Documents are loading...

Getting Started

Agent Bootstrap

Copy-paste bootstrap contract for agents, copilots, and automation integrating with Mirror products

This page is the docs-site version of the repo AGENTS.md / CLAUDE.md contract. Use it when an agent needs a machine-readable bootstrap without repo access.

What you can do headlessly

  • call gateway-backed chat and streaming
  • protect prompts and share them with PRE
  • encrypt and open vectors
  • use RBAC / ABE-gated vector open
  • run FPE on structured values
  • evaluate policy for code-agent safety
  • use ECAD protect / evaluate / phase-gate
  • use memory observe / recall / answer and secure retrieval
  • use browser/WASM helpers for prompt, vector, and FPE surfaces that are actually browser-capable

Minimal environment

export MIRROR_SERVICE_CREDENTIAL_FILE=".secrets/service-credential.json"
 
# Optional — override platform host only if the credential's gateway_url is wrong for this environment
# export MIRROR_BASE_URL="https://mirror.example.com"
# export MIRROR_API_URL="$MIRROR_BASE_URL/mapi"
# export MIRROR_GATEWAY_URL="$MIRROR_BASE_URL/gateway"
 
# Manual token exchange only when not using the SDK bundle helper (values also in the credential JSON).
# export MIRROR_TOKEN_URL="https://mirror.example.com/keycloak/realms/mirror-one/protocol/openid-connect/token"
# export MIRROR_CLIENT_ID="svc_example"
# export MIRROR_CLIENT_SECRET="replace-me"
# export MIRROR_SERVICE_CREDENTIAL_ID="svc_example"
# export MIRROR_BEARER="<access-token>"
 
export MIRROR_DEFAULT_PROVIDER="openai"
 
# Local crypto / policy / FHE licensing
export MIRROR_LICENSE_FILE=".secrets/mirror-license.json"
export MIRROR_LICENSE_PUBLIC_KEY_B64_FILE=".secrets/mirror-license-public-key.b64"

Auth model

Use the smallest credential that works.

  1. Portal SDK bundle

    • create or rotate a service credential in Portal
    • download the SDK bundle while the secret is first displayed
    • set MIRROR_SERVICE_CREDENTIAL_FILE=.secrets/service-credential.json
    • let the SDK exchange the credential and load license/public-key files
  2. Manual service credential

    • exchange client_id and client_secret at Keycloak
    • call Gateway and product APIs with Authorization: Bearer <token>
  3. Capability JWT

    • set MIRROR_CAPABILITY_JWT only when the deployment uses delegated capability-scoped auth
  4. Legacy project key

    • keep only for explicit bootstrap or raw Gateway compatibility paths
    • do not use it for new SDK, Portal, Memory/VDB, Tool/MCP, AgentIQ, or Policy integrations

Most application integrations should start with the Portal SDK bundle or a service credential plus the hosted runtime access profile. Use broader admin credentials only for bootstrap or operator flows that explicitly require them.

Fast verification

mirror diagnose
mirror licenses verify
 
curl -fsS \
  -H "Authorization: Bearer $MIRROR_BEARER" \
  "$MIRROR_API_URL/v1/gateway/routing/catalog?surface=gateway&includeLiveModels=false&serviceCredentialId=$MIRROR_SERVICE_CREDENTIAL_ID"
 
# Optional raw runtime checks when operations provided a direct Gateway URL.
[ -n "$MIRROR_GATEWAY_URL" ] && curl -fsS "$MIRROR_GATEWAY_URL/healthz"
[ -n "$MIRROR_GATEWAY_URL" ] && curl -fsS "$MIRROR_GATEWAY_URL/.well-known/jwks.json"

Token bootstrap

ACCESS_TOKEN=$(curl -s "$MIRROR_TOKEN_URL" \
  -d grant_type=client_credentials \
  -d client_id="$MIRROR_CLIENT_ID" \
  -d client_secret="$MIRROR_CLIENT_SECRET" | jq -r .access_token)

Common tasks

Browser/WASM rule

Use browser/WASM only for surfaces that are actually browser-capable:

  • prompt helpers
  • vector helpers
  • FPE helpers

Do not use browser/WASM as the primary path for:

  • gateway admin flows
  • service-credential bootstrap
  • full gateway-backed inference
  • standalone policy evaluation
  • direct FHE execution as the primary deployment model

Next step

Go to SDK Surface Examples if you need the full per-surface example index.

On this page