Documents are loading...

Getting Started

Quick Start Guide

The shortest correct path from portal access to a working hosted or local SDK call

Quick Start Guide

Use this page when you want the shortest path that still matches the real platform contract.

Mirror distributes built SDK artifacts through Portal and internal release channels. Do not start with public npm, pip, or Cargo flows. Use the exact acquisition command shown on Develop → SDK for your licensed products.

Before you install anything

Confirm licensed products in Account Settings → Product subscriptions or Billing & Usage. The Home product cards also reflect what is unlocked.

  • Service Credentials for hosted runtime calls such as Gateway, Discover, AgentIQ, and Code Prism.
  • Local SDK License for local/native execution such as native crypto, vector, metadata, prompt, CEK / KMS, and FHE.

Open Develop → SDK for the licensed package catalog, or download the service-credential handoff bundle from Develop → Credentials during create/rotate.

Use Use Mirror Surfaces when the operator question is which Portal surface to open first.

Acquire built artifacts

# 1. Log in to your Mirror portal (partner / customer credentials required)
# 2. Navigate to: Develop → SDK, or download the bundle from Service Credentials during create/rotate
# 3. Download the TypeScript SDK tarball
 
# 4. Install locally
npm install /path/to/mirror-sdk-<version>.tgz

Prepare the credential bundle

For hosted calls, create or rotate a service credential in Portal and download the service credential handoff bundle while the client_secret is visible. Existing credential downloads can refresh URLs and license files, but they cannot mint tokens unless the secret is present.

Install SDK packages separately from Develop → SDK.

SDK_BUNDLE_DIR="/path/to/downloaded-credential-bundle"
 
mkdir -p .secrets
chmod 700 .secrets
 
# Copy or unzip the service credential handoff bundle into .secrets.
# service-credential.json must include the first-display or rotated client_secret
# for hosted SDK calls.
cp "$SDK_BUNDLE_DIR/service-credential.json" .secrets/service-credential.json
chmod 600 .secrets/service-credential.json
 
# Optional: local/native bundle files, when included in the Portal download.
if [ -f "$SDK_BUNDLE_DIR/mirror-license.json" ]; then
  cp "$SDK_BUNDLE_DIR/mirror-license.json" .secrets/mirror-license.json
  chmod 600 .secrets/mirror-license.json
fi
 
if [ -f "$SDK_BUNDLE_DIR/mirror-license-public-key.b64" ]; then
  cp "$SDK_BUNDLE_DIR/mirror-license-public-key.b64" .secrets/mirror-license-public-key.b64
  chmod 600 .secrets/mirror-license-public-key.b64
fi

Do not commit .secrets/, service-credential.json, license files, bearer tokens, or copied credential contents.

Minimal environment

Hosted runtime calls

export MIRROR_SERVICE_CREDENTIAL_FILE=.secrets/service-credential.json
 
# Optional — override platform host only if the credential's gateway_url is wrong for this environment
# export MIRROR_BASE_URL="https://<your-gateway-host>"

Local/native execution

export MIRROR_LICENSE_FILE=.secrets/mirror-license.json
export MIRROR_LICENSE_PUBLIC_KEY_B64_FILE=.secrets/mirror-license-public-key.b64

Verify the deployment first

For hosted /mapi integrations, prefer Mirror() with MIRROR_SERVICE_CREDENTIAL_FILE — the SDK exchanges the credential and attaches the bearer token automatically. Use the first hosted SDK call below as your smoke test.

If you are validating the raw gateway/runtime surface directly, run (URLs come from the credential or from MIRROR_BASE_URL if you override it):

curl -fsS "$MIRROR_GATEWAY_URL/healthz"
curl -fsS "$MIRROR_GATEWAY_URL/.well-known/jwks.json"

If the raw-gateway health checks fail, stop there. Fix the deployment or credentials before debugging SDK code.

Manual bearer token exchange (optional)

Only needed for raw HTTP scripts — not when using Mirror() with the SDK bundle:

# Values below are also embedded in service-credential.json
export MIRROR_TOKEN_URL="https://<your-gateway-host>/keycloak/realms/<your-realm>/protocol/openid-connect/token"
export MIRROR_CLIENT_ID="<service-credential-client-id>"
export MIRROR_CLIENT_SECRET="<service-credential-secret>"
 
ACCESS_TOKEN=$(curl -s "$MIRROR_TOKEN_URL" \
  -d grant_type=client_credentials \
  -d client_id="$MIRROR_CLIENT_ID" \
  -d client_secret="$MIRROR_CLIENT_SECRET" | jq -r .access_token)

First successful call

from mirror_sdk import Mirror
 
# Mirror() reads the service credential issued from Portal; SDK artifacts come from Develop → SDK or Service Credentials.
# from MIRROR_SERVICE_CREDENTIAL_FILE, exchanges client_id + client_secret at the Keycloak
# token endpoint, and attaches the resulting bearer token to every hosted call.
client = Mirror()
 
reply = client.chat.completions.create(
    model="gpt-4o-mini",
    messages=[{"role": "user", "content": "Say pong only."}],
)
print(reply.text)

Common next steps

On this page