Getting started

Integrate Aegis into your application — your repo, your deploy, your servers. You do not clone the Salanor monorepo or run our internal pnpm dev.

Who this guide is for: engineers at a customer company who received console access and need to send signed events from a service, worker, or agent.

1. Get credentials in the console

Your org admin (or you, after signup) uses the Salanor console:

  1. Sign up / sign in — create your organization or accept an invite.
  2. API keys — create an ingest API key. Copy the secret once; store it in your vault (e.g. AEGIS_INGEST_API_KEY).
  3. Agents — create or select an agent. Export the Ed25519 signing key (private key base64, key_id, agent_id,organization_id).
  4. Optional: Policies — define which tools are allowed, denied, or require human approval.

2. Install the SDK in your project

Pick your language on the SDK overview. TypeScript is recommended for full policy proxy support; Python and Go support sign + ingest today.

TypeScript / Node example — in your repository:

Your project
npm install @salanor/aegis
# or
pnpm add @salanor/aegis

3. Configure environment variables

Set these in your app's deployment (Kubernetes secret, Vercel env, .env on your laptop — whatever you already use):

.env (your app)
AEGIS_API_URL=https://api.salanor.com
AEGIS_INGEST_API_KEY=aegis_xxxxxxxx   # from console
ORGANIZATION_ID=uuid-from-console
AGENT_ID=agt_xxxxxxxx
KEY_ID=key_xxxxxxxx
SIGNING_PRIVATE_KEY_B64=base64-from-console-export

Set AEGIS_API_URL to your Salanor API base (production: https://api.salanor.com). Ingest routes live under /v1/aegis — full ingest URL: https://api.salanor.com/v1/aegis.

4. Send your first signed event

Add this to a route, worker, or script in your codebase:

your-app/src/aegis.ts
import { signAndIngest } from "@salanor/aegis";

export async function recordLlmStep(traceId: string, prompt: string, response: string) {
  return signAndIngest(
    {
      schema_version: 1,
      event_id: `evt_${crypto.randomUUID().replace(/-/g, "").slice(0, 24)}`,
      organization_id: process.env.ORGANIZATION_ID!,
      trace_id: traceId,
      agent_id: process.env.AGENT_ID!,
      key_id: process.env.KEY_ID!,
      emitted_at: new Date().toISOString(),
      actor_type: "agent",
      actor_principal: "my-support-bot",
      action_kind: "llm_invocation",
      policy_decision: "allow",
      tool_name: "openai.chat.completions",
      payload: {
        purpose: "support_triage",
        data_touched: ["ticket_message"],
        data_classification: "pii",
      },
    },
    {
      privateKeyB64: process.env.SIGNING_PRIVATE_KEY_B64!,
      keyId: process.env.KEY_ID!,
    },
    {
      apiBaseUrl: process.env.AEGIS_API_URL!,
      ingestApiKey: process.env.AEGIS_INGEST_API_KEY!,
    },
  );
}

5. Gate outbound tools (payments, APIs)

Wrap dangerous HTTP calls with wrapFetch so policy runs before the request leaves your process. See TypeScript SDK.

6. Verify in the console

Open Console → Traces. You should see your trace_id with signed events and a valid hash chain.

What you do not need

  • cd salanor, docker compose, or pnpm dev — those are for Salanor engineers running the platform locally.
  • Access to the Salanor GitHub monorepo — only the npm package (or HTTP API) in your app.

Salanor staff: local stack setup lives in the monorepo docs-internal/LOCAL_DEVELOPMENT.md and Platform Ops → Commands.

Next steps