Overview
You can use API tools to create a custom authorization layer that controls access to your AI agent, specific tools, or knowledge base. This allows you to enforce business rules, subscription tiers, or permissions before the agent processes requests.How It Works
- Create an API tool that calls your authorization endpoint
- Pass user context (
sender.uid,sender.role, custom variables) to your backend - Your backend returns authorization decisions
- The agent uses the response to determine what actions are allowed
Pattern 1: Gate Access to the Entire Agent
Create an API tool that checks if a user can access the agent at all. API Tool Configuration:
Headers:
Pattern 2: Control Access to Specific Tools
Gate access to sensitive tools based on user permissions. API Tool Configuration:
Parameters (defined in API Tool):
Parameters defined in the API tool are sent as query parameters when the API call is made. The agent fills in these values based on the parameter description. In this case, the request would be:
GET https://your-api.com/auth/tool-permission?toolName=exportDataPattern 3: Knowledge Base Access Control
Control access to the knowledge base or validate retrieved information.Access control can be applied at two levels: gating access to the entire knowledge base, or validating/redacting information after retrieval.
Option A: Gate Access to Knowledge Base
Check if a user can use the knowledge base at all before searching. API Tool Configuration:
Body Template:
Option B: Validate Retrieved Information
After retrieving information from the knowledge base, validate whether the user should see it. API Tool Configuration:
Parameters (defined in API Tool):
Headers:
Pattern 4: Rate Limiting / Usage Tracking
Track and limit API usage per user. API Tool:checkUsageQuota
Endpoint: https://your-api.com/auth/usage-quota
Body Template:
Setting Up Custom Variables for Auth
To pass additional user context beyond the built-in auth variables: User Metadata Variables – Pull from CometChat user metadata- Source Type:
User Metadata - Source Path:
subscriptionTier(or your metadata field)
- Source Type:
Message Metadata - Source Path:
sessionToken
- Source Type:
Constant - Value: Your API key or config value
Best Practices
If your auth API is unreachable, default to denying access rather than allowing it.
- Cache Decisions – Have your backend cache auth decisions to reduce latency
- Log Access – Track who accessed what for audit purposes
- Graceful Degradation – Provide helpful messages when access is denied
- Use HTTPS – Always use secure endpoints for auth calls