
Acceptable Use Policy

Last Updated: March 24, 2026

Table of Contents

  1. Introduction
  2. Authorized Use
  3. Prohibited Activities
  4. Tool Execution Guidelines
  5. Data Handling
  6. Security Requirements
  7. Enforcement
  8. Reporting Violations
  9. Contact

1. Introduction

This Acceptable Use Policy governs your use of the oakallow API and related services. oakallow exists to make AI agent execution safer through permissions, approvals, and audit trails. We expect all users to use the Service responsibly and in a manner consistent with its security-first purpose.

2. Authorized Use

You May Use oakallow To:

  • ✓ Implement permission checks for AI agent tool execution
  • ✓ Build approval workflows requiring human oversight
  • ✓ Generate cryptographic execution tokens for auditable actions
  • ✓ Maintain audit logs of all tool executions
  • ✓ Define granular permission rules for multi-tenant applications
  • ✓ Integrate with your own applications via our documented REST API

3. Prohibited Activities

You Must Not:

  • ✗ Use oakallow to authorize harmful, illegal, or destructive operations
  • ✗ Build systems that circumvent or automate approval of dangerous tool executions
  • ✗ Auto-approve tool executions that the permission system flagged as requiring human review
  • ✗ Attempt to access other developers' data, organizations, or permission rules
  • ✗ Reverse-engineer, decompile, or attempt to extract the source code of the Service
  • ✗ Use the API for denial-of-service attacks, vulnerability scanning, or penetration testing without written authorization
  • ✗ Share API keys publicly or embed them in client-side code
  • ✗ Create multiple accounts to circumvent rate limits or billing

4. Tool Execution Guidelines

oakallow is designed to ensure AI agents ask before they act. When the permission system returns requires_approval, your system must route that request to a human decision-maker. Automatically approving these requests defeats the purpose of the permission system and violates this policy.

Tools with disabled permission must not be executed under any circumstances. If a tool is disabled, do not attempt to bypass the restriction.

5. Data Handling

Do not submit sensitive personal data (Social Security numbers, passwords, health records) as tool parameters. oakallow processes tool parameter data for permission resolution and logs it for audit purposes. If your use case involves sensitive data, ensure you have appropriate data handling agreements in place with your end users.

6. Security Requirements

  • Store API keys securely (environment variables, secrets managers)
  • Use HTTPS for all API communication
  • Rotate API keys periodically and immediately after any suspected compromise
  • Validate HMAC-signed execution tokens before executing tools
  • Implement appropriate access controls within your own systems

7. Enforcement

Violations May Result In:

  • Warning and request to correct the behavior
  • Temporary suspension of API access
  • Permanent account termination
  • Legal action in severe cases

We will always attempt to contact you before taking action, except in cases involving immediate security risk or legal obligation.

8. Reporting Violations

If you become aware of any violation of this policy or a security incident, please report it immediately to security@oakallow.io. We take all reports seriously and will investigate promptly.

9. Contact

Policy Questions: legal@oakallow.io

Security Reports: security@oakallow.io
