Secure Service Agents with Customer Verification

Agentforce Service Agents are extremely powerful tools for delivering value to customers. One of the key challenges of setting up a service agent is to secure it. The good news is that thanks to Salesforce, your data is always safe by default. It is your responsibility as a developer or as an admin to open up access by granting the proper permissions. This is especially important when you deploy service agents in unauthenticated portals, such as Experience Cloud sites with guest access.

In this blog post, we’ll explore how to use the out-of-the-box Service Customer Verification topic and its actions to secure agent actions. You’ll also learn how to enforce security with variables and filters through the example of the Coral Cloud sample application (a fictitious resort that offers experiences to its guests).

See the screenshot below for an example agent-guest conversation where the agent presents a description of an activity to the guest.


Screenshot of the Experience Cloud site for the Coral Cloud sample app

Exploring the Service Customer Verification topic

When you set up an agent, you have the ability to create custom topics and actions. But you don’t need to reinvent the wheel: you can benefit from a number of out-of-the-box topics and actions that are provided in the asset library. One of these topics is the Service Customer Verification topic.


Screenshot of Agent Builder showing how to get the Service Customer Verification topic from the asset library

The verification topic comes with a set of instructions that trigger a request for verification when the user attempts to access data. Just like for any standard topic, you can override the topic definition to add your own instructions.

The topic ships with two standard, flow-based agent actions that help you put in place basic security with the following sequence:

  1. The agent requests the user’s username or email and the Send Email with Verification Code action sends an email with a verification code to the user.
  2. The agent requests the verification code from the end user. Once the user provides it, the Verify Customer action checks the verification code and validates that the user is a known customer.


Screenshot of a conversation in Agent Builder that showcases the use of the verification actions

The flows that are bound to standard actions can be overridden, so you can add your own logic to them. For example, the verification flow works for both Salesforce user and contact records out of the box (see screenshot below) but you could extend the logic to other objects.


Screenshot showing the out-of-the-box flow bound to the standard Verify Customer agent action

Using the verification topic and its actions is only the first half of the agent security equation. The second half comes with variables and filters.

Securing topics and actions with variables and filters

The verification topic actions help us set a number of variables, among which:

  • Verified confirms that the customer was verified
  • Verified Customer Id points to the user ID or the contact ID that represents the customer

These variables are used in filters, which can be applied at the topic level or at the action level to restrict access.

In the Coral Cloud app, we’ve grouped our actions into two topics:

  • Unverified Customer Support contains actions that are available to all guests (getting activity details, listing activity sessions, checking the weather, etc.)
  • Verified Customer Support contains actions that require the customer to be verified (managing bookings, generating a personalized schedule, etc.). We use an Is Verified Customer filter that relies on the Verified variable to secure the topic.


Screenshot showing the filter applied on the Verified Customer Support topic

In addition to setting filters, variables like Verified Customer Id can be used in actions like Create Booking to force specific values like the contact ID. This ensures activities can only be booked for the currently verified customer.


Screenshot of the booking action where the contact ID is assigned the Verified Customer Id variable
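
The two halves described above (verification actions that set variables, then a topic filter and a forced action input) can be modelled in a few lines. This is an added conceptual sketch in Python, not Salesforce or Coral Cloud code and not an Agentforce API; the contact IDs, action names and the single-attempt rule are assumptions made for the model.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data (hypothetical IDs): known customers and a stand-in mailbox.
CONTACTS = {"sofia@example.com": "003-SOFIA", "liam@example.com": "003-LIAM"}
OUTBOX = []    # (email, code) pairs "sent" by the first action
BOOKINGS = []

@dataclass
class Session:
    """Session variables. Only the verification actions write to them."""
    verified: bool = False                       # "Verified"
    verified_customer_id: Optional[str] = None   # "Verified Customer Id"
    pending: Optional[Tuple[str, str]] = None    # (contact ID, code) awaiting check

def send_verification_code(session, email):
    """Step 1: email a one-time code to a known customer."""
    contact_id = CONTACTS.get(email)
    if contact_id is None:
        return  # unknown address: nothing sent, nothing pending
    code = f"{secrets.randbelow(10**6):06d}"
    session.pending = (contact_id, code)
    OUTBOX.append((email, code))

def verify_customer(session, code):
    """Step 2: check the code and, on success, set both variables."""
    if session.pending and hmac.compare_digest(session.pending[1], code):
        session.verified = True
        session.verified_customer_id = session.pending[0]
    session.pending = None  # assumption of this model: a code is good for one attempt
    return session.verified

# Topic-level filters, mirroring the two Coral Cloud topics.
TOPICS = {
    "Unverified Customer Support": (lambda s: True, {"get_activity_details"}),
    "Verified Customer Support": (lambda s: s.verified, {"create_booking"}),
}

def available_actions(session):
    """Actions of a topic whose filter fails are never offered to the model."""
    return {a for keep, actions in TOPICS.values() if keep(session) for a in actions}

def create_booking(session, model_args):
    """The contact ID is bound to the session variable; model_args cannot set it."""
    if "create_booking" not in available_actions(session):
        raise PermissionError("Verified Customer Support is filtered out")
    booking = {"activity_session": model_args["activity_session"],
               "contact_id": session.verified_customer_id}
    BOOKINGS.append(booking)
    return booking
```

Even if the conversation supplies a different contact ID in `model_args`, the booking is written for the verified customer, because the action never reads that field.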

Conclusion

This concludes our tour of how to secure Agentforce Service Agents with the Service Customer Verification topic. You’ve learned about the topic and its actions, and how to set variables and filters to protect actions when exposing them to unauthenticated users. Get started with service agents and check out the Coral Cloud sample app for a live example.

About the author

Philippe Ozil is a Principal Developer Advocate at Salesforce, where he focuses on the Salesforce Platform. He writes technical content and speaks frequently at conferences. He is a full-stack developer and enjoys working with APIs, DevOps, robotics, and VR projects. Follow him on X, LinkedIn, and Bluesky, and check out his GitHub projects.

The post Secure Service Agents with Customer Verification appeared first on Salesforce Developers Blog.