1. Mint an API key
On Hexgate Cloud (or your self-hosted instance): sign up, open your project, go to Tokens, mint one, and set it:fty_live_… key only verifies against the
platform that minted it.
2. Register your agent
Push the agent’s manifest (its tools, model, system prompt) to the platform. On first register, the platform auto-generates a starter role-aware policy from the tool list — aread_only mixin plus default, member, and admin
roles, fail-closed (writes and shells gated). See CLI: register.
register vs serve. You rarely call
register yourself —
hexgate serve auto-registers the agent on first run.3. Edit the policy
Open the dashboard’s /policies page and shape the generated starter into your real rules: which role may call which tool, with which argument constraints (args.amount <= 500, …). See Dashboard,
policy YAML shape, and constraints.
Re-registering later never overwrites your edits — it only updates the manifest
snapshot.
4. Test in the Playground (optional)
Bring the agent up and drive it from the browser to watch decisions stream live:5. Deploy with the policy enforced
In production, your agent process just needsHEXGATE_API_KEY set. The SDK
resolves the agent’s policy from the platform and enforces it on every tool call —
no policy files shipped in your image, no enforce_policy(...) call to remember:
If-None-Match (the bundle’s wasm_hash): a 304
reuses the cached WASM module, a 200 swaps in the new one. So a policy change in
the dashboard lands on the next request your live agent serves — the code, model,
and tool list stay fixed for the process lifetime; only the policy refreshes. See
policy decision for the refresh seam.
The two systems of record
| Source of truth | Changes via | |
|---|---|---|
| Code — tools, model, system prompt | your Python (the manifest) | redeploy / re-register |
| Policy — roles, tools, arg constraints | the platform | dashboard edit → next turn |