Choose The Right Tool Boundary
Duckie supports four tool categories:

| Tool type | Use for |
|---|---|
| Duckie Tools | Built-in Duckie actions such as responding, escalating, and searching Duckie-managed context |
| App Tools | Actions in connected apps such as Zendesk, Slack, Linear, Jira, HubSpot, and others |
| Custom Tools | HTTP API calls to endpoints you define |
| MCP Servers | Tools exposed by external MCP servers |
Control Which Agents Can Use Tools
App tools and custom tools become usable only after they are connected or created and enabled for the agent or assistant that should use them. For each agent:

- Open the agent’s tool access settings.
- Enable only the tools needed for that support role.
- Keep write tools separate from lookup tools.
- Test the agent with the exact tool-enabled workflow.
Connect App Tools Deliberately
Connected apps inherit the access of the external account, token, workspace, repository, project, channel, or knowledge source you connect. Before connecting an app:

- Decide which external workspace or account Duckie should access.
- Use provider-side permissions to limit access where possible.
- Enable only the app tools the agent needs.
- Review runs after launch to confirm expected tool use.
Design Custom Tools Safely
Custom tools call HTTP endpoints that you define. Use them for internal services, third-party APIs, or API actions that are not covered by connected integrations. For safe custom tool design:

| Pattern | Why it helps |
|---|---|
| Use literal endpoint hosts | Duckie can validate the request destination before variables are resolved |
| Keep tools narrow | The agent has fewer ways to cause unintended side effects |
| Use fixed values | Constants, tenant IDs, and record selectors do not need to be generated by the agent |
| Use context variables | Current run metadata can supply customer, account, ticket, or requester values |
| Use org variables | Organization-specific API keys, regions, and defaults can be injected from configuration |
| Mark write actions | Testing and approval behavior can distinguish reads from side effects |
| Require approval | Sensitive actions pause for human review before execution |
http or https. Duckie blocks local, private, and internal network addresses before making server-side requests. For custom tool execution, Duckie validates the configured URL, resolves variables and parameters, and validates the final URL before the HTTP call.
See Custom Tools.
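The validation order described above (literal host, then variable resolution, then a check of the final URL), sketched in Python as an added example that is not Duckie's implementation. The `{{name}}` placeholder syntax, the function names, and the constructed DNS table are assumptions made for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import quote, urlsplit

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")  # assumed placeholder syntax
# Constructed DNS answers so the example runs offline.
CONSTRUCTED_DNS = {"api.example.com": {"93.184.216.34"}, "intranet.example.com": {"10.0.0.5"}}

class UnsafeURL(ValueError):
    """Raised when a tool URL fails validation."""

def constructed_lookup(host):
    return CONSTRUCTED_DNS.get(host, set())

def dns_lookup(host):
    """Default resolver: every address the host name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_template(template):
    """Stage 1: scheme and host must be literal before any variable is resolved."""
    parts = urlsplit(template)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL("scheme must be http or https")
    if not parts.hostname or "{" in parts.netloc or "@" in parts.netloc:
        raise UnsafeURL("host must be a literal with no variables or userinfo")
    return parts.hostname

def check_destination(url, expected_host, lookup=dns_lookup):
    """Stage 3: the final URL must keep the configured host and resolve publicly."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != expected_host:
        raise UnsafeURL("final URL does not match the configured destination")
    try:
        addresses = [ipaddress.ip_address(expected_host)]  # host is an IP literal
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in lookup(expected_host)]
    if not addresses or any(not a.is_global for a in addresses):
        raise UnsafeURL("destination is a local, private, or internal address")
    return url

def build_request_url(template, variables, lookup=dns_lookup):
    host = check_template(template)
    # Stage 2: percent-encode each value so it stays inside its path or query slot.
    url = PLACEHOLDER.sub(lambda m: quote(str(variables[m.group(1)]), safe=""), template)
    return check_destination(url, host, lookup)
```

A production check would also pin the validated address for the actual connection, since a host name can resolve differently between validation and the request.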
Handle Credentials Carefully
Use the credential mechanism that matches the external API:

| Credential type | Recommended use |
|---|---|
| OAuth 2.0 client credentials | APIs that issue access tokens from a client ID and client secret |
| Manual headers with org variables | Static API keys or bearer tokens |
| No authentication | Public endpoints or endpoints protected by request parameters alone |
Mark Write Actions
Use Write Action for tools that change external state, such as updating an account, issuing a refund, creating a ticket, sending a message, closing a conversation, or changing a record. Marking write actions makes the tool’s impact explicit and supports safer testing and review. Batch test runs execute in testing mode and skip write app tools, custom tools, and MCP tools. See Deployment Modes and Batch Testing.
Require Approval For Sensitive Side Effects
Use Requires Approval when a human should approve the tool call before it runs. Require approval for actions such as:

- Billing changes, refunds, or credits.
- Plan, entitlement, or ownership changes.
- Security setting changes.
- Customer-visible messages in sensitive workflows.
- Destructive or hard-to-reverse external updates.
- MCP write actions that modify Duckie configuration.
Use Workflows For High-Risk Paths
Use workflows when an action must follow a consistent verification path. A high-risk tool workflow should usually:

- Look up the current requester, ticket, customer, or account.
- Extract the requested target or requested change.
- Compare the requested target to verified context.
- Continue only on the approved branch.
- Require approval when the action is sensitive.
- Escalate or send a safe response when verification fails.
Tool Security Checklist
| Area | Check |
|---|---|
| Tool access | The agent has only the tools needed for its role |
| External account | Connected app permissions are limited at the provider where possible |
| Custom endpoint | The endpoint host is literal and expected |
| Record selector | Customer, account, ticket, or record IDs come from context, fixed values, or verified workflow output |
| Credentials | Secrets are stored in org variables or OAuth credentials, not generated by the agent |
| Write action | Tools that change external state are marked as write actions |
| Approval | Sensitive side effects require human approval |
| Testing | Misuse cases are tested before production |
| Review | Run history shows expected tool inputs, outputs, and outcomes |
Related Docs
Custom Tools
Define HTTP tools, variables, authentication, write actions, and approvals.
App Tools
Use tools from connected apps and Duckie-provided app platforms.
MCP Servers
Connect external MCP servers and expose their tools.
Account-Safe Actions
Keep support actions attached to the right customer or account.