Authentication

AgentMark supports email/password authentication for all tiers and SAML 2.0 SSO for Team and Enterprise tiers.

SSO (Team and Enterprise)

Configure SAML 2.0 single sign-on for your organization:
  • Supported providers: Azure AD, Okta, Google Workspace, and any SAML 2.0-compliant IdP
  • Domain allowlisting: restrict sign-in to specific email domains
  • Enforcement mode: require SSO for all org members (no password fallback)
  • Attribute mapping: map IdP attributes (full name, first/last name) to AgentMark profiles
To configure SSO, navigate to Settings → SSO in the AgentMark Dashboard.

Data protection

PII masking

Redact sensitive data from traces before it leaves your application. Masking runs in your application process, so configured attributes are redacted before the OTel exporter sends them.
```typescript
import { AgentMarkSDK, createPiiMasker } from '@agentmark-ai/sdk';

const sdk = new AgentMarkSDK({
  apiKey: process.env.AGENTMARK_API_KEY!,
  appId: process.env.AGENTMARK_APP_ID!,
  mask: createPiiMasker({ email: true, ssn: true }),
});
sdk.initTracing();
```

For a zero-code option, set AGENTMARK_HIDE_INPUTS=true or AGENTMARK_HIDE_OUTPUTS=true to redact LLM request inputs or response outputs (the gen_ai.request.* and gen_ai.response.* attributes) to [REDACTED] before export. Full PII masking docs →
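
The sketch below is an added example, not AgentMark SDK code: it illustrates in-process redaction of span attributes using the switches named above, plus a leak check you can run in a test before anything is exported. The function names, regex detectors, the replacement token used for PII matches, and the sample attribute keys are assumptions.

```typescript
// Added illustration, not AgentMark SDK code. Names and patterns are assumptions.
type Attrs = Record<string, unknown>;

interface MaskOptions {
  email?: boolean;
  ssn?: boolean;
  hideInputs?: boolean;  // mirrors AGENTMARK_HIDE_INPUTS=true
  hideOutputs?: boolean; // mirrors AGENTMARK_HIDE_OUTPUTS=true
}

const REDACTED = "[REDACTED]";
// Simplified detectors for this example only.
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const SSN = /\b\d{3}-\d{2}-\d{4}\b/g;

// Returns a redacted copy; the original attribute object is left untouched.
function maskAttributes(attrs: Attrs, opts: MaskOptions): Attrs {
  const out: Attrs = {};
  for (const [key, value] of Object.entries(attrs)) {
    const hidden =
      (opts.hideInputs === true && key.startsWith("gen_ai.request.")) ||
      (opts.hideOutputs === true && key.startsWith("gen_ai.response."));
    if (hidden) { out[key] = REDACTED; continue; }
    if (typeof value !== "string") { out[key] = value; continue; }
    let text = value;
    if (opts.email) text = text.replace(EMAIL, REDACTED);
    if (opts.ssn) text = text.replace(SSN, REDACTED);
    out[key] = text;
  }
  return out;
}

// True when a string value still matches one of the detectors.
function hasPii(v: unknown): boolean {
  return typeof v === "string" &&
    (new RegExp(EMAIL.source).test(v) || new RegExp(SSN.source).test(v));
}

// Pre-export check: keys whose values would leak PII if exported as-is.
function findLeaks(attrs: Attrs): string[] {
  return Object.entries(attrs).filter(([, v]) => hasPii(v)).map(([k]) => k);
}

// Constructed sample span attributes (keys are made up under the page's prefixes).
const sample: Attrs = {
  "gen_ai.request.input": "Summarise the ticket from jane.doe@example.com",
  "gen_ai.response.output": "Customer SSN 123-45-6789 was verified",
  "app.note": "contact bob@example.org",
  "http.status_code": 200,
};
```

Running `findLeaks` over the masked attributes in a unit test gives a regression check that a configuration change has not silently disabled redaction.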

Encryption

  • In transit: all API communication uses TLS 1.2+ (terminated at Cloudflare)
  • At rest: data stored in Supabase (PostgreSQL) and ClickHouse with provider-managed encryption at rest

Provider API keys (managed deployments)

Every AgentMark app runs as a managed deployment. The AI provider keys you configure (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.) are stored as encrypted secrets in our vault, using authenticated encryption with a root key held outside the application database.
  • Scoped per app — one app’s keys are never visible to another
  • Decrypted only when needed — values are pulled from the vault at build time and injected into the handler runtime, or when an authorized dashboard user explicitly clicks “reveal” on a single variable
  • Never written to logs — env var values are excluded from build logs, request logs, and trace exports
  • Deleted on demand — removing a variable from the dashboard deletes the underlying vault secret in the same transaction

AgentMark API key security

AgentMark API keys (the keys your code uses to authenticate with AgentMark) are issued with per-tier rate limiting and scoped to individual apps — no single key grants access across your organization. Each key carries a permission set that controls which API endpoints it can call. Choose a preset role (SDK, Read-Only, Full Access) or build a Custom permission set. The gateway enforces these permissions on every request and returns 403 when a key lacks the required permission. See the API keys walkthrough and Users and access control for details.

Data residency

If you have regional hosting, on-prem, or data residency requirements, contact us — Enterprise deals can accommodate custom arrangements.

Data retention

Data retention varies by tier:
| Tier | Retention |
| --- | --- |
| Hobby | 7 days |
| Growth | 90 days |
| Team | 90 days |
| Enterprise | Configurable |

Temporary support access

When Enterprise customers need hands-on support, AgentMark support engineers can grant themselves temporary read-only access to a tenant’s data. Access auto-expires after 24 hours and requires customer permission confirmation. All access grants are recorded in an immutable audit log.
