
Security & Auth

For the isolation model and trust boundaries, see Security Model.

Cap kernel resources per VM to prevent runaway agents. Resource limits live under limits.resources. Every field is optional; any field left unset falls back to a built-in default.

```typescript
import { agentOs } from "rivetkit/agent-os";
import { setup } from "rivetkit";
import common from "@rivet-dev/agent-os-common";
import pi from "@rivet-dev/agent-os-pi";

const vm = agentOs({
  options: {
    software: [common, pi],
    limits: {
      // Per-VM caps on kernel resources; unset fields use built-in defaults.
      resources: {
        cpuCount: 1,
        maxProcesses: 64,
        maxFilesystemBytes: 512 * 1024 * 1024, // 512 MB
        maxWasmMemoryBytes: 256 * 1024 * 1024, // 256 MB
      },
    },
  },
});

export const registry = setup({ use: { vm } });
registry.start();
```

VM network access is governed by kernel Permissions. By default, the VM's outbound networking is also protected by SSRF checks that block requests to loopback addresses. loopbackExemptPorts exempts specific loopback ports from those checks, for example to reach a host-side mock server during testing. Exempt only ports you control, since each exemption lets the agent reach that host-side service directly.

```typescript
import { agentOs } from "rivetkit/agent-os";
import { setup } from "rivetkit";
import common from "@rivet-dev/agent-os-common";

const vm = agentOs({
  options: {
    software: [common],
    // Loopback ports the SSRF checks will allow the VM to reach.
    loopbackExemptPorts: [8080, 3000],
  },
});

export const registry = setup({ use: { vm } });
registry.start();
```

Use the onBeforeConnect hook to validate clients before they access the agent.

```typescript
import { agentOs } from "rivetkit/agent-os";
import { setup, UserError } from "rivetkit";
import common from "@rivet-dev/agent-os-common";
import pi from "@rivet-dev/agent-os-pi";

const vm = agentOs({
  // Runs before a client gets access to the agent; throwing rejects the connection.
  onBeforeConnect: async (c, params: { authToken: string }) => {
    const isValid = await verifyToken(params.authToken);
    if (!isValid) {
      throw new UserError("Forbidden", { code: "forbidden" });
    }
  },
  options: { software: [common, pi] },
});

export const registry = setup({ use: { vm } });
registry.start();

async function verifyToken(token: string): Promise<boolean> {
  // Your authentication logic; this fixed-string comparison is only a placeholder.
  return token === "valid-token";
}
```
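The placeholder verifyToken above accepts one fixed string. The following is an added example, not rivetkit's or agent-os's own code, of a verifyToken that checks an HMAC-signed, expiring token with a constant-time comparison; it assumes only the hook shape shown above (params carrying an authToken string), Node's built-in crypto module, and a signing secret supplied through an environment variable named here as AGENT_TOKEN_SECRET (an assumed name):

```typescript
// Added example (not rivetkit's own code): a signed, expiring token that the
// onBeforeConnect hook above can verify instead of comparing a fixed string.
// Only Node's built-in crypto module is used.
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumption: in a deployment the secret is injected via the environment.
export const SIGNING_SECRET = process.env.AGENT_TOKEN_SECRET ?? "dev-only-secret-change-me";

export interface TokenClaims {
  sub: string; // who the token was issued to
  exp: number; // expiry, seconds since the Unix epoch
}

// Token layout: base64url(JSON claims) + "." + base64url(HMAC-SHA256 over that first part).
function mac(body: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(body).digest();
}

export function issueToken(claims: TokenClaims, secret: string = SIGNING_SECRET): string {
  const body = Buffer.from(JSON.stringify(claims), "utf8").toString("base64url");
  return `${body}.${mac(body, secret).toString("base64url")}`;
}

// Returns the claims when the signature is valid and the token is unexpired, otherwise null.
export function verifyToken(
  token: string,
  secret: string = SIGNING_SECRET,
  now: number = Math.floor(Date.now() / 1000),
): TokenClaims | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [body, sigPart] = parts;
  const expected = mac(body, secret);
  const given = Buffer.from(sigPart, "base64url");
  // Length check first: timingSafeEqual throws on differing lengths. The compare
  // itself is constant-time, so a wrong MAC is rejected without a timing leak.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let parsed: unknown;
  try {
    parsed = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof parsed !== "object" || parsed === null) return null;
  const { sub, exp } = parsed as { sub?: unknown; exp?: unknown };
  if (typeof sub !== "string" || typeof exp !== "number" || !Number.isFinite(exp)) return null;
  if (exp <= now) return null; // expired
  return { sub, exp };
}

// Body for the page's onBeforeConnect hook. Inside the real hook, throw
// rivetkit's UserError("Forbidden", { code: "forbidden" }) instead of this Error.
export async function authorizeConnection(params: { authToken: string }): Promise<TokenClaims> {
  const claims = verifyToken(params.authToken);
  if (!claims) throw new Error("Forbidden");
  return claims;
}
```

The signature is checked before the claims are parsed, so malformed or tampered tokens never reach JSON.parse with a trusted payload, and the expiry is compared against a caller-supplied clock so the check is deterministic under test.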

See Authentication for createConnState, client usage, and more patterns.

Agents request permission before using tools. See Permissions for auto-approve, selective approval, and human-in-the-loop patterns.

Preview URLs use randomly generated 32-character lowercase alphanumeric (a-z0-9) tokens with configurable expiration. See Networking & Previews for token management.

  • Tokens are stored in SQLite and survive sleep/wake
  • Expired tokens are automatically cleaned up
  • Use expireSignedPreviewUrl to immediately revoke a token

Each VM has its own virtual filesystem. Files are isolated per actor instance.

  • /home/user is persistent and survives sleep/wake
  • Mount boundaries prevent escape via symlinks or path traversal
  • Host directory mounts (if configured) prevent symlink escape beyond the mount point
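To make the two filesystem guarantees above concrete, here is an added example, not agent-os's own filesystem code, of a resolver that walks a requested path component by component against a mount root and rejects any step, including one introduced by following a symlink, that lands outside the mount. It assumes a constructed in-memory symlink table (absolute link path to target) standing in for the VM's virtual filesystem, that request paths are always relative to the mount (a leading "/" means the guest root), and that absolute symlink targets are host paths taken literally:

```typescript
// Added example (not agent-os's own code): confine path resolution to a mount
// root so that neither ".." nor a symlink can reach outside it. The symlink table
// is a constructed in-memory stand-in for the VM's virtual filesystem.
import { posix as path } from "node:path";

export type Symlinks = Map<string, string>; // absolute link path -> target
export class MountEscapeError extends Error {}

const MAX_LINK_HOPS = 40; // bounds symlink chains and breaks loops

function isInside(root: string, p: string): boolean {
  const prefix = root.endsWith("/") ? root : root + "/";
  return p === root || p.startsWith(prefix);
}

// Assumptions: a request is interpreted relative to the mount root (a leading "/"
// is the guest's root, i.e. the mount); an absolute symlink target is a host path.
export function resolveInMount(root: string, requested: string, links: Symlinks): string {
  const mountRoot = path.normalize(root);
  let current = mountRoot;
  let hops = 0;
  // Components still to apply. Deliberately not normalize()d first: a ".." that
  // would climb past the mount must be seen and rejected, not silently dropped.
  let pending = requested.split("/").filter((s) => s !== "" && s !== ".");

  while (pending.length > 0) {
    const seg = pending.shift() as string;
    current = seg === ".." ? path.dirname(current) : path.join(current, seg);
    // Check every intermediate path, not just the final one.
    if (!isInside(mountRoot, current)) {
      throw new MountEscapeError(`'${requested}' escapes mount ${mountRoot} at ${current}`);
    }
    const target = links.get(current);
    if (target === undefined) continue;
    if (++hops > MAX_LINK_HOPS) {
      throw new MountEscapeError(`too many symlink hops resolving '${requested}'`);
    }
    // Re-queue the link target's components so they pass through the same checks.
    current = path.isAbsolute(target) ? "/" : path.dirname(current);
    pending = [...target.split("/").filter((s) => s !== "" && s !== "."), ...pending];
  }
  if (!isInside(mountRoot, current)) {
    throw new MountEscapeError(`'${requested}' escapes mount ${mountRoot}`);
  }
  return current;
}

// Convenience wrapper: the resolved host path, or null when the request would escape.
export function safeResolve(root: string, requested: string, links: Symlinks): string | null {
  try {
    return resolveInMount(root, requested, links);
  } catch (e) {
    if (e instanceof MountEscapeError) return null;
    throw e;
  }
}
```

Checking containment at every step, rather than only on the final string, is what catches a symlink whose target is outside the mount and a ".." that momentarily climbs above the root before descending again; the hop limit turns a symlink loop into a rejection instead of a hang.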