Security Model

Identity, access control, auditability, and platform security by design.

Argy treats security as a platform pillar: identity, governance, traceability, and guardrails are designed into the product.

Identity & Access (IAM)

Passwordless-first authentication

Argy is passwordless-first:

  • WebAuthn / Passkeys (primary)
  • Magic link (onboarding, recovery, fallback — disabled when SSO is active)
  • OIDC per tenant (Microsoft Entra ID, Okta, Google Workspace)
  • SAML 2.0 per tenant (enterprise SSO)
  • Device Flow (RFC 8628) for agents and terminals

Password authentication is explicitly disabled.

Per-tenant SSO

Argy supports a distinct IdP per tenant: each organization can connect its own identity provider without affecting other tenants.

Users only enter their email address. Argy automatically resolves the IdP and redirects them seamlessly — no manual action is required from end users.

When SSO is active for a tenant, magic links are automatically disabled.

SSO configuration is managed by an administrator (PLATFORM_ADMIN) via the Argy API. Supported protocols are OIDC (Authorization Code + PKCE) and SAML 2.0. Users are automatically provisioned on first login (Just-in-Time).

For step-by-step setup instructions, see SSO Configuration.

RBAC roles

Typical roles include:

  • PLATFORM_ADMIN
  • PLATFORM_ENGINEER
  • PLATFORM_PM
  • PLATFORM_USER
  • COMPLIANCE_APPROVER

Argy supports SCIM for provisioning users and groups.

Multi-tenancy & Data Isolation

Argy enforces tenant isolation at multiple layers:

  • Database: complete data isolation per tenant
  • API: tenant context validated on every request
  • Object storage: per-tenant partitioning
  • LLM governance: quotas and filters per tenant and organization

Auditability

  • Every action is logged with context (who/what/when/resource).
  • LLM requests are traceable (user, model, tenant) with correlation IDs.
  • Minimum retention: 90 days, exportable as CSV.
  • Optional encryption for request/response content.

Transport & Data Encryption

  • TLS 1.2+ for all HTTP traffic
  • Encryption at rest for credentials and secrets
  • Tokens signed with an asymmetric algorithm (RS256)
  • Short-lived sessions with automatic expiry

Service-to-service Security

Internal service calls are protected with HMAC signing to prevent replay and tampering.
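
The page does not describe Argy's signing scheme. The following is an added example, not Argy's code, of one common way HMAC request signing rejects both tampered and replayed calls. The header names, canonical string layout, 300-second freshness window and in-memory nonce cache are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window, not an Argy setting


def _canonical(method, path, ts, nonce, body):
    # Bind every field a caller could alter; hashing the body keeps the
    # canonical string newline-delimited and unambiguous.
    digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, ts, nonce, digest]).encode()


def sign_request(key, method, path, body, now=None):
    """Caller side: return hypothetical headers carrying the signature."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, _canonical(method, path, ts, nonce, body), hashlib.sha256)
    return {"X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class Verifier:
    """Receiver side: rejects tampered, stale and replayed requests."""

    def __init__(self, key):
        self._key = key
        self._seen = {}  # nonce -> timestamp the request was signed at

    def verify(self, method, path, body, headers, now=None):
        now = time.time() if now is None else now
        try:
            ts, nonce, sig = headers["X-Timestamp"], headers["X-Nonce"], headers["X-Signature"]
            signed_at = int(ts)
        except (KeyError, ValueError):
            return "malformed"
        expected = hmac.new(self._key, _canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "bad-signature"
        if abs(now - signed_at) > MAX_SKEW_SECONDS:
            return "stale"
        # Forget nonces older than the window; a request that old is already stale.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= MAX_SKEW_SECONDS}
        if nonce in self._seen:
            return "replay"
        self._seen[nonce] = signed_at
        return "ok"
```

With more than one receiver replica, the nonce cache has to live in a shared store, otherwise a captured request can be replayed against a different instance.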

Kubernetes Hardening (Self-Hosted / On-Prem)

When deployed on Kubernetes, Argy services follow hardening best practices:

  • Pod Disruption Budgets (PDB)
  • Default-deny Network Policies with per-service rules
  • Non-root containers, read-only root filesystem, dropped capabilities
  • Anti-affinity to spread critical services across nodes

Security Scanning

Argy includes security tooling such as:

  • Trivy vulnerability scanning (images, filesystem, IaC)
  • Gitleaks secret detection
  • SBOM generation

Execution Agents

Execution agents can run in SaaS-managed or self-hosted modes. They are protected by:

  • Isolated workspace per run
  • Read-only filesystem (except working directory)
  • Non-root execution

To see how governance and guardrails translate into outcomes, browse the use cases.