Agent Management

Time-scoped credentials

Time-scoped credentials restrict when your agent's endpoint credentials are available for use. Outside the defined time window, the proxy rejects forwarded calls — adding an extra layer of security for sensitive endpoints.

Time-scoped credentials are configured from the Credential Security section on the Settings tab of your agent's manage page.

Two modes

Time-scoped access supports two modes, each suited to different operational patterns:

Business hours

Credentials are available during specific hours on selected days of the week. Configure which days (Monday through Friday checkboxes), a start hour, and an end hour. The proxy checks the current time in your configured timezone before every call.

Scheduled only

Credentials are available only near a recent schedule trigger. The live configuration stores a window in seconds, and the proxy checks whether one of this agent's schedules fired recently enough to unlock the credential. Outside that window, the call is rejected before credential injection.

Business hours configuration

1

Select the time scope mode

In the Credential Security section, choose Business Hours from the mode selector.

2

Choose active days

Check the days of the week when credentials should be active. Each day (Monday through Sunday) has its own checkbox. Typical business hours use Monday through Friday.

3

Set start and end hours

Select the start hour and end hour using the hour pickers. Hours are in 24-hour format. For example, 09:00 to 17:00 covers a standard business day.

4

Set the timezone

Select the timezone that the hours are evaluated in. All time checks use this timezone — not UTC. Choose the timezone where your operations team works.

What happens outside the window

When a proxy call arrives outside the configured time window, the proxy rejects the request before it reaches your external endpoint. The caller receives an error response indicating that the agent's credentials are not available at the current time. The request is never forwarded.

Time-scoped restrictions are evaluated before the proxy injects stored endpoint credentials. There is no per-route bypass for a stored credential once time-scoping is enabled.

Timezone handling

The timezone you configure determines when the window opens and closes. If you select "America/New_York" with hours 09:00 to 17:00, credentials are active from 9 AM to 5 PM Eastern regardless of where the caller is located. Daylight saving time adjustments are handled automatically.

Configuration walkthrough

The Credential Security section appears on the Settings tab below the Endpoint Credentials fields. Select a mode to reveal its configuration options. Changes take effect immediately after saving — no restart or re-registration is required.

To disable time-scoping, switch the mode back to the default (no restriction). Credentials return to being available at all times.

Next

For endpoints that support OAuth2, see OAuth2 credentials →