Documents are loading...

Getting Started

SDK Product Map

Which SDK, Portal surface, auth model, and product API to use for each Mirror product

Use this page when you know the product you want to use and need the shortest correct integration path.

The public contract is Portal plus SDK plus MAPI or Gateway. Do not build customer integrations against internal service URLs for AgentID, Tool Access, Agent Runtime, Memory, VDB, AgentIQ, PolicyEngine, Sandbox, Attestation, Workflow, or Telemetry.

One integration rule

NeedUse
Hosted product callService credential plus bearer token
Local/native crypto or FHELocal SDK License plus local SDK key material
Clean local handoffSDK bundle from Service Credentials create/rotate
Browser helperTypeScript plus WASM helper surface
Raw protected execution validationGateway route with service credential context
Product configurationPortal or MAPI
Receipts, traces, telemetryProduct response plus Portal observability

First setup

  1. Open Account Settings → Product subscriptions or Billing & Usage and confirm the product is active.
  2. Open Develop → Credentials and create or rotate a service credential.
  3. Download the service-credential handoff bundle when the secret is first displayed or rotated.
  4. Put the handoff files under .secrets/ and set MIRROR_SERVICE_CREDENTIAL_FILE.
  5. Open Admin → Local SDK License when local/native SDK execution is required.
  6. Open Admin → Key Management when the app owns keys, CEKs, KMS handoff, or FHE bootstrap.
  7. Install SDK packages from Develop → SDK.
  8. Run mirror diagnose, mirror licenses verify, and the smallest product smoke below before building the full workflow.

Product map

Product surfaceSDK / Portal entryPublic API pathAuth and keysWhat to verify
Mirror VectaX GatewayMirror().chat, Mirror().gateway, Use Mirror -> PlaygroundGateway through hosted MAPI or public Gateway facadeService credential bundle; CEK only for encrypted lanesresponse text, protection metadata, receipt/proof when protected
Protected inferencechat.completions.create(..., runtime="protected"), Use Mirror -> PlaygroundGateway protected routeService credential bearer plus client CEK for E2E lanesencrypted deltas, local reveal, contract satisfied
Coding-agent proxymirror agent-proxy start, OpenAICompat, AnthropicCompat, client.compatLocalhost proxy into SDK then MAPI/Gateway; optional HTTPS capture listener under the same proxyLocal service credential bundle, local proxy API key, capture host allowlist when enabledOpenAI/Anthropic response shape, protected evidence, model from live catalog, capture evidence digest when enabled
Claw / OpenClawmirror-claw-sdk, @mirror/claw-sdk, @mirror/claw-sdk-wasm, Rust mirror-claw-sdkSDK package over MAPI/Gateway protected lanesPer-workload service credential; browser package has no service credentialstrict-FHE lane assertion, protected evidence booleans, tool policy result
Key management / KMSclient.keys, mirror kms, Key ManagementMAPI key-management facadeOffline license for local/native; service credential for hosted handoffgenerated key bundle, KMS handoff, restricted local file permissions
Native crypto / FHEmirror-enc, client.fhe, client.pre, client.fpe, client.vectorslocal SDKOffline license and local key materiallicense verify, encrypt/decrypt roundtrip
Memoryclient.memory, Use Mirror -> AI MemoryMAPI/Gateway facadeService credential bearer; Tool Access authorizes resource scope behind the facadeobserve/recall result and tenant-scoped trace
VDB / encrypted searchclient.vdb, Use Mirror -> AI MemoryMAPI/Gateway facadeService credential bearer; Tool Access authorizes collection scope behind the facadecreate/list/search collection through facade
AgentIQ capabilitiesclient.agentiq.capabilities, AgentIQ PlaygroundMAPI AgentIQ facadeService credential bearer and AgentIQ entitlementcapability result, bounded telemetry, no raw evidence unless requested
PolicyEngineclient.policy, client.policy_engine, Policy WorkbenchMAPI PolicyEngine facadeService credential bearer and policy entitlementevaluate/generate/repair response, clean 422 errors
Agent RuntimeSDK run/trace helpers, BuilderMAPI/Gateway facadeService credential bearer; internal runtime records stepsrun id, step trace, linked receipts/evidence
Tool / MCP connectorsclient.tools, client.mcp, BuilderMAPI/Gateway facadeService credential bearer; Tool Access JIT grant behind the facadegrant-bound execution and denied invalid grant
AgentIQ Identityclient.agentiq.identity, AgentIQ IdentityMAPI identity facadeService credential bearer or short-lived capability tokenactor identity, scopes, audit subject
Sandboxagent/tool workflow through Gateway or Agent RuntimeMAPI/Gateway facadeService credential bearer plus Tool Access authorizationsandbox evidence linked to run step
Attestationresponse receipts and proof APIsproduct response or MAPI facadeproduct-specific bearersigned evidence verifies; no raw sensitive payload
TelemetryPortal observabilityproduct response and telemetry sinkservice emits sanitized envelopeusage/trace appears without raw prompts, contexts, or secrets
Code PrismCode Prism SDK/API or extensionCode Prism public APIservice credential bearer and Code Security entitlementpolicy result, scan result, tool/run evidence
Behavioral Defenseendpoint/browser agent plus PortalBehavioral product APIdeployed agent identity and product entitlementevent appears with user/device/session context
DiscoveRDiscover SDK/APIDiscover public APIservice credential bearer and Discover entitlementscan created, status updated, report available

