> ## Documentation Index
> Fetch the complete documentation index at: https://docs.argentos.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Overview

> How ArgentOS protects your system — sandboxing, authentication, and secret management.

## Overview

ArgentOS gives an AI agent significant power over your system -- command execution, file access, web browsing, and network communication. Security is built into every layer to ensure this power is used responsibly.

## Security Layers

<CardGroup cols={3}>
  <Card title="Sandboxing" icon="box" href="/security/sandboxing">
    Control what tools the agent can use and what operations require approval
  </Card>

  <Card title="Authentication" icon="key" href="/security/auth">
    Multiple authentication mechanisms protect different parts of the system
  </Card>

  <Card title="Secret Management" icon="vault" href="/security/secrets">
    Secure handling of API keys, tokens, and credentials
  </Card>
</CardGroup>

## Threat Model

| Threat                           | Mitigation                                    |
| -------------------------------- | --------------------------------------------- |
| Agent executing harmful commands | Sandboxing, tool policies, approval workflows |
| Unauthorized gateway access      | Gateway auth tokens, network restrictions     |
| API key exposure                 | Local-only storage, file permissions          |
| Memory data leakage              | Local SQLite, no external transmission        |
| Channel impersonation            | User allowlists, channel pairing              |

## Default Security Posture

Out of the box, ArgentOS ships with:

* **Sandboxed mode** for tool execution
* **Gateway auth** enabled
* **Localhost-only** binding (no remote access by default)
* **User allowlists** empty (allows all, but easy to restrict)
* **API keys** stored with user-only file permissions

## Security Best Practices

<Warning>
  Follow these practices for a secure deployment:
</Warning>

1. **Enable gateway authentication** -- Always use an auth token
2. **Use sandboxed mode** -- Require approval for destructive operations
3. **Restrict channel access** -- Set `allowedUsers` on each channel
4. **Use Tailscale for remote access** -- Never expose the gateway directly to the internet
5. **Rotate API keys** periodically
6. **Monitor gateway logs** for unusual activity
7. **Keep ArgentOS updated** for security patches

## Principle of Least Privilege

Configure each agent with the minimum tools and permissions it needs:

| Agent Type      | Recommended Mode | Details                      |
| --------------- | ---------------- | ---------------------------- |
| Customer-facing | Locked           | No exec, no browser          |
| Personal        | Sandboxed        | Approval for destructive ops |
| Development     | Unrestricted     | Controlled environment only  |

## Reporting Security Issues

Report security vulnerabilities to [security@argentos.ai](mailto:security@argentos.ai). Do not open public issues for security reports.
