Deploy, configure, operate

Gateway

Self-hosted authorization service. Go binary, embedded OPA, multi-tenant, tamper-evident audit chain.

• Source — github.com/NetGnarus/intentgate-gateway

  Apache 2.0. CI, signed releases, SBOM + provenance.

• ghcr.io/netgnarus/intentgate-gateway:1.6.0

  Multi-arch container image. Distroless base.

• Helm chart — oci://ghcr.io/netgnarus/charts/intentgate

  Deploys gateway + extractor. Postgres-backed audit.

SDKs

Agent-side libraries. Issue, attenuate, present capability tokens. Byte-compatible between Python and TypeScript.

• pip install intentgate

  Python 3.10–3.13. PyPI · GitHub

• npm install @netgnarus/intentgate

  Node 18+, dual ESM/CJS, zero runtime deps. GitHub

Quick install

# Generate secrets (kept in your secret manager)
ADMIN_TOKEN=$(openssl rand -hex 32)
MASTER_KEY=$(openssl rand -hex 32)

# Postgres connection
kubectl create namespace intentgate
kubectl -n intentgate create secret generic intentgate-db \
  --from-literal=url='postgres://...'

# Helm install
helm install intentgate \
  oci://ghcr.io/netgnarus/charts/intentgate \
  --namespace intentgate \
  --set gateway.image.tag=1.6.0 \
  --set gateway.adminToken.value=$ADMIN_TOKEN \
  --set gateway.masterKey.value=$MASTER_KEY \
  --set postgres.existingSecret=intentgate-db \
  --set audit.persist=true

# Verify
kubectl -n intentgate port-forward svc/intentgate-gateway 8080:8080 &
curl http://localhost:8080/healthz
# {"ok":true,"version":"1.6.0"}

Mint your first token

curl -X POST $GATEWAY/v1/admin/mint \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "subject":      "agent-trade-bot",
    "tenant":       "default",
    "ttl_seconds":  86400,
    "tools":        ["read_invoice", "send_email"],
    "max_calls":    1000
  }'

# Returns {"token": "eyJ...", "jti": "...", ...}
# Token shown ONCE. Store in your agent's secret manager.