Respects your access controls
Security by design
yak doesn't bypass your security model—it works within it. Tool calls receive the original request object, so you authenticate with cookies, headers, or tokens. The AI only accesses what the user can access.
What you get
- Tool calls receive the original Request object
- Use your existing auth (Clerk, Auth.js, custom)
- Allowlist specific procedures—block the rest
- Origin validation for all postMessage communication
- Built-in redirect protection against open redirect attacks
How it works
Wire tools to your existing auth
Your tool adapter receives the original Request object, so the same session lookup, cookies, headers, or tokens that protect your app gate every tool call—and you allowlist exactly which procedures the assistant can reach.
The widget loads sandboxed and origin-checked
The chat widget runs in an isolated iframe and yak rejects any postMessage that isn't from an expected origin, while your app's allowedOrigins allowlist is enforced server-side for both chat and voice requests.
Each call runs with the user's own access
Tool inputs are validated against your Zod-derived schemas, redirects to external or protocol-relative URLs are blocked, and the procedure executes on your server under the caller's permissions—so the AI can never reach data the user couldn't.
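A sketch of the two checks named above, exact-match origin validation and rejection of external or protocol-relative redirect targets. This is an added example, not yak's own code: `APP_ORIGIN`, `ALLOWED_ORIGINS`, `isExpectedOrigin` and `safeRedirectTarget` are assumed names, and the hosts are constructed sample values.

```javascript
// Added example, not yak's implementation. All names and hosts are assumptions.
const APP_ORIGIN = "https://app.example";
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://widget.example"]);

// Exact-match check for a postMessage event.origin or a request's Origin header.
// Prefix or substring matching would accept "https://app.example.other.test".
function isExpectedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Returns an absolute URL on APP_ORIGIN to redirect to, or null if rejected.
function safeRedirectTarget(target) {
  if (typeof target !== "string" || target.length === 0) return null;
  // URL parsers silently drop tabs and newlines; refuse raw control
  // characters and spaces instead of reasoning about what remains.
  if (/[\u0000-\u0020\u007f]/.test(target)) return null;
  let url;
  try {
    // Resolve the way a browser would: "//host", "/\host" and "scheme:"
    // inputs all end up with an origin different from APP_ORIGIN.
    url = new URL(target, APP_ORIGIN);
  } catch {
    return null;
  }
  if (url.origin !== APP_ORIGIN) return null;
  // Return the absolute form: the path alone can start with "//"
  // (e.g. from "/.//other.test") and would be protocol-relative if reused.
  return url.href;
}
```
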