Security

Single-tenant model

For services billable through AgentDNS in v1, we hold the API credentials with the provider — AgentDNS is the customer of record. We re-bill end users for what they consume, and we identify them back to providers via supported user-tagging fields whenever available (e.g. OpenAI user, Anthropic metadata.user_id).

For catalog-only services (anything outside the v1 list), users provide their own API key (BYO). AgentDNS never sees any provider billing — it only proxies the call.

Credential storage

• •User OAuth tokens and BYO API keys are stored locally on the user's machine, in ~/.agent-gateway/. They are never synced to any AgentDNS server. Cloud sync was removed in v0.7.x.
• •Server-side BYO blobs (when a user opts to push their key to the registry for cross-machine use) are encrypted at rest in the user_service_enablement.byo_credential_blob column.
• •Provider credentials we own (for v1 paid services) live in the registry's service_credentials table, encrypted at rest, rotated periodically.
• •Card details are stored only by Stripe. AgentDNS holds a stripe_customer_id and never sees PAN data.

Acceptable Use Policy

Because we resell paid services on behalf of users, abuse of those services lands on our account. Our Acceptable Use Policy covers spam, generated-content abuse, scraping, and fraud — and gives us the right to suspend any user causing provider-side incidents.

We pass per-user identifiers to providers wherever supported, so abuse can be tracked individually and we can co-operate with provider abuse desks at user granularity rather than account-wide.

Trust Levels

Every service in the registry has a trust level. By default, only trusted services (verified + community) appear in search results.

Rate limits

Public registry endpoints are rate-limited per-IP. The gateway additionally enforces per-user sliding-window limits on every provider call so a single user cannot exhaust shared provider quotas. Defaults are conservative (e.g. provider-limit / 100) and are tightened service-by-service if abuse is detected.

When rate limited, the API returns HTTP 429 with a Retry-After header indicating when you can retry.

Domain Protection

To prevent domain squatting, manual submissions are blocked for major domains (Google, Amazon, Stripe, GitHub, etc.). To register a protected domain, use auto-discover mode — the service must actually host a /.well-known/agent manifest, proving ownership.

Admin-blocked domains are rejected in all submission modes.

Input Validation

All inputs are validated and sanitized before processing.

• ✓All URLs must use HTTPS (no HTTP, javascript:, data:, or file: schemes)
• ✓SSRF protection: localhost and private IPs are rejected
• ✓HTML tags are stripped from all text fields
• ✓Detail URLs must be relative or same-domain HTTPS
• ✓Domain format validation (no IPs, no ports)

Reporting

Found a service that violates our policies or appears malicious? You can report it directly from the service detail page using the "Report" button, or via the API:

POST /api/reports
Content-Type: application/json

{
  "domain": "suspicious-service.com",
  "reason": "Phishing — impersonating a legitimate service"
}

Reports are reviewed by the AgentDNS team. Confirmed violations result in the service being blocked.

Security Headers

All responses include security headers: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Referrer-Policy. CORS is enabled for API endpoints to support cross-origin agent requests.