Security Model
Outlining the security architecture, authentication, and authorization mechanisms of the Agentforce Context Protocol.
Security is a foundational pillar of the Agentforce Context Protocol (ACP). The ACP security model is designed to ensure that all interactions between Agentforce agents, Connectors, and target systems are authenticated, authorized, and conducted securely, leveraging robust enterprise-grade security practices, particularly those inherent to the Salesforce platform.
Core Security Principles
ACP’s security model adheres to several key principles:
- Defense in Depth: Multiple layers of security controls are applied.
- Principle of Least Privilege: Agents and Connectors should only have the permissions necessary to perform their intended functions.
- Secure by Default: Configurations and practices aim for a high security posture out-of-the-box.
- Leverage Platform Security: ACP integrates with and extends the security capabilities of the underlying platforms, especially Salesforce.
Authentication
Authentication verifies the identity of the entities involved in an ACP interaction.
- Agent Authentication:
  - The mechanism for authenticating the AI agent itself depends on the environment hosting the agent.
  - When agents interact with ACP Connectors hosted within Salesforce, the agent's calls to those Connectors are authenticated via Salesforce's standard mechanisms (e.g., OAuth 2.0 flows, the JWT Bearer Flow, or session-based authentication if the agent is operating within a Salesforce user's session).
- Connector Authentication to Target Systems:
  - Connecting ACP to a target system is a user-driven process. A user with appropriate permissions establishes a "Connection" by authenticating to the target system through a guided setup (e.g., via OAuth 2.0, an API key, or a Bearer token, depending on what the target system requires).
  - Once that initial authentication succeeds, ACP stores and manages the resulting authentication details (tokens or keys) in a Salesforce Named Credential. Users never handle raw credentials in ongoing ACP configuration, and Connector code never sees them either: the platform injects them at callout time.
  - The Connector then uses the corresponding Named Credential for all subsequent interactions with the target system.
Authorization
Authorization determines what an authenticated entity is allowed to do within ACP and the target systems.
- Agent and User Permissions:
  - By default, an AI agent operating within ACP inherits the permissions of the user who is invoking or interacting with it. Any Tool the agent executes on that user's behalf respects the user's access rights and visibility in the target systems (e.g., Salesforce record access governed by sharing rules and field-level security).
  - This user context propagation is a key security feature: an agent cannot bypass existing user-level permissions by acting as an intermediary.
  - Inheriting user permissions is the standard, but the ACP framework allows customized permission models in specific, administrator-configured scenarios. For example, an agent might be configured to run certain background tasks in a system-level context; this is an explicit setup, never the default, and such tasks warrant the same review as any other elevated integration.
- Tool Access Control:
  - Access to specific Tools can be further restricted. If a Connector is implemented as an Apex class in Salesforce, standard Salesforce mechanisms such as profiles and permission sets control which users (and therefore which agents acting on their behalf) can execute that class's Tools.
- Connector Authorization within Target Systems:
  - As established during authentication, Connectors use credentials (managed by Named Credentials) that are tied to a specific identity in the target system.
  - The Connector therefore operates with the permissions granted to that identity in the target system. Combined with the agent inheriting user permissions, this gives a layered model: an action must be permitted both for the invoking user (enforced on the Salesforce side) and for the identity configured in the Connection's Named Credential (enforced by the target system). Note that the target system only ever sees the Connection's identity, so its own audit trail attributes every action to that identity; per-user accountability comes from the Salesforce side, which is one more reason Connector code must enforce the invoking user's permissions rather than rely on the target to do so.
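The user-context propagation and layered authorization described above, shown from the Salesforce side as an added Apex example. This is not ACP's own code: the invocable-action shape, the tool label and the response fields are assumptions for illustration, while with sharing, WITH USER_MODE, the Schema describe checks and Database.update with AccessLevel.USER_MODE are standard Apex features. The point it demonstrates is that every check runs against the invoking user, so an agent calling this Tool cannot read or change a Case that user could not touch directly.

```apex
// Added example (not ACP's own code): a Connector tool that reads and updates
// Cases strictly within the invoking user's access. The tool label, request
// and result shapes are hypothetical; Case.Status is a standard field.
public with sharing class CaseStatusConnector {   // "with sharing": record-level sharing rules apply

    public class Request {
        @InvocableVariable(required=true) public Id caseId;       // untrusted, agent-supplied
        @InvocableVariable(required=true) public String newStatus; // untrusted, agent-supplied
    }
    public class Result {
        @InvocableVariable public Boolean updated;
        @InvocableVariable public String message;
    }

    // Tool entry point, assumed here to be exposed as an invocable action.
    @InvocableMethod(label='Update case status')
    public static List<Result> updateStatus(List<Request> requests) {
        List<Result> results = new List<Result>();
        for (Request r : requests) {
            results.add(updateOne(r.caseId, r.newStatus));
        }
        return results;
    }

    @TestVisible
    private static Result updateOne(Id caseId, String newStatus) {
        Result res = new Result();
        res.updated = false;

        // Object- and field-level checks evaluate the *running user*, not the
        // Connector's author. If the user cannot edit Case.Status, stop here.
        if (!Schema.sObjectType.Case.isUpdateable()
                || !Schema.sObjectType.Case.fields.Status.isUpdateable()) {
            res.message = 'You do not have permission to update case status.';
            return res;
        }

        // USER_MODE applies sharing rules and FLS to the query itself: a Case
        // the user cannot see is simply not returned, so nothing is leaked.
        List<Case> cases = [SELECT Id, Status FROM Case WHERE Id = :caseId WITH USER_MODE LIMIT 1];
        if (cases.isEmpty()) {
            // Same message for "does not exist" and "not visible to you",
            // so the agent cannot probe record existence.
            res.message = 'Case not found.';
            return res;
        }

        Case c = cases[0];
        c.Status = newStatus;
        // Enforce again on the DML path: FLS via USER_MODE; an invalid picklist
        // value or a failing validation rule surfaces as a DmlException.
        try {
            Database.update(c, AccessLevel.USER_MODE);
            res.updated = true;
            res.message = 'Status updated.';
        } catch (DmlException e) {
            res.message = 'Update rejected: ' + e.getDmlMessage(0);
        }
        return res;
    }
}
```

Had the class been declared without sharing, or the query written without WITH USER_MODE, the same Tool would run with the Connector author's access and silently widen what the agent can do; the permission-set gating described under Tool Access Control limits who may call the class, but does not substitute for these in-method checks.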
Secure Communication
- Encryption in Transit: All communication between the AI agent and ACP Connectors, and between Connectors and target systems, MUST use strong encryption protocols like HTTPS (TLS 1.2 or higher) to protect data confidentiality and integrity during transmission.
- Data Protection: Sensitive data handled by ACP (e.g., parameters in requests, data in responses) should be treated according to data protection best practices and any relevant compliance requirements (e.g., GDPR, CCPA).
Connector Security Responsibilities
While ACP provides a secure framework, developers creating custom Connectors must still adhere to security best practices:
- Use the Connection's Named Credential for authentication (in Apex, a callout: endpoint); never embed tokens or build Authorization headers by hand.
- Handle sensitive data passed to or from the target system securely within the Connector's processing logic, and keep it out of debug output.
- Treat every input received from an agent as untrusted; it may originate from an end user or from model output. Validate against an allow-list of expected shapes and encode values before placing them in URLs, queries, or request bodies.
- Implement error handling that returns a generic message to the agent and does not echo upstream response bodies, stack traces, or internal hostnames.
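The responsibilities above, together with the Named Credential flow described under Connector Authentication to Target Systems, as one added Apex example. This is not ACP's or Salesforce's own code: the Named Credential name ACP_Ticketing, the target's /api/v1/tickets path and its JSON fields, the ticket identifier format and the invocable-action shape are all assumptions for illustration. What it shows is that the class contains no secret to leak, that agent input is checked against an allow-list before it reaches the URL, and that every failure path hands the agent a generic message while the detail goes to the debug log.

```apex
// Added example (not ACP's or Salesforce's own code): an Apex Connector tool
// that reaches a target system through the Connection's Named Credential,
// validates agent-supplied input, and fails closed without leaking upstream
// detail. Hypothetical names: Named Credential "ACP_Ticketing", path
// "/api/v1/tickets/{id}", and the JSON fields "status" and "summary".
public with sharing class TicketLookupConnector {

    // Generic, agent-safe failure. Its message is the only thing the agent sees.
    public class ToolException extends Exception {}

    public class Request {
        @InvocableVariable(required=true) public String ticketId;   // untrusted
    }
    public class Response {
        @InvocableVariable public String status;
        @InvocableVariable public String summary;
    }

    // Tool entry point, assumed here to be exposed as an invocable action.
    @InvocableMethod(label='Look up ticket')
    public static List<Response> lookup(List<Request> requests) {
        List<Response> out = new List<Response>();
        for (Request r : requests) {
            out.add(fetchTicket(validateTicketId(r.ticketId)));
        }
        return out;
    }

    // Allow-list validation: accept only the identifier shape the target uses.
    // Extra path segments, query strings or injection payloads are rejected
    // before they can be concatenated into the URL.
    @TestVisible
    private static String validateTicketId(String raw) {
        if (String.isBlank(raw) || raw.length() > 16
                || !Pattern.matches('[A-Z]{2,5}-[0-9]{1,10}', raw)) {
            throw new ToolException('ticketId must look like ABC-123.');
        }
        return raw;
    }

    private static Response fetchTicket(String ticketId) {
        HttpRequest req = new HttpRequest();
        // "callout:<NamedCredential>" makes the platform resolve the host and
        // attach the credential captured when the Connection was created.
        // No token or key exists in this class, so none can be logged or leaked.
        req.setEndpoint('callout:ACP_Ticketing/api/v1/tickets/'
                        + EncodingUtil.urlEncode(ticketId, 'UTF-8'));
        req.setMethod('GET');
        req.setHeader('Accept', 'application/json');
        req.setTimeout(10000);

        HttpResponse res;
        try {
            res = new Http().send(req);
        } catch (CalloutException e) {
            // Detail to the debug log for admins; a generic message to the agent.
            System.debug(LoggingLevel.ERROR, 'ACP_Ticketing callout failed: ' + e.getMessage());
            throw new ToolException('Ticketing system unavailable.');
        }

        Integer code = res.getStatusCode();
        if (code == 401 || code == 403) {
            // The Connection's identity is rejected by the target (missing rights,
            // or the Connection needs re-authentication). Do not retry with other
            // credentials; surface it as a permission problem.
            System.debug(LoggingLevel.WARN, 'ACP_Ticketing denied request (HTTP ' + code + ')');
            throw new ToolException('Not permitted to read this ticket.');
        }
        if (code != 200) {
            // Never echo res.getBody(): upstream error pages may carry internal
            // hostnames, stack traces, or the account behind the Named Credential.
            System.debug(LoggingLevel.WARN, 'ACP_Ticketing HTTP ' + code + ' for ticket ' + ticketId);
            throw new ToolException(code == 404 ? 'Ticket not found.' : 'Ticketing system returned an error.');
        }

        try {
            Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
            Response out = new Response();
            out.status  = String.valueOf(body.get('status'));
            out.summary = String.valueOf(body.get('summary'));
            return out;
        } catch (JSONException e) {
            System.debug(LoggingLevel.ERROR, 'ACP_Ticketing returned a non-JSON body for ticket ' + ticketId);
            throw new ToolException('Ticketing system returned an unexpected response.');
        }
    }
}
```

The debug log lines above deliberately carry the ticket identifier and HTTP status but never the response body; in an org with Event Monitoring the same events would be the ones worth forwarding for audit.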
Auditing and Logging
- Interactions via ACP should be auditable. Connectors can log key events (e.g., Tool invocations, errors) to the logging systems of the platform they run on (e.g., Salesforce Event Monitoring for a durable audit trail, or debug logs for troubleshooting), taking care not to write request parameters or response payloads that may contain sensitive data.
- This allows administrators to monitor ACP usage, troubleshoot issues, and detect suspicious activity.
By combining these elements, the ACP security model aims to provide a trustworthy framework for Agentforce agents to interact with enterprise systems, ensuring that access is controlled, data is protected, and actions are accountable.