Getting Started
SDK Product Map
Which SDK, Portal surface, auth model, and product API to use for each Mirror product
Use this page when you know the product you want to use and need the shortest correct integration path.
The public contract is Portal plus SDK plus MAPI or Gateway. Do not build customer integrations against internal service URLs for AgentID, Tool Access, Agent Runtime, Memory, VDB, AgentIQ, PolicyEngine, Sandbox, Attestation, Workflow, or Telemetry.
One integration rule
| Need | Use |
|---|---|
| Hosted product call | Service credential plus bearer token |
| Local/native crypto or FHE | Local SDK License plus local SDK key material |
| Clean local handoff | SDK bundle from Service Credentials create/rotate |
| Browser helper | TypeScript plus WASM helper surface |
| Raw protected execution validation | Gateway route with service credential context |
| Product configuration | Portal or MAPI |
| Receipts, traces, telemetry | Product response plus Portal observability |
First setup
- Open Account Settings → Product subscriptions or Billing & Usage and confirm the product is active.
- Open Develop → Credentials and create or rotate a service credential.
- Download the service-credential handoff bundle when the secret is first displayed or rotated.
- Put the handoff files under
.secrets/and setMIRROR_SERVICE_CREDENTIAL_FILE. - Open Admin → Local SDK License when local/native SDK execution is required.
- Open Admin → Key Management when the app owns keys, CEKs, KMS handoff, or FHE bootstrap.
- Install SDK packages from Develop → SDK.
- Run
mirror diagnose,mirror licenses verify, and the smallest product smoke below before building the full workflow.
Product map
| Product surface | SDK / Portal entry | Public API path | Auth and keys | What to verify |
|---|---|---|---|---|
| Mirror VectaX Gateway | Mirror().chat, Mirror().gateway, Use Mirror -> Playground | Gateway through hosted MAPI or public Gateway facade | Service credential bundle; CEK only for encrypted lanes | response text, protection metadata, receipt/proof when protected |
| Protected inference | chat.completions.create(..., runtime="protected"), Use Mirror -> Playground | Gateway protected route | Service credential bearer plus client CEK for E2E lanes | encrypted deltas, local reveal, contract satisfied |
| Coding-agent proxy | mirror agent-proxy start, OpenAICompat, AnthropicCompat, client.compat | Localhost proxy into SDK then MAPI/Gateway; optional HTTPS capture listener under the same proxy | Local service credential bundle, local proxy API key, capture host allowlist when enabled | OpenAI/Anthropic response shape, protected evidence, model from live catalog, capture evidence digest when enabled |
| Claw / OpenClaw | mirror-claw-sdk, @mirror/claw-sdk, @mirror/claw-sdk-wasm, Rust mirror-claw-sdk | SDK package over MAPI/Gateway protected lanes | Per-workload service credential; browser package has no service credential | strict-FHE lane assertion, protected evidence booleans, tool policy result |
| Key management / KMS | client.keys, mirror kms, Key Management | MAPI key-management facade | Offline license for local/native; service credential for hosted handoff | generated key bundle, KMS handoff, restricted local file permissions |
| Native crypto / FHE | mirror-enc, client.fhe, client.pre, client.fpe, client.vectors | local SDK | Offline license and local key material | license verify, encrypt/decrypt roundtrip |
| Memory | client.memory, Use Mirror -> AI Memory | MAPI/Gateway facade | Service credential bearer; Tool Access authorizes resource scope behind the facade | observe/recall result and tenant-scoped trace |
| VDB / encrypted search | client.vdb, Use Mirror -> AI Memory | MAPI/Gateway facade | Service credential bearer; Tool Access authorizes collection scope behind the facade | create/list/search collection through facade |
| AgentIQ capabilities | client.agentiq.capabilities, AgentIQ Playground | MAPI AgentIQ facade | Service credential bearer and AgentIQ entitlement | capability result, bounded telemetry, no raw evidence unless requested |
| PolicyEngine | client.policy, client.policy_engine, Policy Workbench | MAPI PolicyEngine facade | Service credential bearer and policy entitlement | evaluate/generate/repair response, clean 422 errors |
