Threat model

What Wicket protects against

Overprivileged AI agents. Without a proxy, an MCP client configured with broad OAuth scopes can call any tool the upstream service allows — delete repositories, send Slack messages to any channel, close Linear issues. Wicket interposes Cedar policy evaluation on every call, so the AI agent is limited to what its policies permit regardless of what its OAuth token can do.

Credential exposure. OAuth tokens are never stored in plaintext. Wicket uses AES-GCM encryption with two key layers:

  1. Tokens are encrypted with the server key during the OAuth callback
  2. When a member generates their member key, tokens are re-encrypted under a key derived from the member key (HMAC-SHA256)

The server never stores member keys. If a member key is lost, the OAuth tokens encrypted under it are unreadable and the member must reconnect via OAuth.
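The two key layers above, sketched in Node.js as an added example (this is not Wicket's code). The 32-byte keys, the nonce || ciphertext || tag layout, the HMAC label and all function names are assumptions; the page only states that AES-GCM is used and that the second-layer key is derived from the member key with HMAC-SHA256.

```javascript
// Added example, not Wicket's code; key sizes, blob layout and HMAC label are assumed.
const { createCipheriv, createDecipheriv, createHmac, randomBytes } = require('node:crypto');

const NONCE_LEN = 12;
const TAG_LEN = 16;

// Layer-2 key: HMAC-SHA256 keyed by the member key over a fixed label (assumed).
function deriveKey(memberKey) {
  return createHmac('sha256', memberKey).update('example-token-wrap-v1').digest();
}

// AES-256-GCM; output is nonce || ciphertext || tag, with a fresh nonce per call.
function seal(key, plaintext) {
  const nonce = randomBytes(NONCE_LEN);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

// Throws when the key is wrong or the blob was modified (tag check in final()).
function open(key, blob) {
  if (blob.length < NONCE_LEN + TAG_LEN) throw new Error('blob too short');
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, NONCE_LEN));
  decipher.setAuthTag(blob.subarray(blob.length - TAG_LEN));
  const body = blob.subarray(NONCE_LEN, blob.length - TAG_LEN);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Step 1: at the OAuth callback the token is sealed under the server key.
function storeAtCallback(serverKey, token) {
  return seal(serverKey, Buffer.from(token, 'utf8'));
}

// Step 2: re-encrypt under the member-derived key; the member key is not kept.
function rewrapForMember(serverKey, memberKey, serverBlob) {
  return seal(deriveKey(memberKey), open(serverKey, serverBlob));
}

// Decrypt for one call when the member key is presented (assumed flow).
function tokenForCall(memberKey, memberBlob) {
  return open(deriveKey(memberKey), memberBlob).toString('utf8');
}

// Constructed sample values; a reset (different) member key cannot read the blob.
const demoServerKey = randomBytes(32);
const demoMemberKey = randomBytes(32);
const demoBlob = rewrapForMember(demoServerKey, demoMemberKey,
  storeAtCallback(demoServerKey, 'constructed-oauth-token'));
console.log(tokenForCall(demoMemberKey, demoBlob));
try { tokenForCall(randomBytes(32), demoBlob); } catch (e) { console.log('lost key:', e.message); }
```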

Unaudited tool calls. Every tool call — allowed or denied — writes an audit entry with the tool name, principal (key suffix), decision, matched policy, and duration. You have a full record of what your AI agents did.

Lateral movement via stolen member keys. Member keys are scoped to a single agent. A stolen key gives access only to the tools that agent’s policies permit — not to other agents or to the underlying OAuth token.

What Wicket does not protect against

Prompt injection in tool outputs. Wicket does not inspect or sanitise tool outputs before returning them to the AI client, so adversarial instructions in a GitHub file, Slack message, or Linear issue pass through to the client. Policy enforcement is on the call, not on what the call returns.

Malicious agent owners. An agent owner can create permissive policies, approve any member, and read the audit log. Wicket trusts the owner. If an owner account is compromised, the attacker can grant broad access.

Supply chain attacks on MCP servers. Wicket proxies to upstream MCP servers it is configured to trust. It does not verify the integrity of those servers’ responses.

Network-level attacks. Wicket is an application-layer control. All traffic to and from the platform is TLS-encrypted, but Wicket cannot protect a compromised client machine or a malicious network endpoint impersonating an upstream provider.

Dashboard account takeover via email. Dashboard sign-in is bound to email ownership (magic codes). If an attacker controls a member’s mailbox, they can reach that member’s dashboard. Enable MFA to add a second factor. MCP proxy calls use member keys, never dashboard sessions, so mailbox compromise alone does not grant proxy access.

Credential security model

| Secret | Storage | Recoverable if lost? |
| --- | --- | --- |
| Platform encryption keys | Managed by Wicket, never exposed | Rotated by Wicket operations |
| Member key | Never stored — shown once to member | No — member resets the lost key and reconnects OAuth |
| OAuth tokens | AES-GCM encrypted at rest, keyed to member key | No — must reconnect via OAuth if member key lost |
| Connector OAuth app secrets | Encrypted at rest; write-only after save | Re-enter from your provider’s app settings |
| Sign-in codes | Hashed, 10-minute validity, single use | Not applicable |