Skip to content

Managing access & security

This page covers how to see what’s connected, how to cut access off, and the security guarantees behind AI / Agent access.

  • Seeing what’s connected
  • Revoking access
  • The security model
  • Who can use it

The LLM / API Access page (under Settings) has two lists:

  • Active keys — every API key (asmk_…) used by desktop and CLI clients and your own scripts, with its label, scope, who created it, and when.
  • Connected apps — every web-chat connection (claude.ai / ChatGPT), with the app name, who granted it, when, and the scope.

Both lists have a trash icon on each row.

  • Revoke a key — the key stops working on its next request. The row is shown struck through and marked revoked.
  • Revoke a connected app — the connection is torn down immediately; the app can no longer read or change your data and cannot silently reconnect.

Revoke access whenever a device is lost, a teammate leaves, or you simply no longer use a connection.

AI / Agent access is built to be safe to hand to an outside assistant:

  • Read-only by default. A connection can only change data if you explicitly granted it read & write scope — chosen when you create an API key or generate a web-chat connection code. Write access covers exactly the surfaces described in Operating BOMs & sub-assemblies and Operating raw materials & stock; read-only connections can’t see or use any of it.
  • Scoped to one store. Every key and connection is pinned to your single store. An assistant can never reach another merchant’s data.
  • Keys shown once. The plaintext key is displayed only at creation and never stored, so it can’t leak from Assemblified later.
  • Sandboxed execution. When your assistant runs a program (run), it executes in an isolated sandbox with no access to anything beyond the data described in What the assistant can read. It can’t reach the internet, your secrets, or the wider system.
  • Revocable. Any key or connection can be cut off at any time, and revocation takes effect on the next request.
  • Removed on uninstall. If you uninstall Assemblified, every key and connection is invalidated along with it.

AI / Agent access requires an active Assemblified subscription. It’s currently in open beta, and access may move to the Enhanced plan in the future. Open Settings → LLM / API Access to create API keys, generate web-chat connection codes, and revoke them at any time.