Documents are loading...

Getting Started

Agent Onboarding

Machine-first onboarding for agents, copilots, and automation that need to integrate with Mirror products headlessly

This page is the docs-site equivalent of the repo bootstrap files. Use it when an agent, copilot, or automation workflow needs to integrate without a human stepping through the full documentation tree.

Choose the product path

Canonical machine flow

  1. Confirm the product is active in Entitlements and Access.
  2. Create a service credential in Portal for hosted runtime calls.
  3. Register or select the agent in the AgentIQ Identity registry when the workflow has delegated execution.
  4. Select connector and MCP tools from the Gateway registry.
  5. Reveal client_id and client_secret once.
  6. Exchange those values at the Keycloak token endpoint.
  7. Open Use Mirror -> Playground for the first hosted smoke request and Use Mirror -> Builder when the workflow spans multiple products.
  8. Call Gateway or product APIs with Authorization: Bearer <token>.
  9. Use offline signed or remote licensing for local crypto/FHE/vector/FPE/policy operations.

The active platform contract is service credential plus bearer token for service-backed calls. Offline license is the local/native contract. Do not start a new integration around legacy API-key-first examples.

Minimal environment

Use the same environment contract as Agent Bootstrap and SDK Catalog and Quickstart.

export MIRROR_SERVICE_CREDENTIAL_FILE=.secrets/service-credential.json
 
# Optional — override platform host only if the credential's gateway_url is wrong for this environment
# export MIRROR_BASE_URL="https://<your-gateway-host>"

Mirror() derives MIRROR_API_URL and MIRROR_GATEWAY_URL from the credential JSON. Set MIRROR_BASE_URL only when overriding a stale credential host. Use MIRROR_GATEWAY_URL directly only for raw gateway/runtime health checks when not going through the hosted SDK.

Fast verification

For hosted /mapi integrations, prefer Mirror() with MIRROR_SERVICE_CREDENTIAL_FILE — run the hosted SDK example below as your smoke test.

If you are validating the raw gateway/runtime surface directly, use health checks first (URLs come from the credential or from MIRROR_BASE_URL if you override it). If these fail, do not start debugging SDK code yet.

curl -fsS "$MIRROR_GATEWAY_URL/healthz"
curl -fsS "$MIRROR_GATEWAY_URL/.well-known/jwks.json"

Acquire the SDK artifact

Use the exact internal acquisition command shown in Portal → Use Mirror → SDK & Quickstart. The portal catalog is entitlement-aware and only exposes the built artifacts that match the licensed surface.

Runtime quickstart

from mirror_sdk import Mirror
 
# Mirror() reads the service credential issued in Portal -> Use Mirror -> SDK & Quickstart
# from MIRROR_SERVICE_CREDENTIAL_FILE, exchanges client_id + client_secret at the Keycloak
# token endpoint, and attaches the resulting bearer token to every hosted call.
client = Mirror()
 
reply = client.chat.completions.create(
    model="gpt-4o-mini",
    messages=[{"role": "user", "content": "Say pong only."}],
)
print(reply.text)

Read next: Python SDK, Python Gateway SDK, Python Memory SDK.

Harness-validated coverage

The local end-to-end harness currently proves these service-backed paths live:

Product surfaceTypeScriptPythonAuthLicense
Gateway / VectaX runtimeyesyesbearer tokenplatform/runtime license
Memory / VDB through Gatewayyesyesbearer tokengateway runtime license
Discover clientyesyesbearer tokenservice-backed runtime license
AgentIQ / Policy clientyesyesbearer tokenservice-backed runtime license
CodePrism clientyesyesbearer tokenservice-backed runtime license

The SDK confidence suite separately validates local licensed surfaces for prompt/PRE, vector, FPE, metadata, FHE, policy, search, key management, and sealed transport across the canonical SDKs.

Registry model

The consolidated platform has three registries and one onboarding flow:

RegistryOwnerPurpose
Agent registryAgentIQ Identityagent lifecycle, delegated identity, scopes, token chains, audit subjects
Connector registryGatewayOAuth/configured connectors such as O365, ServiceNow, Memory, VDB, and tenant-specific tools
MCP registryGateway projectionChatGPT, Claude, IDE agents, and internal builders receive the allowed tool projection for the current service credential

Use Mirror Builder should bind these registries together, then attach:

  • AgentIQ Identity token/scopes
  • AgentIQ Policy Engine guardrails and tool policies
  • Gateway runtime lane and connector execution
  • VectaX Memory/VDB/FPE/PRE/FHE data controls
  • Discover security scans, including MCP/tool prompt-injection scans and code-security scans
  • Governance evidence for onboarding, smoke, and release gates

Common headless tasks

Agent-oriented integration rules

  1. Prefer the smallest credential that works.
  2. Verify health endpoints before running SDK calls.
  3. Use service credentials plus bearer tokens for service-backed flows.
  4. Use signed offline or remote licenses for local crypto/FHE/vector/FPE/policy operations.
  5. Use browser/WASM only for real browser-capable surfaces.

Where to go next

On this page