Settings

Configure your organization, branding, authentication, models, security, and deployment options.

Overview

The Settings page is organized into tabs, each controlling a different aspect of your AgenticMail Enterprise instance. Changes in most tabs are saved immediately when you click the save button.

| Tab | What It Controls |
|---|---|
| General | Company name, domain, branding (logo, favicon, colors), email signatures |
| Models | LLM providers, model pricing, API key management for AI services |
| API Keys | Create and revoke API keys for programmatic access to your instance |
| Authentication | SSO (SAML 2.0, OIDC), two-factor authentication |
| Platform | Platform-level configuration |
| Email & Domain | Organization-wide OAuth email config (Google Workspace / Microsoft 365) |
| Deployments | Deploy credentials for Docker, Kubernetes, cloud platforms |
| Security | Security system configuration, event monitoring, port scanning |
| Tool Security | Path sandboxing, SSRF protection, command sanitization |
| Network & Firewall | IP allowlists/blocklists, rate limiting, geo-blocking |

General & Branding

Organization Settings

Set your company name, domain, subdomain, and plan tier. The plan tier controls agent limits:

| Plan | Agent Limit |
|---|---|
| Self-Hosted | Unlimited |
| Enterprise | Unlimited + Support |
| Team | 25 agents |
| Free | 3 agents |

White-Label Branding

Customize the dashboard to match your brand:

Auto-generation: When you upload a logo, the system automatically creates favicon.ico and all required app icon sizes (16px, 32px, 48px, 180px, 192px, 512px). No manual conversion needed.

Email Signature Template

Define a shared HTML signature that all agents use in outgoing emails. Use template variables that get replaced per agent:

| Variable | Replaced With |
|---|---|
| {{name}} | Agent's display name |
| {{role}} | Agent's role |
| {{email}} | Agent's email address |
| {{phone}} | Agent's phone number |
| {{company}} | Your organization name |
| {{logo}} | Your company logo URL |

Models & Providers

Configure which LLM providers your agents can use and set token pricing for billing calculations.

LLM Providers

Add and manage API keys for AI model providers (Anthropic, OpenAI, Google, etc.). Each provider can be tested to verify connectivity.

Model Pricing

Define input and output costs per million tokens for each model. This data is used to calculate agent token costs in billing reports (see Multi-Tenant Guide).

API Keys

Create API keys for programmatic access to your AgenticMail instance. Keys support read, write, and admin scopes.

API keys are shown only once. Copy the key immediately after creation. If you lose it, revoke the old key and create a new one.

Authentication & SSO

Two-Factor Authentication

Enable 2FA for additional account security.

SAML 2.0

Enterprise SSO standard. Works with Okta, OneLogin, Azure AD, and any SAML 2.0 identity provider. You'll need:

OpenID Connect (OIDC)

Modern alternative to SAML. Works with Google Workspace, Microsoft Entra, Auth0, and any OIDC provider. Quick setup buttons are available for common providers.

Email & Domain

Organization Email

Set up a shared OAuth application (Google or Microsoft) that all agents use for email. This centralizes OAuth app registration — each agent still authorizes individually, but they share the same Client ID and Secret.

Google Workspace Setup

  1. Go to Google Cloud Console → Credentials
  2. Create an OAuth 2.0 Client ID (Web application)
  3. Add redirect URI: https://your-domain.com/api/engine/oauth/callback
  4. Enable the Gmail API in your project
  5. Copy Client ID and Secret into the dashboard

Microsoft 365 Setup

  1. Go to Azure Portal → App Registrations
  2. Click "New Registration"
  3. Set redirect URI to: https://your-domain.com/api/engine/oauth/callback
  4. Copy Client ID and create a Client Secret
  5. Set Tenant ID (use "common" for multi-tenant)
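Both setups register the same callback, and the Troubleshooting entry for "redirect_uri_mismatch" requires an exact match including protocol and path. The following is an added example (not AgenticMail code) that pinpoints which part of a registered URI differs; `redirect_uri_diff` and `EXPECTED` are hypothetical names, and the host is the placeholder from the steps above.

```python
from urllib.parse import urlsplit

# Callback path from the setup steps; the host is the page's placeholder.
EXPECTED = "https://your-domain.com/api/engine/oauth/callback"

def redirect_uri_diff(registered, expected=EXPECTED):
    """List (component, registered, expected) for every part that differs.

    The URI must match exactly, including protocol and path, so a single
    entry in the result is enough to explain a redirect_uri_mismatch.
    """
    if registered == expected:
        return []
    diffs = []
    # Stray spaces from copy and paste are invisible in most consoles.
    if registered != registered.strip():
        diffs.append(("whitespace", repr(registered), repr(expected)))
    reg, exp = urlsplit(registered.strip()), urlsplit(expected)
    for name in ("scheme", "netloc", "path", "query", "fragment"):
        r, e = getattr(reg, name), getattr(exp, name)
        if r != e:
            label = name
            if name == "path" and r.rstrip("/") == e.rstrip("/"):
                label = "path (trailing slash)"
            diffs.append((label, r, e))
    if not diffs:
        # urlsplit lowercases the scheme, so "HTTPS://..." ends up here.
        diffs.append(("letter case", registered, expected))
    return diffs

if __name__ == "__main__":
    # Constructed sample values, as they might appear in a provider console.
    for uri in (EXPECTED,
                "http://your-domain.com/api/engine/oauth/callback",
                EXPECTED + "/",
                "https://www.your-domain.com/api/engine/oauth/callback"):
        print(uri, "->", redirect_uri_diff(uri) or "match")
```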

Deployments

Manage deployment credentials for pushing agents to different environments (Docker, Kubernetes, cloud VMs). Create credentials with target-specific configuration.

Security

The Security tab provides comprehensive security configuration including prompt injection defense, SQL injection prevention, input/output filtering, transport encryption, dependency management, screen unlock, and audit logging. Each section has its own Edit/Save/Cancel buttons.

| Section | What It Controls |
|---|---|
| Prompt Injection Defense | Multi-layer detection: monitor, sanitize, or block injection attempts |
| SQL Injection Prevention | Scan tool inputs and API bodies for SQL injection patterns |
| Input Validation | Max input length, JSON depth, HTML stripping, Unicode sanitization |
| Output Filtering | Scan agent outputs for secrets and PII; redact or block |
| Transport Encryption | AES-256-CBC encryption of API data between dashboard and server |
| Dependency Management | Org-wide package install policy, allowed managers, blocked packages |
| Screen Unlock | Auto-unlock the machine when agents need desktop access |
| Security Audit Log | Log prompt injection attempts, tool calls, API access |

View full Security System documentation →

Tool Security

Fine-grained control over what agents' tools can access:

| Control | What It Does |
|---|---|
| Path Sandbox | Restrict file system access to allowed directories. Block sensitive paths. |
| SSRF Protection | Block agents from making requests to internal network IPs. Allowlist specific internal hosts. |
| Command Sanitizer | Control which shell commands agents can execute. Blocklist or allowlist mode. |
| Audit Logging | Log all tool usage with optional key redaction. |
| Rate Limiting | Limit how frequently agents can use tools. |
| Circuit Breaker | Auto-disable tools that are failing repeatedly. |

View full Tool Security documentation →
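To show what the SSRF Protection row has to decide, here is an added example (not AgenticMail's implementation) of a check that refuses internal addresses unless the host is allowlisted. The allowlist entry, the function names and the DNS answers are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist entry (the "allowlist specific internal hosts" setting).
ALLOWED_INTERNAL_HOSTS = {"wiki.corp.example"}

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "example.com": ["93.184.216.34"],
    "rebind.example": ["169.254.169.254"],  # public-looking name, internal answer
    "wiki.corp.example": ["10.20.0.5"],
}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_url(url, resolve=sample_resolve):
    """Return (allowed, reason) for an outbound request a tool wants to make."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host in ALLOWED_INTERNAL_HOSTS:
        return True, "allowlisted internal host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        addrs = resolve(host)                       # host is a name
    if not addrs:
        return False, "unresolvable"
    # Every answer must be public: one internal record is enough to refuse.
    for addr in addrs:
        if is_internal(addr):
            return False, "internal address " + addr
    return True, "public"
```

The decision is made on resolved addresses, not on the hostname string. A real client should then connect to the address that passed the check rather than resolving the name a second time.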

Network & Firewall

Configure network-level security — who can access your instance and what agents can reach on the internet.

| Section | What It Controls |
|---|---|
| Inbound IP Filtering | Allowlist or blocklist IPs/CIDRs with test tool |
| Egress Filtering | Control outbound hosts and ports agents can reach |
| Proxy Configuration | HTTP/HTTPS proxy for corporate/air-gapped environments |
| Trusted Proxies | Reverse proxy IPs for correct X-Forwarded-For extraction |
| CORS Origins | Allowed cross-origin request domains |
| Rate Limiting | Per-IP requests per minute with skip paths |
| HTTPS Enforcement | Redirect HTTP to HTTPS in production |
| Security Headers | HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy |
| DNS Rebinding Protection | Host header validation against allowlist |
| Request Body Limits | Maximum payload size (default 10 MB) |
| Geo-IP Restrictions | Country-based access control with built-in geolocation |
| Webhook Security | HMAC validation and source IP filtering for webhooks |

View full Network & Firewall documentation →
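Inbound IP filtering and per-IP rate limiting are only as reliable as the client address they act on, which is why the Trusted Proxies setting matters. The following added example (not AgenticMail code) shows the usual right-to-left walk of X-Forwarded-For; the proxy ranges and function names are hypothetical, and the sample addresses are constructed.

```python
import ipaddress

# Hypothetical reverse-proxy ranges (what the Trusted Proxies setting would hold).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff_header):
    """Return the address to use for IP filtering and per-IP rate limits.

    peer: address of the TCP peer; xff_header: raw X-Forwarded-For or None.
    """
    peer_ip = ipaddress.ip_address(peer)
    # A peer that is not one of our proxies can send any header it likes,
    # so the header is ignored and the socket address is used.
    if not is_trusted(peer_ip) or not xff_header:
        return str(peer_ip)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left: each trusted proxy appended the hop it received
    # from, so the first untrusted entry from the right is the real client.
    # Anything further left was supplied by that client and is not trusted.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer_ip)  # malformed entry: fall back to the peer
        if not is_trusted(ip):
            return str(ip)
    return str(peer_ip)  # every listed hop was one of our own proxies

if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header).
    samples = [
        ("198.51.100.7", "1.1.1.1"),                 # direct peer, forged header
        ("10.0.0.5", "8.8.8.8, 198.51.100.7"),       # client prepended a fake hop
        ("10.0.0.5", "198.51.100.7, 192.0.2.10"),    # two trusted proxies in chain
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```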

Troubleshooting

| Issue | Solution |
|---|---|
| Logo not appearing after upload | Refresh the page. Favicon changes may require clearing browser cache. |
| SSO login fails | Verify redirect URI matches exactly. Check Entity ID and certificate. Use the OIDC test button to validate discovery. |
| Brand color not applying | Ensure the hex code is valid (#RRGGBB format). The color applies instantly — no save needed for preview. |
| API key not working | Check scopes — the key may not have the required permission. Also verify it hasn't been revoked. |
| Org email "redirect_uri_mismatch" | The redirect URI in your OAuth app must exactly match what's shown in the setup instructions, including protocol and path. |
