Docs

Deploy, configure, operate

The deployment runbook below is the primary customer-facing document for platform engineering and security operations teams. Per-feature deep-dives, API references, and SDK guides land on docs.intentgate.app as the docs site comes online.

For decision makers

IntentGate Product Brief

17-page executive overview. The five-check authorization pipeline, how agents register, what ships, architecture, compliance mapping (AI Act Annex IV, DORA Article 6, GDPR Article 32, NIST AI RMF, SOC 2), full OWASP Top 10 mapping for LLM and Agentic AI applications, per-agent tiered pricing, pilot terms, and how to engage. Built to forward to your CFO, CISO, or Risk Committee.

Request the brief PDF · 17 pages · 123 KB

For platform engineers

Deployment Runbook

27-page operational guide. Prerequisites, Helm + Docker Compose install paths, day-1 configuration (including the agent identity model and design rationale), day-2 operations, troubleshooting, incident response, full env variable reference, admin API reference.

Read online → · Download PDF · 27 pages · 169 KB

For console users

Operator Manual

Console user guide. Every page in the IntentGate operator console — Dashboard, Tokens, Policies, Audit, Audit Verify, Approvals, Elevations, Compliance, Integrations, Notifications, Security, Tenants, Settings — what it shows, how to use it, when you'd reach for it.

Read online → · Download PDF

For your SOC team

SIEM Runbook — Splunk

6-page reference for security operations. Audit-event field schema, five canonical SPL queries, HEC setup, one-line pointers for Datadog and Sentinel.

Download PDF → PDF · 6 pages · 82 KB

Reference

Deep technical reference for engineers integrating with IntentGate. API surface, deployment architecture, and integration recipes for common SIEM and observability stacks.

API

API reference

Every endpoint the gateway exposes. Runtime path (/v1/mcp, /v1/tool-call) plus admin path (capabilities, policies, audit, approvals, tenants). Authentication, error codes, request and response shapes.

Architecture

Architecture

What runs where, what talks to what. Components, request lifecycle, audit chain, multi-tenant model, three deployment topologies, trust boundaries.

Integrations

Recipes for common enterprise topologies. Each page is vendor-agnostic and links to deployable artifacts in the gateway repo.

AWS + Microsoft Sentinel

AWS workloads · Sentinel SIEM

Audit events into Microsoft Sentinel (hot lane, 12 months) and Amazon S3 + Athena (cold lane, multi-year). Native sinks, Glue table DDL, KQL query pack.

Gateway

Self-hosted authorization service. Go binary, embedded OPA, multi-tenant, tamper-evident audit chain.

SDKs

Agent-side libraries. Issue, attenuate, present capability tokens. Byte-compatible between Python and TypeScript.

  • pip install intentgate

    Python 3.10–3.13. PyPI · GitHub

  • npm install @intentgate-app/intentgate

    Node 18+, dual ESM/CJS, zero runtime deps. GitHub

Install in three steps

Standard Helm. About three minutes.

  1. Generate two secrets

    One signs tokens, one gates the admin API.

  2. Helm install the chart

    Gateway, extractor, Postgres-backed audit. No CRDs.

  3. Verify the four checks

    One health endpoint confirms the pipeline is live.

Mint your first token

One credential per agent. Issued by the gateway.

  1. Define the agent's identity

    Subject, tenant, and the tools it's allowed to call.

  2. Set the budget

    TTL, max calls, optional cost ceiling.

  3. Hand it to your agent

    Shown once. Stored like any secret. Revocable any time.

Want the commands? GitHub for source. Runbook PDF for production.

Getting-started guides

Four end-to-end runnable guides in the open-source gateway repo. Each is a single milestone you'll hit when bringing IntentGate into your environment. Copy-paste from a fresh laptop.

01 · 5 min

Quickstart — gateway running in 5 minutes

One docker run in-memory, mint a token, watch the capability check fire on a tool the token doesn't grant. The shortest path from zero to seeing a real authorization decision.

02 · 15 min

Your first Rego policy

Write Rego, push it via /v1/admin/policies/drafts + promote, test allow / escalate / block paths against the live engine. Includes the dry-run pattern and common rule shapes (time-of-day, per-agent overrides, step-up required).

03 · 15 min

Wire your first agent (Python SDK)

pip install intentgate, three-line Gateway() construction, typed exception per check. The LLM-loop-with-error-feedback pattern and attenuate() for sub-agent delegation.

04 · 10 min

Querying audit and verifying the chain

GET /v1/admin/audit filter parameters, SOC playbook queries (blocks in last hour, all activity by agent), chain verify endpoint, the daily-evidence-pack pattern for SOC 2 CC7.2 and EU AI Act Article 12.

Browse all guides on GitHub →

What's not (yet) in the guides above

The four guides cover the developer and SOC paths end-to-end: zero to a working policy, a wired-up agent, and queryable audit. For production deployment patterns — Helm-based HA, monitoring + alerting, day-2 operations, incident playbooks, full environment variable reference — the 23-page deployment runbook is the canonical document.

Request the runbook PDF