Access & security
How Volt decides who can use channel bots and how credentials are protected.
Layers of access control#
| Layer | What it controls |
|---|---|
| Volt admin (dashboard) | Installing or uninstalling a channel connection requires chat module permission. |
| Slack access grants | Slack users need an email grant or project membership (email match via auth-service). |
| Channel grants (all channels) | Slack, WhatsApp, Telegram, Teams, Instagram — per-channel identity grants (channel_grants_v1). |
| Agent catalog | Only agents registered in builder-service for that project can be dispatched. |
| Platform RBAC | Org/project roles apply the same as the web app for sensitive operations. |
Slack: access grants#
Before processing a Slack message, volt-engine-service resolves the user's email and checks channel access grants (or project membership). Fail-closed if access cannot be verified.
Channel Hub: channel_grants_v1#
All Tier 1 connectors — including Slack — use a unified access model. Configure grants in Volt → Channel Hub → Access for each connected channel.
- Allow all users (*) — any sender on that channel gets the agents listed in the grant (or all agents with
*). - Per-user grants — identity must match the channel-specific format below.
- Project members — when "Viksa project members get all agents" is enabled, logged-in project members bypass per-channel identity for agent list filtering (webhook channels still require a grant or membership path at the gate).
| Channel | Grant identity format |
|---|---|
| Slack | Work email (must match Slack profile email) |
| E.164 phone, e.g. +14155551234 | |
| Telegram | Numeric user ID (from @userinfobot), not @username |
| Teams | Work email or Azure AD object ID (GUID) |
| Scoped sender ID from Meta webhooks (numeric string) |
Credential storage#
- Slack and other channel credentials are encrypted at rest in
channel_connections(MongoDB). - Webhook queue payloads never contain decrypted secrets — workers reload credentials by project scope at processing time.
- No per-project runtime pods — volt-engine-service handles HTTPS ingress and credential decryption at processing time.
Routing isolation#
Each routing key (Slack App ID, Teams App ID, WhatsApp phone number ID, Telegram tenant key, Instagram account ID) maps to exactly one project. Two projects cannot register the same provider identity.