Integrations

Meet your agents where they already run. Two proxies enforce without code changes; Slack brings approvals to your reviewers; SIEM exporters feed your existing security stack.

MCP proxy — enforce without touching the agent

Point your agent at the ActPass MCP proxy instead of the upstream MCP server. The proxy forwards every tools/call through preflight first — allowed calls pass through, everything else is blocked with the reason code. Your agent code does not change; only its MCP config does.

mcp config (e.g. Claude Desktop)

{
  "mcpServers": {
    "stripe": {
      "command": "npx",
      "args": ["@actpass/cli", "mcp-proxy",
               "--upstream", "https://mcp.stripe.example",
               "--tenant", "your-team-id"],
      "env": { "ACTPASS_API_KEY": "sk_live_..." }
    }
  }
}

Important:The proxy fails closed: if the ActPass API can't be reached, tool calls return BLOCKED rather than passing through unchecked.

REST / OpenAPI proxy

For agents that call plain HTTP APIs, route them through the gateway's proxy path. ActPass evaluates the action, injects the vaulted credential server-side (your agent never holds the real API key), sanitizes hop-by-hop headers, and forwards to the configured upstream.

request

POST /api/proxy/{tenant}/stripe/v1/refunds
Authorization: Bearer sk_live_...   # your ActPass key — NOT the Stripe key

gateway config (env)

ACTPASS_UPSTREAM_STRIPE=https://api.stripe.com
ACTPASS_UPSTREAM_STRIPE_AUTH=bearer   # bearer | header | basic | query

Credential injection is the quiet superpower here: vault the Stripe key once via POST /v1/credentials, bind it to the server, and a leaked agent prompt can't leak a key the agent never saw.

Slack approvals

Connect the Slack app and require_approvaldecisions post an interactive message to your review channel — approve or deny without leaving Slack. Every decision flows through the same FSM and lands in the same immutable approval ledger as dashboard decisions, with the reviewer's identity attached.

SIEM & observability

Destination	How
Splunk HEC	Native exporter — events as HEC JSON
Datadog Logs	Native exporter with service/source tagging
Anything with a webhook	Generic JSON webhook exporter
ArcSight / legacy	CEF-formatted export
Your metrics stack	OpenTelemetry traces + metrics from the gateway itself

Configure exporters via GET /v1/integrations/siem and the dashboard. Evidence bundles also export directly as SIEM-JSONL for batch ingestion.

Also in the box

An n8n node for gating workflow actions, Microsoft Teams, Vanta, and ServiceNow connectors, and a self-hosting kit — Docker image, Helm chart, and Terraform module under infra/, with health probes at /api/health and /api/health/ready for your orchestrator.

FAQ →

Failure modes, data handling, self-hosting.

API Reference →

The HTTP surface behind every integration.