Settings Hub
The Settings Hub is available on every plan; some tabs are gated by entitlement.
What this is
Settings is the one place to configure everything that isn't a policy or a rule. It's structured as a tab hub instead of a single long scrolling page — each tab owns one concern, and you can deep-link to any of them.
The six tabs
1. Tenant
Identity and metadata for the tenant itself.
- Name and slug (slug is immutable after creation)
- Plan tier and expiry
- Region (for data residency)
- Contact email for billing / incidents
- Logo upload for the dashboard chrome
2. Tokens
Agent enrollment tokens and API keys.
- Enrollment tokens — generate one-time tokens used by the SDK to register a new agent
- API keys — long-lived keys for server-to-server integration (e.g. CI pipelines publishing policy changes)
- Rotate — generate a new key and invalidate the old after a grace period
Everything here is audited; rotations and deletions appear in the audit log.
3. Limits
Per-tenant enforcement thresholds. Same numbers the Professional-gated features read from.
- Per-agent rate limits — default burst / sustained QPS
- Blast radius defaults — recipient caps, delete depth, cascade limits
- Context Gate defaults — token budget, compression mode, unused-tool threshold
- Escalation timeouts — auto-deny after N minutes if no human decision
Changes take effect on the next request for affected agents; no restart needed.
4. Integrations
Third-party connections.
- SIEM destinations — Splunk, Sentinel, Chronicle, QRadar, Syslog, generic Webhook
- Discovery connectors — IdP (Okta, Entra, Google), SaaS admin APIs, citizen coder platforms
- Notifications — Slack, PagerDuty, email
- Classification — Purview, Cyberhaven (Enterprise only)
Each integration has a Test connection button that runs a live probe and surfaces the result in-line.
5. Auth
Identity provider configuration.
- Authentication provider — Clerk (default) / OIDC / SAML / Password
- SSO — connection strings, certificates, attribute mappings (OIDC / SAML only)
- User auto-provisioning — default role for SSO-sourced users
- Session — token lifetime, refresh cadence
See Authentication for provider specifics.
6. Danger zone
Destructive operations that always require typing the tenant slug to confirm.
- Rotate all tokens — invalidate every enrollment token and API key at once
- Global kill switch — freeze every agent in the tenant (see Kill Switch ...)
- Export audit archive — dump the full retained audit log to S3
- Delete tenant — hard delete (super-admin only, 72-hour grace period)
Permissions
- viewer / analyst — read all tabs except Tokens and Danger zone
- policy_author — read + write Limits and Integrations
- admin — read + write everything except Danger zone
- admin + typed slug confirmation — Danger zone
Related
- User Roles & Invites — who sees what
- Authentication — what lives under the Auth tab
- SIEM Connectors — Integrations tab destinations