- ›An Account Kit is a reusable policy template that governs what a tenant user's agents can do.
- ›It controls two things: which native primitives are enabled, and which third-party apps a user may connect.
- ›
You author a few kits— Starter, Pro, Enterprise — and assign users to them instead of configuring each one. - ›Kits set primitive defaults (like a card spending limit), app-filter mode (open/allowlist/blocklist), and per-tool rules.
- ›Kits can require human approval on sensitive actions; cards, domains, verification, formation, and connecting apps default to gated.
- ›The default kit on signup enables every native primitive with the app filter open.
If you've read about multi-tenant AI agents or agent permissions on Naïve, you've seen the term Account Kit. This is the short, definitional version: what an Account Kit is, what it controls, and why it exists.
What is an Account Kit?
An Account Kit is a reusable policy template that governs what a tenant user's agents can do. Rather than configuring 10,000 users one at a time, you author a few kits — say "Starter," "Pro," and "Enterprise" — and assign users to them.
It sits in the middle of Naïve's multi-tenant model: an operator (you) owns Account Kits, and each tenant user (your customer) is assigned one. The kit is the rulebook; the tenant user is who the rules apply to.
What does a kit control?
A kit controls exactly two things:
- Which native primitives are enabled — cards, email, vault, social, and so on. Primitives can carry defaults, like a card
spending_limit_cents. - Which third-party apps a user may connect — Gmail, Slack, Stripe, and the rest of the catalog.
Here's a "Pro" kit:
{
"name": "Pro",
"primitives_config": {
"cards": { "enabled": true, "defaults": { "spending_limit_cents": 250000 } },
"email": { "enabled": true },
"vault": { "enabled": true },
"social": { "enabled": false }
},
"connections_config": {
"mode": "allowlist",
"toolkits": ["gmail", "slack", "stripe", "hubspot", "notion", "linear"],
"tools": { "gmail": { "enable": ["GMAIL_FETCH_EMAILS", "GMAIL_SEND_EMAIL"] } }
}
}How does the app filter work?
The connections_config.mode field has three settings:
| Mode | Behavior |
|---|---|
open | No filter — every third-party app is available (the default). |
allowlist | Only the listed toolkits are available. |
blocklist | Every app except the listed ones. |
Allowlist and blocklist are mutually exclusive. Within an allowed app, you can go finer still — enable or disable specific tools (allow Gmail, but only fetch and send). And custom_auth_configs lets you pin your own provider auth so the OAuth consent screen shows your brand instead of the provider's.
Can a kit require approval?
Yes. Each gated primitive accepts requiresApproval. When it's on, a sensitive agent action freezes as a pending approval (HTTP 202) until a human approves it.
The defaults are conservative: cards, domains, verification, formation, and connecting a new app default to requiring approval. Set requiresApproval: false to opt a primitive out. Human callers from the dashboard or a session are not subject to the approval gate — only agent (API-key or MCP) calls are gated (per published docs).
What's the default kit?
On signup you get a default kit with mode: "open" and every native primitive enabled — so you can build immediately without writing policy first. As you move toward a multi-tenant product, you author tighter kits and assign the right one to each tenant user.
Where it fits
An Account Kit is one piece of a larger picture: tenant users give you per-customer isolation, and Account Kits give you enforced permissions on top of that isolation. Together they're how the multi-tenant playbook keeps each customer's agent both separate and safe. For the complete field-by-field reference, see the Account Kits docs.
What is an Account Kit?+
What can an Account Kit control?+
What are the three app-filter modes?+
Can an Account Kit require approval before an agent acts?+
What does the default Account Kit look like?+
How is an Account Kit different from a tenant user?+
Building the agent-native backend.
AI agent permissions should be enforced server-side at execution time, not prompted. Here's how policy templates gate primitives, apps, and approvals.
Multi-tenant AI agents give every customer their own isolated agent. Here's the operator, tenant-user, and Account Kit model behind per-user isolation.
Building multi-tenant AI agents into your SaaS means giving each customer an isolated, governed agent. Here's the full architecture and how to ship it.
Human-in-the-loop approvals that freeze sensitive actions until you say yes, a per-user audit trail of everything an agent did, short-lived scoped MCP sessions, and unified async job tracking — the controls that make an autonomous fleet safe to run.