Agent Onboarding
Machine-first onboarding for agents, copilots, and automation that need to integrate with Mirror products headlessly
This page is the docs-site equivalent of the repo bootstrap files. Use it when an agent, copilot, or automation workflow needs to integrate without a human stepping through the full documentation tree.
Choose the product path
Mirror VectaX
Use for crypto operations, gateway-backed AI, encrypted memory, vector search, FPE, PRE, RBAC, key management, and FHE workflows.
Code Prism
Use for coding-assistant workflows, policy-backed agent operations, and gateway-integrated secure development flows.
AgentIQ Policy Engine
Use for policy enforcement, tool controls, prompt safety, and runtime governance.
AgentIQ Identity
Use for agent identity, capability tokens, delegated execution, registries, and MCP protection.
DiscoveR
Use for red-teaming, adversarial validation, streaming API testing, and browser scanning.
Canonical machine flow
- Confirm the product is active in Entitlements and Access.
- Create a service credential in Portal for hosted runtime calls.
- Register or select the agent in the AgentIQ Identity registry when the workflow has delegated execution.
- Select connector and MCP tools from the Gateway registry.
- Reveal
client_idandclient_secretonce. - Exchange those values at the Keycloak token endpoint.
- Open
Use Mirror -> Playgroundfor the first hosted smoke request andUse Mirror -> Builderwhen the workflow spans multiple products. - Call Gateway or product APIs with
Authorization: Bearer <token>. - Use offline signed or remote licensing for local crypto/FHE/vector/FPE/policy operations.
The active platform contract is service credential plus bearer token for service-backed calls. Offline license is the local/native contract. Do not start a new integration around legacy API-key-first examples.
Minimal environment
Use the same environment contract as Agent Bootstrap and SDK Catalog and Quickstart.
Mirror() derives MIRROR_API_URL and MIRROR_GATEWAY_URL from the credential JSON. Set MIRROR_BASE_URL only when overriding a stale credential host. Use MIRROR_GATEWAY_URL directly only for raw gateway/runtime health checks when not going through the hosted SDK.
Fast verification
For hosted /mapi integrations, prefer Mirror() with MIRROR_SERVICE_CREDENTIAL_FILE — run the hosted SDK example below as your smoke test.
If you are validating the raw gateway/runtime surface directly, use health checks first (URLs come from the credential or from MIRROR_BASE_URL if you override it). If these fail, do not start debugging SDK code yet.
Acquire the SDK artifact
Use the exact internal acquisition command shown in Portal → Use Mirror → SDK & Quickstart. The portal catalog is entitlement-aware and only exposes the built artifacts that match the licensed surface.
Runtime quickstart
Read next: Python SDK, Python Gateway SDK, Python Memory SDK.
Harness-validated coverage
The local end-to-end harness currently proves these service-backed paths live:
| Product surface | TypeScript | Python | Auth | License |
|---|---|---|---|---|
| Gateway / VectaX runtime | yes | yes | bearer token | platform/runtime license |
| Memory / VDB through Gateway | yes | yes | bearer token | gateway runtime license |
| Discover client | yes | yes | bearer token | service-backed runtime license |
| AgentIQ / Policy client | yes | yes | bearer token | service-backed runtime license |
| CodePrism client | yes | yes | bearer token | service-backed runtime license |
The SDK confidence suite separately validates local licensed surfaces for prompt/PRE, vector, FPE, metadata, FHE, policy, search, key management, and sealed transport across the canonical SDKs.
Registry model
The consolidated platform has three registries and one onboarding flow:
| Registry | Owner | Purpose |
|---|---|---|
| Agent registry | AgentIQ Identity | agent lifecycle, delegated identity, scopes, token chains, audit subjects |
| Connector registry | Gateway | OAuth/configured connectors such as O365, ServiceNow, Memory, VDB, and tenant-specific tools |
| MCP registry | Gateway projection | ChatGPT, Claude, IDE agents, and internal builders receive the allowed tool projection for the current service credential |
Use Mirror Builder should bind these registries together, then attach:
- AgentIQ Identity token/scopes
- AgentIQ Policy Engine guardrails and tool policies
- Gateway runtime lane and connector execution
- VectaX Memory/VDB/FPE/PRE/FHE data controls
- Discover security scans, including MCP/tool prompt-injection scans and code-security scans
- Governance evidence for onboarding, smoke, and release gates
Common headless tasks
Quick examples
Prompt protection, gateway chat, vector open, policy, memory, and browser/WASM examples.
Usage modes
Decide between local SDK, gateway-backed, browser, sidecar, and full service deployment.
AgentIQ Identity bootstrap
Get agent identity and capability tokens into a no-human integration flow.
DiscoveR API
Register scan targets, run scans, and retrieve results from code or CI.
Agent-oriented integration rules
- Prefer the smallest credential that works.
- Verify health endpoints before running SDK calls.
- Use service credentials plus bearer tokens for service-backed flows.
- Use signed offline or remote licenses for local crypto/FHE/vector/FPE/policy operations.
- Use browser/WASM only for real browser-capable surfaces.