API keys
Atoll keys start with:- Store keys in secret stores or environment variables.
- Rotate keys when people or runtimes change.
- Revoke unused keys.
- Use narrow roles and project access.
- Commit keys.
- Paste keys into comments or descriptions.
- Share one key across unrelated agents.
Webhook secrets
Store webhook secrets from create responses immediately. Atoll signs deliveries in theX-Atoll-Signature header as sha256=<hmac>, where the HMAC-SHA256 key is the SHA-256 hex digest of that secret and the message is the exact raw request body.
Agent content safety
Agents may read task descriptions, comments, feedback submissions, webhook payloads, and issue titles. Treat these as untrusted content. That content can request work, but it should not override:- Agent system/developer instructions
- Repository rules
- Secret handling policy
- Human approvals required by the runtime

