What security measures are used in agent API calls?
Last updated: June 25, 2025
To learn more about agent API calls, see "How do the API actions work?"
Credentials
Authorization credentials (e.g. a Bearer token) can be added to the header of your API call and will be stored securely.

Request Parameters
You can use variables, issue fields, or static strings in the Request Body. The AI Agent can only update a variable in the steps where that variable is explicitly referenced.

Don't use user-provided information to perform authentication or data scoping. Use account properties that you have populated directly in Pylon, for example, an organization_id to scope API calls.

Response Data Access
The AI agent will only access the data explicitly selected in the action's response payload. You can omit any fields you wish to restrict, and they will not be shared with the agent.
For instance, if an API call returns three fields (A, B, and C) and field C contains sensitive information, you can exclude it from the response data to ensure the agent cannot access it.
All API calls are made server-side and information is not passed to the AI unless specified in the response data.
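
The scoping rule under Request Parameters and the field selection under Response Data Access, sketched together as an added example. This is not Pylon's code: the account store, the key names and the dotted-path selection are assumptions made for illustration, and the sample data is constructed.

```python
from typing import Any

# Constructed sample data; every name here is hypothetical.
ACCOUNT_PROPERTIES = {"acct_1": {"organization_id": "org_111"}}  # populated by an admin
SCOPING_KEYS = {"organization_id", "account_id"}  # never taken from user input
SELECTED_FIELDS = ["A", "B", "owner.name"]  # response fields chosen for the agent


def build_request_body(account_id: str, user_fields: dict[str, Any]) -> dict[str, Any]:
    """Pass user-provided values through as data, but take scope from the account record."""
    body = {k: v for k, v in user_fields.items() if k not in SCOPING_KEYS}
    body["organization_id"] = ACCOUNT_PROPERTIES[account_id]["organization_id"]
    return body


def scope_mismatch(account_id: str, user_fields: dict[str, Any]) -> bool:
    """True when the user claimed a different organization; worth logging for review."""
    claimed = user_fields.get("organization_id")
    trusted = ACCOUNT_PROPERTIES[account_id]["organization_id"]
    return claimed is not None and claimed != trusted


def project_response(payload: dict[str, Any], selected: list[str]) -> dict[str, Any]:
    """Copy only the selected dotted paths; everything else stays server-side."""
    out: dict[str, Any] = {}
    for path in selected:
        keys = path.split(".")
        value: Any = payload
        for key in keys:
            if not isinstance(value, dict) or key not in value:
                break  # field absent in this response: expose nothing for it
            value = value[key]
        else:
            dst = out
            for key in keys[:-1]:
                dst = dst.setdefault(key, {})
            dst[keys[-1]] = value
    return out
```

Because the projection is an allowlist, a field the API starts returning later stays hidden from the agent until it is explicitly selected.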