SDK surface by runtime

RuntimeUse it forDo not use it for
Python mirror_sdkbackend orchestration, hosted product calls, memory/VDB, policy, AgentIQ, local coding-agent proxybrowser-only crypto helpers
TypeScript @mirror/sdkNode services, portal-adjacent apps, hosted product calls, memory/VDB, policy, AgentIQ, compatibility adaptersstoring long-lived secrets in frontend code
Go mirror-sdkservice integrations, gateway calls, catalog/compat helpers, protected CEK normalizationbrowser workflows or local HTTP proxy in 0.3.0
Rust mirror-sdksystems integrations, catalog/compat helpers, protected CEK normalizationbrowser workflows or local HTTP proxy in 0.3.0
Native mirror-enclocal crypto, FHE, PRE, vector, FPE, license-verified offline workhosted product provisioning
WASM @mirror/wasmbrowser-safe prompt/vector/FPE helpers and controlled local revealservice credentials, gateway admin, full inference orchestration
Claw SDK packagesClaw/OpenClaw policy, tool wrapper, and strict-FHE evidence assertionstenant provisioning or direct Gateway internals

Smallest smoke by product

ProductSmoke
Gatewaycall routing catalog, then one chat request
Coding-agent proxystart mirror agent-proxy, call /healthz, then one /v1/chat/completions request; for capture mode, curl through --capture-proxy to an allowlisted upstream URL
Claw / OpenClawnormalize one policy decision and assert one protected response evidence object
Protected inferencecall protected chat and confirm sealed deltas plus local reveal
SDK bundlerun mirror diagnose, mirror licenses verify, mirror gateway models, then one hosted call
Key managementgenerate key bundle, write it with restricted permissions, verify local load
Memoryobserve one item, recall it with the same service credential
VDBcreate collection, list collections, insert/search one point
AgentIQevaluate one capability with top-level platform shape
PolicyEngineevaluate one policy and one bad request that returns clean 422
Tool/MCPmint a scoped grant, execute one allowed tool call, reject one invalid grant
Agent Runtimecreate a run, record one inference step, link one receipt

Boundaries to keep

BoundaryReason
MAPI owns provisioning and tenant/license checksone control-plane authority
Gateway owns execution enforcement and sealed transportone runtime edge
Tool Access owns grants and resource ABACno duplicated tool authorization
Agent Runtime owns run and step lifecycletraces stay consistent across tools, policy, sandbox, and inference
Telemetry is a sinktelemetry must not become an auth or identity authority
SDK uses public facades onlycustomer integrations stay stable while internals move

On this page