# Trust and Security

Cakewalk Agent Access enforces trust through structural choices: Agents never see real credentials, the MCP Gateway is the choke point and the audit trail is immutable. This page explains the parts and the boundaries.

***

### 📖 Key Concepts

* **Credential Mediation**: Agents never receive real tokens. The gateway holds credentials in a vault and injects them into outbound requests at proxy time.
* **Reference ID**: The opaque, session-scoped identifier the Agent holds in place of the real credential. Useless outside the gateway.
* **Vault**: The encrypted store where Cakewalk holds OAuth tokens. The vault is stateful; the gateway is stateless.
* **Layer boundary**: Cakewalk governs access. Downstream apps enforce what happens once access is granted.

💡 *Why this matters:* Prompt injection is the primary risk for Agents. With real tokens in an Agent's context, a poisoned document can exfiltrate credentials. With reference IDs, the same attack returns a useless string.

***

### 🗝️ Credential Mediation

Credentials live in the Cakewalk vault. Agents receive a reference ID: a session-scoped, principal-bound identifier that means nothing to anyone outside the gateway.

On every tool call:

1. The Agent presents its reference ID.
2. The gateway looks up the real credential.
3. The gateway injects the credential into the outbound HTTP request.
4. The downstream Connection sees a request that looks like the User made it directly.
5. The Agent sees the response. The credential never reaches the Agent.

This is the structural mitigation for prompt injection. If the Agent's context is compromised, no real credential can be stolen. The reference ID expires when the session ends.
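The five-step path above as a runnable sketch in Go, added here as an illustration and not Cakewalk's own code: the `Gateway`, `Vault`, `Issue`, `Revoke` and `downstream` names, the policy version string and the sample token are all constructed for the example. Revoking a reference ID drops only the session binding, the credential stays in the vault, and the audit event recorded per call keeps the Policy version that was current when the call was made.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Vault is the stateful store of real OAuth tokens, keyed by principal (constructed sample data only).
type Vault struct{ tokens map[string]string }

// AuditEvent is written once per tool call and never modified afterwards.
type AuditEvent struct{ RefID, Tool, PolicyVersion, Outcome string }

// Gateway holds the session table (reference ID -> principal) and the current Policy version; credentials stay in the vault.
type Gateway struct {
	vault  *Vault
	refs   map[string]string
	Policy string
	audit  []AuditEvent // append-only
}

func NewGateway(v *Vault, policy string) *Gateway {
	return &Gateway{vault: v, refs: map[string]string{}, Policy: policy}
}

// Issue binds a session-scoped reference ID to a principal; Revoke drops only that binding.
func (g *Gateway) Issue(refID, principal string) { g.refs[refID] = principal }
func (g *Gateway) Revoke(refID string)           { delete(g.refs, refID) }

// Call resolves the reference ID, injects the real credential into the outbound request,
// records the Policy that fired, and hands the Agent only the downstream response.
func (g *Gateway) Call(refID, tool string) (string, error) {
	principal, ok := g.refs[refID]
	if !ok {
		return "", errors.New("reference ID unknown, expired or revoked")
	}
	outbound := fmt.Sprintf("GET /%s HTTP/1.1\r\nAuthorization: Bearer %s\r\n", tool, g.vault.tokens[principal])
	resp := downstream(outbound)
	g.audit = append(g.audit, AuditEvent{refID, tool, g.Policy, "allowed"})
	return resp, nil
}

// downstream stands in for the Connection, which sees a request that looks as if the User made it directly.
func downstream(req string) string {
	if strings.Contains(req, "Authorization: Bearer ") {
		return "200 OK {\"records\":3}"
	}
	return "401 Unauthorized"
}
```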

***

### 🛡️ The Vault

The vault is where credentials are stored at rest:

* **Envelope encryption**: Each credential is encrypted with a fresh AES-256-GCM data key. The data key is wrapped with an RSA public key from Cakewalk's key service.
* **Per-tenant isolation**: Each customer's credentials are scoped to their tenant.
* **OAuth only**: Cakewalk ships OAuth Connections.
* **Rotation**: OAuth refresh is handled transparently. The Agent is unaffected when a token rotates.

Credentials belong to the User. When an Agent's reference ID is revoked, the credential stays in the vault. The User can use it on the next session.
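The envelope layout described above as an added Go example, not Cakewalk's implementation: `Seal` and `Open`, the OAEP label and the use of the tenant ID as GCM associated data are assumptions made here, and a locally generated RSA key pair stands in for the key service's key. Each call to `Seal` draws a fresh 256-bit data key, so two records for the same credential never share one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is one vault record: the credential under its own data key, plus that data key wrapped to the key service's RSA public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(dataKey)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(credential); tenant ID bound as AAD
}

var oaepLabel = []byte("vault-data-key") // assumed label; the docs do not specify one

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal: a fresh 256-bit data key per credential, AES-256-GCM with the tenant ID as associated
// data (an assumption standing in for per-tenant isolation), then the data key wrapped with RSA-OAEP.
func Seal(pub *rsa.PublicKey, tenant string, credential []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil { return nil, err }
	gcm, err := newGCM(dataKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, credential, []byte(tenant))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil { return nil, err }
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the data key and authenticates the ciphertext: a wrong tenant or a tampered byte fails closed.
func Open(priv *rsa.PrivateKey, tenant string, e *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, oaepLabel)
	if err != nil { return nil, err }
	gcm, err := newGCM(dataKey)
	if err != nil { return nil, err }
	return gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(tenant))
}
```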

***

### 🧱 The Layer Boundary

Cakewalk operates at one layer. Other systems operate at adjacent layers. The boundary is intentional.

| Layer                    | Who owns it                       | Example                                                          |
| ------------------------ | --------------------------------- | ---------------------------------------------------------------- |
| **Access governance**    | Cakewalk                          | Should this Agent be allowed to call this tool?                  |
| **Action enforcement**   | Downstream app or runtime partner | Within the granted scope, is this specific operation acceptable? |
| **Resource permissions** | Downstream app                    | Can the User access this specific record?                        |

Cakewalk decides whether a tool call passes the gateway and under what action-type constraints. What the Agent does within those constraints at the resource level (this Salesforce record, this GitHub repo, this Notion page) is the downstream app's responsibility.

***

### 📜 Audit Immutability

Every tool call produces an [audit event](/docs/ai-agent-access/concepts/audit-log.md). Audit events are immutable:

* Cannot be edited after they are written
* Survive Policy changes, User offboarding and Agent restriction
* Retain the Policy that fired at the time of the call, not the current Policy

Audit is the output of enforcement. Every tool call that passes the gateway leaves a complete record. Tool calls that bypass the gateway, such as direct API access with a leaked credential, are not captured.

***

### 🚧 Scope Boundaries

Cakewalk governs access at the Connection and tool-call level. Three things sit outside this scope:

* **Resource-level access.** Per-record permissions (this Salesforce record, this GitHub repo, this Notion page) stay with the downstream app.
* **Compositional risk.** Each tool call is evaluated independently. Decisions based on an Agent's accumulated access path across a session are not part of the current evaluation model.
* **Agent-to-agent delegation.** Sessions are single-Agent. Recursive delegation chains are out of scope.

***

### Related Concepts

* [The MCP Gateway](/docs/ai-agent-access/concepts/the-mcp-gateway.md): the choke point credential mediation runs through
* [The Tool Call Lifecycle](/docs/ai-agent-access/concepts/the-tool-call-lifecycle.md): where credential injection happens (Step 5)
* [Audit Log](/docs/ai-agent-access/concepts/audit-log.md): the immutable record of every tool call
* [Policies](/docs/ai-agent-access/concepts/policies.md): what gets enforced at the gateway
