Managing Permissions
Every tool runs in a sandbox that has no network access and no environment variables by default. You explicitly grant the permissions each tool needs. This guide covers how to configure network access and environment variables.
Before you begin
- You need to be editing a tool version (the permissions tab is on the tool edit page).
- You need to know which external domains your tool calls and what credentials it needs.
Opening the permissions panel
Navigate to Tools, click the tool, click Edit on the version you want to configure, then click the Permissions tab in the right panel.
The panel has two sections: Network Access and Environment Variables.
Configuring network access
Network access controls which domains your tool can make HTTP requests to. If your tool calls an external API, you must add that API's domain here.
Adding a domain
- In the Network Access section, type the domain in the text field (for example,
api.example.com). - Click Add or press Enter.
- The domain appears in the list above.
Using wildcards
You can use wildcards to allow access to all subdomains of a domain. For example, *.example.com allows requests to api.example.com, data.example.com, and any other subdomain.
Removing a domain
Hover over a domain in the list and click the trash icon to remove it.
Configuring environment variables
Environment variables let your tool access API keys, tokens, and other credentials securely. The values are injected at runtime and never appear in your code or logs.
Security: Always enter credential values in the Permissions tab, never in chat. The value input on this tab is masked, and the secret is stored on the server -- it is never sent to the LLM and never written to your chat history. Pasting an API key into a chat message (for example, "Set
API_KEYtosk_live_...") exposes it to the model, any logs that capture model input, and anyone with access to the conversation. Do the same for domains on the network whitelist: configure them here so the full permission set lives in one reviewable place.
Adding a custom variable
- In the Environment Variables section, make sure the Custom Value tab is selected.
- Enter the Variable Name (for example,
API_KEY). Names are automatically uppercased. - Enter the Value. This field is masked for security.
- Click Add Custom Variable.
The variable appears in the list with a purple "Custom" badge.
Adding a variable from a connection
If your workspace has data connections configured (for example, an API key stored in a connection), you can link an environment variable to it.
- Click the From Connection tab.
- Enter the Variable Name (for example,
OPENAI_API_KEY). - Select the Connection from the dropdown. Each connection shows its provider name and scope (Workspace or Personal).
- If the connection has multiple fields, select the Field you want.
- Click Add Environment Variable.
The variable appears in the list with a blue "Connection" badge and shows which connection field it is linked to.
Connection-linked variables are resolved at runtime. If the connection's credentials are rotated, the tool automatically picks up the new values.
Removing a variable
Hover over a variable in the list and click the trash icon to remove it.
How permissions are resolved
If the same environment variable is configured at both the workspace level and the user level, the user-level value takes precedence. This allows individual users to override workspace defaults when needed.
Permission levels
| Scope | What it means |
|---|---|
| Workspace | Available to all executions of the tool within the workspace |
| User override | Available only when a specific user triggers the tool. Overrides the workspace value. |