ViksaAIDocs
Start now

Access & security

How Volt decides who can use channel bots and how credentials are protected.

Layers of access control#

LayerWhat it controls
Volt admin (dashboard)Installing or uninstalling a channel connection requires chat module permission.
Slack access grantsSlack users need an email grant or project membership (email match via auth-service).
Channel grants (all channels)Slack, WhatsApp, Telegram, Teams, Instagram — per-channel identity grants (channel_grants_v1).
Agent catalogOnly agents registered in builder-service for that project can be dispatched.
Platform RBACOrg/project roles apply the same as the web app for sensitive operations.

Slack: access grants#

Before processing a Slack message, volt-engine-service resolves the user's email and checks channel access grants (or project membership). Fail-closed if access cannot be verified.

Channel Hub: channel_grants_v1#

All Tier 1 connectors — including Slack — use a unified access model. Configure grants in Volt → Channel Hub → Access for each connected channel.

  • Allow all users (*) — any sender on that channel gets the agents listed in the grant (or all agents with *).
  • Per-user grants — identity must match the channel-specific format below.
  • Project members — when "Viksa project members get all agents" is enabled, logged-in project members bypass per-channel identity for agent list filtering (webhook channels still require a grant or membership path at the gate).
ChannelGrant identity format
SlackWork email (must match Slack profile email)
WhatsAppE.164 phone, e.g. +14155551234
TelegramNumeric user ID (from @userinfobot), not @username
TeamsWork email or Azure AD object ID (GUID)
InstagramScoped sender ID from Meta webhooks (numeric string)

Credential storage#

  • Slack and other channel credentials are encrypted at rest in channel_connections (MongoDB).
  • Webhook queue payloads never contain decrypted secrets — workers reload credentials by project scope at processing time.
  • No per-project runtime pods — volt-engine-service handles HTTPS ingress and credential decryption at processing time.

Routing isolation#

Each routing key (Slack App ID, Teams App ID, WhatsApp phone number ID, Telegram tenant key, Instagram account ID) maps to exactly one project. Two projects cannot register the same provider identity.