Getting Started
Entitlements and Access
How Portal, SDK visibility, service credentials, offline licenses, and key management all map back to the same enterprise entitlements
Use this page when a user asks one of these questions:
- Why does one product show up in Portal but another does not?
- Why does the SDK catalog hide some packages or quickstarts?
- When should a team use a service credential versus an offline license?
- Where does Key Management fit into the runtime story?
- Where should an operator verify what the enterprise is actually entitled to use?
The one-page rule
Start in the Portal license overview:
- Account → Account Settings → Product subscriptions
- Account → Billing & Usage (admin)
- Home product cards, which show which surfaces are unlocked for your enterprise
That overview is the source of truth for:
- which products are licensed for the enterprise
- which SDK cards and downloads stay visible on Develop → SDK
- which teams should use Develop → Credentials
- which teams should use Admin → Local SDK License
- which teams should use Admin → Key Management
If a product card, SDK package, or quickstart is missing, confirm the license state in Account Settings or Billing & Usage first. Do not debug routes or credentials until the entitlement is confirmed.
What each access surface means
| Portal surface | Use it for | Backing model |
|---|---|---|
| Develop → Credentials | Hosted runtime calls to Gateway, Discover, AgentIQ, Code Prism, and other service-backed clients | Project-scoped service credential plus Keycloak bearer token |
| Admin → Local SDK License | Local and native SDK execution such as native crypto, CEK / KMS, vector, metadata, prompt, and FHE flows | Enterprise offline signed license |
| Admin → Key Management | Browser or SDK-driven key generation, private-key export, public-material registration, CEK / KMS handoff, and FHE rail bootstrap | Customer-generated keys plus hosted session/KMS rails |
| Develop → SDK | Downloading packages, native bundles, and entitlement-filtered SDK catalog items | Filtered by the same entitlement model |
| License overview | Seeing what the enterprise owns and which surfaces are unlocked | Account Settings and Billing & Usage |
Product-to-access mapping
| Product / surface | Primary access path |
|---|---|
| Gateway / VectaX runtime | Service credential + bearer token |
| Discover | Service credential + bearer token |
| AgentIQ / Policy | Service credential + bearer token |
| Code Prism | Service credential + bearer token |
| Native crypto | Offline license |
| Memory / VDB helpers | Offline license for local/native use, service credential for hosted runtime use |
| CEK / KMS | Offline license for local/native use, service credential for hosted runtime use |
| FHE | Offline license |
| Customer-owned prompt/vector/signing keys | Key Management plus offline license or SDK-native flows |
How SDK visibility works
The Portal SDK catalog is entitlement-aware.
That means:
- a product without an active entitlement should not show a quickstart card
- a package that only makes sense for an unlicensed surface should not be shown
- native bundles stay visible only when the enterprise license unlocks those local/native surfaces
- Key Management actions should only appear when the enterprise can actually use the related crypto rails
Recommended operator flow
- Open Account Settings → Product subscriptions or Billing & Usage and confirm the product shows as active or trial.
- Decide whether the team needs:
- Develop → Credentials for hosted runtime calls,
- Admin → Local SDK License for local/native execution, or
- Admin → Key Management for customer-generated keys and KMS handoff.
- Open Develop → SDK to download packages, or create/rotate a service credential under Develop → Credentials for the handoff bundle.
- Open Use Mirror → Playground or Use Mirror → Onboarding for the first hosted call and snippets.
- Verify metrics / usage in Use Mirror → Usage or Billing & Usage.