Integrations
Meet your agents where they already run. Two proxies enforce without code changes; Slack brings approvals to your reviewers; SIEM exporters feed your existing security stack.
MCP proxy — enforce without touching the agent
Point your agent at the ActPass MCP proxy instead of the upstream MCP server. The proxy forwards every tools/call through preflight first — allowed calls pass through, everything else is blocked with the reason code. Your agent code does not change; only its MCP config does.
{
"mcpServers": {
"stripe": {
"command": "actpass",
"args": ["mcp", "proxy", "--config", "actpass.gateway.json"],
"env": { "ACTPASS_GATEWAY_KEY": "<gateway-key>" }
}
}
}REST / OpenAPI proxy
For agents that call plain HTTP APIs, route them through the gateway's proxy path. ActPass evaluates the action, injects the vaulted credential server-side (your agent never holds the real API key), sanitizes hop-by-hop headers, and forwards to the configured upstream.
POST /api/proxy/{tenant}/stripe/v1/refunds
Authorization: Bearer apk_... # your ActPass key — NOT the Stripe keyACTPASS_UPSTREAM_STRIPE=https://api.stripe.com
ACTPASS_UPSTREAM_STRIPE_AUTH=bearer # bearer | header | basic | queryCredential injection is the quiet superpower here: vault the Stripe key once via POST /v1/credentials, bind it to the server, and a leaked agent prompt can't leak a key the agent never saw.
Slack approvals
Connect the Slack app and require_approvaldecisions post an interactive message to your review channel — approve or deny without leaving Slack. Every decision flows through the same FSM and lands in the same immutable approval ledger as dashboard decisions, with the reviewer's identity attached.
SIEM & observability
| Destination | How |
|---|---|
| Splunk HEC | Native exporter — events as HEC JSON |
| Datadog Logs | Native exporter with service/source tagging |
| Anything with a webhook | Generic JSON webhook exporter |
| ArcSight / legacy | CEF-formatted export |
| Your metrics stack | OpenTelemetry traces + metrics from the gateway itself |
Configure exporters via GET /v1/integrations/siem and the dashboard. Evidence bundles also export directly as SIEM-JSONL for batch ingestion.
Also in the box
An n8n node for gating workflow actions, plus Microsoft Teams, Vanta, and ServiceNow connectors.
Adjacent platform rollout
Start with the platform that already sits on the risky action path. ActPass should gate execution, collect evidence, and route approvals through the tools your reviewers already use. Do not start by wiring every connector at once.
| Platform | First integration | Security outcome |
|---|---|---|
| MCP servers | Scan configs, then run risky servers behind the ActPass MCP proxy. | No new tool surface executes without preflight. |
| GitHub Actions | Run the scan action on pull requests and fail on high-risk drift. | Agent tool changes become reviewable code changes. |
| n8n | Add Preflight Action before risky workflow nodes, then Record Evidence after. | Workflow automation cannot silently mutate money, tickets, or customer data. |
| Slack / Teams | Post require_approval decisions as signed review cards. | Humans approve in the channel they already monitor. |
| ServiceNow | Map ActPass approvals to change_request records. | Agent-driven production changes enter change management. |
| Vanta / Drata | Export policy decisions, approvals, drift, and evidence bundles. | Compliance sees proof of control operation, not screenshots of policy text. |
n8n automation agents
Install n8n-nodes-actpass, configure the ActPass credential once, and add a preflight step before any node that can run commands, call payments, mutate CRM data, update tickets, or send external messages.
Preflight Action
-> risky workflow node
-> Record Evidence
Require Approval
-> Wait for Approval
-> risky workflow nodeFinancial services and fintech pilots
The strongest first customers are likely fintech and financial-services teams because their agents touch regulated data, money movement, customer-impacting operations, and audit obligations. Good first pilots are refund approvals, dispute investigation, KYC case updates, compliance evidence collection, and developer agents in regulated repos.
Oracle future track
Oracle agent security belongs on the roadmap, not in the current shipped-connector list. Plan it around Oracle Fusion ERP/HCM/SCM workflows, OCI-hosted agents, Oracle Integration Cloud flows, and privileged database or analytics agents. Build only after a design partner confirms the exact Oracle surface.