karta’s systems process the content your agents handle. The trust commitment is minimization: operators should not read customer content as part of normal operations, access should be limited and logged, and material account changes should land in the audit log. Review the current public trust posture at karta.sh/trust.Residual risks
No platform boundary removes the need to design the agent carefully.- A tool with broad authority can still do broad damage inside the authority you gave it.
- A shared karta intentionally shares memory between everyone who uses that id.
- A browser session token is narrow and short-lived, but it is still a bearer token for its lifetime.
- BYOK keeps provider credentials under your account, but your provider may still process prompts and outputs under its own terms.
- Logs, transcripts, and workspace exports should be enabled and retained only according to your own policy.

