Security and the trust model
Lowkey runs as an appliance: one box, one customer. It’s your server, your files, your agents, your credentials — nothing is pooled with anyone else’s, and there’s no shared multi-tenant service sitting between you and your data. That one fact shapes everything below. Because the box is yours alone, the model isn’t about walling you off from other tenants — there are none — it’s about keeping you in control of the real power your agents hold.
Agents act with your box’s credentials
Understand this first. Your agents have a real shell on your box and run with its full credentials — the same files, keys, and tools you’d reach from a terminal. That’s the point: an agent that can actually do the work, not a sandboxed toy. It’s also the responsibility. An agent can read your secrets and change real things, so a box is for a person or a group whose members trust each other — not for putting strangers together. If you share a box, everyone with access can drive agents that act with its full credentials and can see its files. Add people only if you’d trust them with everything on it.
One task can’t drag down the rest
Each session runs inside its own resource boundary — its own memory budget — so a single runaway turn hits its limit and fails on its own, rather than freezing the box or stalling everyone else’s work. The session is the unit that’s accountable for its own runaway.
Be clear on what this is and isn’t: it’s resource containment (memory), not filesystem isolation. Tasks still share the box’s files and credentials — the budget keeps a runaway from taking the whole box down, it doesn’t fence one task’s reach away from another’s.
Staying in control
The powerful parts are gated so you stay in charge:
- You can stop anything. Cancel a single turn, stop a running job, or kill all work in a session — three distinct levels, so stopping one thing doesn’t have to mean stopping everything.
- Sensitive actions pause to ask. Agents are set up to confirm before steps that are hard to undo or that reach outside the box. Treat this as careful default behavior, not an unbreakable wall — the firm control is that you can stop the work.
- Device control is off by default. Driving the browser or screen on one of your own paired computers has to be turned on, per conversation — an agent can’t reach for it uninvited.
- Published pages are isolated from your workspace. Pages you publish are served from a separate domain (its own origin), so a published page can never read your Lowkey session, cookies, or files. They’re static only — no code runs.
Your credentials stay on the box
Secrets live on your box and are kept out of the way of process lists and logs: provider credentials are handed to a turn through a private, owner-only file the worker reads and deletes, never on a command line journald would capture. Nothing is sent to a Lowkey-operated service — there isn’t one.
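One way to implement the owner-only file handoff described above, as an added example in Python. This is not Lowkey's own code; the function names, the `cred-` file naming, and the choice to refuse (rather than delete) a file that fails the checks are assumptions for illustration.

```python
import os
import stat


def write_secret_file(directory: str, secret: bytes) -> str:
    """Parent side: put the secret in a new owner-only (0600) file."""
    path = os.path.join(directory, f"cred-{os.urandom(8).hex()}")
    # O_EXCL refuses to reuse an existing path; O_NOFOLLOW refuses a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(f.fileno(), 0o600)  # enforce the mode whatever the umask is
        f.write(secret)
    # Only this path is passed to the worker, so the secret itself never
    # appears in argv, the process list, or logged command lines.
    return path


def read_and_delete_secret(path: str) -> bytes:
    """Worker side: verify owner and mode, read once, then unlink."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        # fstat the open descriptor, not the path, so the file that was
        # checked is the file that gets read (no check/use race).
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("credential path is not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError("credential file is owned by another user")
        if stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError("credential file is open to group or others")
        secret = f.read()
    os.unlink(path)  # the secret no longer exists on disk after this point
    return secret
```

The worker refuses any file whose owner or mode is wrong instead of reading it, so a loosened permission fails the turn rather than exposing the credential.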
What to read next
- Standing up and maintaining a box → /operator/provisioning/
- Sharing a box with people → ../multi-user.md