Hey, been playing with flue this week — really like what you're building.
Quick question on something I wanted to make sure I wasn't missing: when I deploy an agent, the endpoint looks like it's reachable without any auth. I had a look around to double-check — nothing about it in the docs, and as far as I can tell no check on the request path in the source either. If I'm wrong about that, just point me to the right place and feel free to close.
Assuming it's not there yet, I figured it was worth raising. A few things stood out to me as a user:
- the agent runs on my own LLM keys, so any traffic costs me money
- tools are usually wired to my creds (DB, APIs, files), so a caller acts with my permissions
- deploy URLs end up in surprising places — screenshots, bug reports, browser history
I saw PR #52 brings in flue.config.ts, which felt like a natural place to wire something minimal. Even a shared-secret env var as a default, plus a hook for people who want to plug in their own auth (JWT, OAuth, IP allowlist), would already cover a lot of ground.
Would love to hear how you're thinking about this.
Hey, been playing with flue this week — really like what you're building.
Quick question on something I wanted to make sure I wasn't missing: when I deploy an agent, the endpoint looks like it's reachable without any auth. I had a look around to double-check — nothing about it in the docs, and as far as I can tell no check on the request path in the source either. If I'm wrong about that, just point me to the right place and feel free to close.
Assuming it's not there yet, I figured it was worth raising. A few things stood out to me as a user:
I saw PR #52 brings in
flue.config.ts, which felt like a natural place to wire something minimal. Even a shared-secret env var as a default, plus a hook for people who want to plug in their own auth (JWT, OAuth, IP allowlist), would already cover a lot of ground.Would love to hear how you're thinking about this.