AgentLattice/Docs
Get Started
Navigate docs

Releases

Provisioner Guide

A provisioner is a trusted system that registers new agents in your workspace on behalf of your platform team. Instead of manually creating each agent through the dashboard, provisioners automate agent registration as part of your deployment pipeline -- every new service that spins up gets a governed identity automatically.

When You Need a Provisioner

Most teams start by registering agents manually through the dashboard. This works fine for a handful of long-running agents. But when your fleet grows, or when agents are created dynamically as part of deployments, you need programmatic registration.

Common provisioner scenarios:

  • CI/CD pipelines that spin up new agents for each deployment target
  • Platform teams that manage a fleet of agents across multiple services
  • Infrastructure-as-code workflows where agent identities are declared alongside infrastructure
  • Dynamic agent pools where agents are created and destroyed based on workload

Service Keys

Provisioners authenticate with a service key, which is distinct from agent API keys:

Credential Purpose Can register agents? Can execute actions?
Agent API key (al_agent_*) Individual agent identity No Yes
Service key (al_svc_*) Programmatic agent registration Yes No

A service key can create agents but cannot act as one. An agent key can act but cannot create others. This separation ensures that a compromised agent key cannot spawn new agents, and a compromised service key cannot take actions in your infrastructure.

Generating a Service Key

  1. Go to Settings > Security in the AgentLattice dashboard.
  2. Click Generate Service Key.
  3. Copy the key immediately -- it is displayed exactly once. Only the hash is stored server-side.
  4. Store the key in your CI/CD secrets manager (GitHub Secrets, Vault, AWS Secrets Manager, etc.).

Service key generation requires admin privileges and is recorded in the audit trail.

Registering Agents

Via the SDK

TypeScript:

import { AgentLattice } from "@agentlattice/sdk";

const al = new AgentLattice({
  serviceKey: process.env.AL_SERVICE_KEY,
});

const agent = await al.registerAgent({
  name: "deploy-bot-staging",
  capabilities: ["deploy.staging", "rollback.staging"],
});

console.log(agent.apiKey); // al_agent_... — store this securely
console.log(agent.id);     // agent ID for reference

Python:

import os
from agentlattice import AgentLattice

al = AgentLattice(service_key=os.environ["AL_SERVICE_KEY"])

agent = await al.register_agent(
    name="deploy-bot-staging",
    capabilities=["deploy.staging", "rollback.staging"],
)

print(agent.api_key)  # al_agent_... — store this securely
print(agent.id)       # agent ID for reference

Via the CLI

AL_SERVICE_KEY="al_svc_your_key" al register \
  --name "deploy-bot-staging" \
  --capabilities "deploy.staging,rollback.staging"

The CLI prints the new agent's API key to stdout. In a pipeline, capture it:

AGENT_KEY=$(AL_SERVICE_KEY="$SVC_KEY" al register \
  --name "deploy-bot-$ENV" \
  --capabilities "deploy.$ENV" \
  --json | jq -r '.apiKey')

Via the REST API

curl -X POST https://www.agentlattice.io/api/agents/register \
  -H "Authorization: Bearer al_svc_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "deploy-bot-staging",
    "capabilities": ["deploy.staging", "rollback.staging"]
  }'

Blast Radius Control

Service keys are powerful -- they can create agents in your workspace. Limit the blast radius of a compromised key:

  • One key per provisioner. Do not share a single service key across multiple pipelines. If one is compromised, you revoke only that key without disrupting other provisioners.
  • Rotate regularly. Service keys do not expire automatically. Set a rotation schedule (quarterly is typical) and revoke old keys after rotation.
  • Monitor registration events. Unexpected agent registrations are a strong signal that a service key has been compromised. Set up webhook alerts for registration events.
  • Audit who created what. Every agent registration is tied to the service key that created it. The audit trail shows which key registered which agents and when.

Revoking a Service Key

If a service key is compromised:

  1. Go to Settings > Security in the dashboard.
  2. Find the key by its label and click Revoke.
  3. Revocation is instant. The next registration attempt with that key will fail.
  4. Agents previously created by the revoked key continue to function -- revoking the service key does not affect existing agents.

If you suspect agents created by the compromised key are also compromised, halt or kill them individually from the dashboard or via MCP.

Infrastructure-as-Code Example

For teams using Terraform, Pulumi, or similar tools, agent registration can be part of your infrastructure declaration:

#!/bin/bash
# deploy.sh — called by your IaC pipeline

# Register the agent for this environment
AGENT_KEY=$(al register \
  --name "api-$ENVIRONMENT" \
  --capabilities "deploy.$ENVIRONMENT,health.$ENVIRONMENT" \
  --json | jq -r '.apiKey')

# Store the key in the environment's secret manager
aws secretsmanager put-secret-value \
  --secret-id "agentlattice/$ENVIRONMENT" \
  --secret-string "$AGENT_KEY"

# Deploy with governance
AL_API_KEY="$AGENT_KEY" al gate "deploy.$ENVIRONMENT" && deploy_service

This pattern ensures every deployed service has a governed identity from the moment it starts running.