Skip to main content
An Account Kit is a reusable policy template. Instead of configuring every tenant user individually, you define a kit once and assign users to it. A kit controls two things:
  • Primitives — which capabilities are enabled, split into Identity (verification, formation, email, domains) and Tools (cards, social, vault, logs).
  • Third-party connections — which apps a user may connect, plus per-tool filters and white-label auth.
See the full model in Architecture → Account Kits.

CLI First

naive account-kits create --name Pro \
  --mode allowlist --toolkits gmail,slack,stripe \
  --tool gmail.enable=GMAIL_FETCH_EMAILS,GMAIL_SEND_EMAIL \
  --custom-auth gmail=ac_brand_gmail

naive account-kits list
naive account-kits assign <kit_id> <user_id>

Tools

ToolTypeDescription
account_kits_listCoreList all kits in the workspace
account_kits_createCoreCreate a policy template
account_kits_getCoreFetch a single kit
account_kits_updateCoreEdit primitives, connections, or governance
account_kits_deleteManagementDelete a kit (users must be reassigned first)
account_kits_assign_userManagementAssign a tenant user to a kit

Creating a Kit

curl -X POST https://api.usenaive.ai/v1/account-kits \
  -H "Authorization: Bearer nv_sk_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Pro",
    "primitives_config": {
      "cards": { "enabled": true },
      "email": { "enabled": true },
      "vault": { "enabled": true },
      "social": { "enabled": false }
    },
    "connections_config": {
      "mode": "allowlist",
      "toolkits": ["gmail", "slack", "stripe"],
      "tools": { "gmail": { "enable": ["GMAIL_FETCH_EMAILS", "GMAIL_SEND_EMAIL"] } },
      "custom_auth_configs": { "gmail": "ac_brand_gmail" }
    }
  }'
Response: 
{
  "id": "4273359a-7a80-460c-a93f-f49f9058fd23",
  "name": "Pro",
  "is_default": false,
  "primitives_config": { "cards": { "enabled": true }, "email": { "enabled": true } },
  "connections_config": { "mode": "allowlist", "toolkits": ["gmail", "slack", "stripe"] }
}

Connection modes

ModeBehavior
openNo filter — every third-party app available (the default).
allowlistOnly the listed toolkits can be connected.
blocklistEvery app except the listed ones.
Per-tool filters (tools.<app>.enable / .disable) and white-label custom_auth_configs are optional.
Discovering app slugs: browse the full third-party app catalog with GET /v1/toolkits (?search=). The dashboard’s Account Kit editor uses this endpoint to power a searchable allow/block picker.

Governance — require approval

Each gated primitive accepts requiresApproval, and connections accept requiresApproval / approvalToolkits. When on, the agent’s sensitive action is frozen for a human to approve before it runs. 
{
  "primitives_config": {
    "cards":   { "enabled": true, "requiresApproval": true },
    "domains": { "enabled": true, "requiresApproval": true }
  },
  "connections_config": { "mode": "open", "requiresApproval": false, "approvalToolkits": ["stripe"] }
}
Cards, domains, verification, formation, and connecting services default to requiring approval for agent calls; set requiresApproval: false to opt out. Calls on the operator’s own default user execute without approval.

Error Handling

ErrorCauseRecovery
invalid_inputMalformed mode/toolkits, or unknown app slugUse a valid mode and slugs from GET /v1/toolkits
duplicate_recordA kit with this name already existsPick a different name
forbiddenTrying to delete a kit with users still assignedReassign those users first
not_foundkit_id doesn’t exist in this workspaceUse GET /v1/account-kits

Typical Workflow

Define a tier once, apply it to many users

    ├─ POST /v1/account-kits                 → Create "Pro" (allowlist gmail/slack/stripe)
    │   → kit_id: 4273359a-...

    ├─ POST /v1/account-kits/4273359a.../users/{user_id}/assign   → Assign Alice

    └─ Alice's connections + primitives are now governed by "Pro"
        (connecting Notion is blocked; connecting Gmail is allowed)