Skip to main content

Overview

You can use API tools to create a custom authorization layer that controls access to your AI agent, specific tools, or knowledge base. This allows you to enforce business rules, subscription tiers, or permissions before the agent processes requests.

How It Works

  1. Create an API tool that calls your authorization endpoint
  2. Pass user context (sender.uid, sender.role, custom variables) to your backend
  3. Your backend returns authorization decisions
  4. The agent uses the response to determine what actions are allowed

Pattern 1: Gate Access to the Entire Agent

Create an API tool that checks if a user can access the agent at all. API Tool Configuration: Headers:
Body Template:
Your Backend Response:
Agent Instructions:

Pattern 2: Control Access to Specific Tools

Gate access to sensitive tools based on user permissions. API Tool Configuration: Parameters (defined in API Tool):
Parameters defined in the API tool are sent as query parameters when the API call is made. The agent fills in these values based on the parameter description. In this case, the request would be: GET https://your-api.com/auth/tool-permission?toolName=exportData
Headers:
Your Backend Logic:
Agent Instructions:

Pattern 3: Knowledge Base Access Control

Control access to the knowledge base or validate retrieved information.
Access control can be applied at two levels: gating access to the entire knowledge base, or validating/redacting information after retrieval.

Option A: Gate Access to Knowledge Base

Check if a user can use the knowledge base at all before searching. API Tool Configuration: Body Template:
Your Backend Response:
Agent Instructions:

Option B: Validate Retrieved Information

After retrieving information from the knowledge base, validate whether the user should see it. API Tool Configuration: Parameters (defined in API Tool): Headers:
Your Backend Response:
Or if content should be redacted:
Agent Instructions:

Pattern 4: Rate Limiting / Usage Tracking

Track and limit API usage per user. API Tool: checkUsageQuota Endpoint: https://your-api.com/auth/usage-quota Body Template:
Your Backend Response:

Setting Up Custom Variables for Auth

To pass additional user context beyond the built-in auth variables: User Metadata Variables – Pull from CometChat user metadata
  • Source Type: User Metadata
  • Source Path: subscriptionTier (or your metadata field)
Message Metadata Variables – Pull from message context
  • Source Type: Message Metadata
  • Source Path: sessionToken
Constant Variables – Static configuration values
  • Source Type: Constant
  • Value: Your API key or config value

Best Practices

If your auth API is unreachable, default to denying access rather than allowing it.
  • Cache Decisions – Have your backend cache auth decisions to reduce latency
  • Log Access – Track who accessed what for audit purposes
  • Graceful Degradation – Provide helpful messages when access is denied
  • Use HTTPS – Always use secure endpoints for auth calls

Example Agent Instructions Template