Business API Tool

Once an agent knows who the user is, it can do real work for them. The Business API tool lets the agent call your existing API — to fetch an order, check a balance, or update a preference — with the verified user identity attached automatically and your credentials kept server-side.

Set it up

  1. In Studio, open your agent → Connections → Connected API.
  2. Set the base URL and an API credential (stored encrypted, never returned).
  3. Import an OpenAPI 3.x document, or add operations by hand.
  4. Enable only the operations the agent should use — everything imports disabled by default.

Curating operations

Each operation has independent controls:

  • Enabled — whether the agent may call it at all.
  • Status — allowed, restricted, or hidden.
  • Sensitivity — return the full value, summarise only, or redact specific fields before the model sees them.
  • Confirm — require the user to approve before the call runs (recommended for anything that writes).
  • Rate limits — per conversation and per day.

Injected user context

For an authenticated session, Buddy attaches the verified identity to the upstream request as headers — your API never has to trust anything the model says:

X-Platform-User-Id: user_123
X-Platform-User-Email: ada@example.com
X-Platform-User-Role: customer
X-Platform-Session-Id: sess_…
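
On the receiving side, an upstream handler can consume these headers as in the added example below (not Buddy's code and not part of the original page). It assumes the configured API credential arrives as a bearer token in the Authorization header; the route, credential value and order data are constructed for illustration.

```python
import hmac

# Assumption: Buddy presents the configured API credential as a bearer token.
BUDDY_CREDENTIAL = "constructed-secret-for-demo"

# Constructed sample data: order id -> owner and total.
ORDERS = {
    "ord_1": {"owner": "user_123", "total": "42.00"},
    "ord_2": {"owner": "user_456", "total": "9.50"},
}


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def get_order(headers, order_id, query=None):
    """Return (status, body) for GET /orders/{order_id} (hypothetical route)."""
    # 1. Identity headers mean nothing unless the caller proves it is Buddy:
    #    anyone who can reach the API directly could set them.
    presented = _header(headers, "Authorization")
    expected = "Bearer " + BUDDY_CREDENTIAL
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return 401, {"error": "unauthorized"}

    # 2. Take the user from the injected header only. A user id in the
    #    query or body was chosen by the model, so `query` is ignored.
    user_id = _header(headers, "X-Platform-User-Id")
    if not user_id:
        return 401, {"error": "no verified user"}

    # 3. Object-level check: the order must belong to that user.
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user_id:
        return 404, {"error": "not found"}
    return 200, {"id": order_id, "total": order["total"]}
```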

Read vs. write

Safe methods (GET, HEAD, OPTIONS) run directly. Any other method — or any operation you mark Confirm — pauses for explicit user approval before executing.

When a call fails

Upstream errors never leak to the user. The agent shows your configured fallback message and the raw error is recorded only as metadata in the request log (no request or response bodies are stored).

Platform safeguards

  • A per-session call ceiling prevents runaway loops.
  • All outbound calls go through an SSRF guard that blocks private/internal addresses.
  • Responses are truncated to a safe size before reaching the model.