| Agent Runtime | SDK run/trace helpers, Builder | MAPI/Gateway facade | Service credential bearer; internal runtime records steps | run id, step trace, linked receipts/evidence |
| Tool / MCP connectors | client.tools, client.mcp, Builder | MAPI/Gateway facade | Service credential bearer; Tool Access JIT grant behind the facade | grant-bound execution and denied invalid grant |
| AgentIQ Identity | client.agentiq.identity, AgentIQ Identity | MAPI identity facade | Service credential bearer or short-lived capability token | actor identity, scopes, audit subject |
| Sandbox | agent/tool workflow through Gateway or Agent Runtime | MAPI/Gateway facade | Service credential bearer plus Tool Access authorization | sandbox evidence linked to run step |
| Attestation | response receipts and proof APIs | product response or MAPI facade | product-specific bearer | signed evidence verifies; no raw sensitive payload |
| Telemetry | Portal observability | product response and telemetry sink | service emits sanitized envelope | usage/trace appears without raw prompts, contexts, or secrets |
| Code Prism | Code Prism SDK/API or extension | Code Prism public API | service credential bearer and Code Security entitlement | policy result, scan result, tool/run evidence |
| Behavioral Defense | endpoint/browser agent plus Portal | Behavioral product API | deployed agent identity and product entitlement | event appears with user/device/session context |
| DiscoveR | Discover SDK/API | Discover public API | service credential bearer and Discover entitlement | scan created, status updated, report available |
SDK surface by runtime
| Runtime | Use it for | Do not use it for |
|---|---|---|
Python mirror_sdk | backend orchestration, hosted product calls, memory/VDB, policy, AgentIQ, local coding-agent proxy | browser-only crypto helpers |
TypeScript @mirror/sdk | Node services, portal-adjacent apps, hosted product calls, memory/VDB, policy, AgentIQ, compatibility adapters | storing long-lived secrets in frontend code |
Go mirror-sdk | service integrations, gateway calls, catalog/compat helpers, protected CEK normalization | browser workflows or local HTTP proxy in 0.3.0 |
Rust mirror-sdk | systems integrations, catalog/compat helpers, protected CEK normalization | browser workflows or local HTTP proxy in 0.3.0 |
Native mirror-enc | local crypto, FHE, PRE, vector, FPE, license-verified offline work | hosted product provisioning |
WASM @mirror/wasm | browser-safe prompt/vector/FPE helpers and controlled local reveal | service credentials, gateway admin, full inference orchestration |
| Claw SDK packages | Claw/OpenClaw policy, tool wrapper, and strict-FHE evidence assertions | tenant provisioning or direct Gateway internals |
Smallest smoke by product
| Product | Smoke |
|---|---|
| Gateway | call routing catalog, then one chat request |
| Coding-agent proxy | start mirror agent-proxy, call /healthz, then one /v1/chat/completions request; for capture mode, curl through --capture-proxy to an allowlisted upstream URL |
| Claw / OpenClaw | normalize one policy decision and assert one protected response evidence object |
| Protected inference | call protected chat and confirm sealed deltas plus local reveal |
| SDK bundle | run mirror diagnose, mirror licenses verify, mirror gateway models, then one hosted call |
| Key management | generate key bundle, write it with restricted permissions, verify local load |
| Memory | observe one item, recall it with the same service credential |
| VDB | create collection, list collections, insert/search one point |
| AgentIQ | evaluate one capability with top-level platform shape |
| PolicyEngine | evaluate one policy and one bad request that returns clean 422 |
| Tool/MCP | mint a scoped grant, execute one allowed tool call, reject one invalid grant |
| Agent Runtime | create a run, record one inference step, link one receipt |
Boundaries to keep
| Boundary | Reason |
|---|---|
| MAPI owns provisioning and tenant/license checks | one control-plane authority |
| Gateway owns execution enforcement and sealed transport | one runtime edge |
| Tool Access owns grants and resource ABAC | no duplicated tool authorization |
| Agent Runtime owns run and step lifecycle | traces stay consistent across tools, policy, sandbox, and inference |
| Telemetry is a sink | telemetry must not become an auth or identity authority |
| SDK uses public facades only | customer integrations stay stable while internals move |