Skip to content
Docs

Partner Quickstart

Partner Quickstart (Design Partner Pilot)

This is the single end-to-end onboarding path for design partners.

Rules

  • Do not share secrets in email/Slack/docs. Use placeholders like
    <API_KEY>
    .
  • Use a non-production environment first (dev/stage) unless explicitly agreed.

If you need deeper context, see:

  • Starter pack:
    docs/design-partner-starter-pack.md
  • Intake questionnaire:
    docs/design-partner-intake-questionnaire.md
  • Demo script (10 min walkthrough):
    docs/design-partner-demo-script.md
  • Onboarding runbook (internal):
    docs/design-partner-onboarding-runbook.md
  • Kill switch:
    docs/kill-switch-runbook.md
  • Known limitations:
    docs/known-limitations.md

0) Prereqs

You need:

  1. A Gateway URL (pilot instance) provided by the team, e.g.:
    • https://<YOUR_GATEWAY_HOST>
  2. A tenant/admin user created for you (or invited).
  3. A tool/agent identity naming convention:
    • example agent IDs:
      support_bot
      ,
      finance_agent
    • example tool IDs:
      zendesk.ticket.read
      ,
      jira.issue.create

1) Log in and verify the UI

  1. Log into the Gateway UI.
  2. Navigate to:
    • /tools
      (register tools)
    • /agents
      (register agents)
    • /api-keys
      (create an API key)
    • /policies
      (policies + Autopilot)
    • /decision-logs
      (audit + trace details)

If you see an auth/tenant mapping error, capture it in the friction log:

docs/pilot-friction-log-template.md
.


2) Create an API key (for agent calls)

  1. Go to
    /api-keys
  2. Create a key for your pilot agent(s)
  3. Store the key securely (password manager / secrets manager). Treat as a secret.

You will use it as:

  • HTTP header:
    x-api-key: <API_KEY>

3) Run the shim smoke test (recommended)

If you’re using the MCP enforcement shim, follow:

  • Install:
    docs/mcp-shim-design-partner-install.md
  • Smoke test:
    docs/mcp-shim-quick-smoke-test.md

Goal: confirm the shim can call the Gateway and get allow/deny responses.


4) Make a first decision call (direct curl)

Use the API reference as ground truth:

docs/api.md

Example (edit placeholders):

curl -sS -X POST "https://<YOUR_GATEWAY_HOST>/api/decision" \
  -H "content-type: application/json" \
  -H "x-api-key: <API_KEY>" \
  -d '{
    "requestId": "partner_quickstart_001",
    "agentId": "support_bot",
    "toolId": "zendesk.ticket.read",
    "environment": "stage",
    "user": { "login": "jsmith", "email": "jsmith@example.com" },
    "params": { "ticketId": "12345" }
  }'

Expected:

  • JSON response with
    { "ok": true, "decision": "allow" | "deny", ... }
  • A trace is written. The system fails closed if trace insert fails.

5) Confirm audit trace + deep links

  1. Go to

    /decision-logs

  2. Paste your

    requestId
    (e.g.
    partner_quickstart_001
    ) into search OR open:

    • /decision-logs?q=partner_quickstart_001
  3. Open the trace detail by clicking

    trace_id

You should see:

  • decision (allow/deny)
  • matched policy (if any)
  • inputs (agent/tool/env/user/params)

If a deep link doesn’t work, log it in:

docs/pilot-friction-log-template.md


6) Use Autopilot: recommend + save as draft + replay impact

  1. Go to

    /policies

  2. In Policy Autopilot:

    • click Generate recommendation
    • click Save draft (inactive) to save an inactive draft policy
    • click Replay impact to see breakage / new access samples

Notes:

  • Draft policies are inactive and not enforced until you activate them.
  • Replay results include deep links to traces or filtered logs when available.

Optional: Top users (redacted)

  • Autopilot may show Top users (redacted) per tool if the feature is enabled by the operator.
  • If you see
    topUsersByTool: {}
    (empty), it usually means traces in this environment do not include
    user_login
    /
    user_email
    yet — not a failure.
  • To verify, open DevTools → Network →
    POST /api/autopilot/recommend
    and check the JSON response for
    topUsersByTool
    .

More detail:

docs/policy-autopilot-v1.md


7) Activate a policy (explicit enforcement)

  1. On
    /policies
    , find your draft policy
  2. Click Activate
  3. Confirm the activation prompt

Activation means:

  • policy is now enforced for matching requests immediately

If you need to stop enforcement quickly, see:

  • docs/kill-switch-runbook.md

8) Troubleshooting

Common checks:

  • Confirm
    x-api-key
    is present (header) and correct.
  • Confirm
    environment
    matches what your policies expect.
  • Confirm your agent/tool IDs match what you registered.
  • Use
    /decision-logs?q=<requestId>
    to find the trace.

If you’re blocked, capture:

  • requestId
  • approximate time (timezone)
  • environment (dev/stage/prod)
  • agentId/toolId
  • the decision + reason (from response or trace)

Log it in:

docs/pilot-friction-log-template.md