What this is

A path that reaches first success: get a key, connect an AI client, and make one governed call. No step is left to "depends on your deployment."

Prerequisites

• An AI Control Center workspace (org + at least one project). Request access if you don't have one.
• An MCP-compatible client (Claude Desktop, Cursor, VS Code) or any HTTP client for the REST API.
• One enabled tool or connector in your project (the sample project ships with a read-only demo tool).

1. Issue your first key ← (the step Aegis leaves out)

Keys are scoped to a project and a role, and they map to a principal (tenant, role, scopes).

In the console: Project → Settings → API Keys → Create key → choose a role (viewer / operator / approver) → copy the key (shown once). The key inherits the project's connector scopes; it cannot widen its own scope.

Or via API (admin token required):

curl -X POST https://api.<workspace>/api/v1/keys \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -d '{ "project_id": "proj_123", "role": "operator", "label": "cursor-laptop" }'
# → { "key": "act_live_…", "principal": { "tenant": "acme", "role": "operator" } }

Store it as AI_CONTROL_CENTER_KEY. If a call later returns scope_denied, the key's role/scopes are the place to look — not the agent prompt.

2. Connect an AI client

Hosted (remote MCP endpoint):

{ "mcpServers": { "ai-control-center": {
    "url": "https://gw.<workspace>/mcp",
    "headers": { "Authorization": "Bearer ${AI_CONTROL_CENTER_KEY}" } } } }

Local / private (NPX wrapper):

{ "mcpServers": { "ai-control-center": {
    "command": "npx", "args": ["-y", "@devplane/ai-control-center-mcp"],
    "env": { "AI_CONTROL_CENTER_KEY": "act_live_…" } } } }

You configure the client once to the gateway — not to Gmail, Slack, or your HRIS separately. The gateway handles discovery, authorization, credential injection, execution, confirmation, and audit.

3. Your first governed call

1. gw_session            → { user_intent: "try a read-only lookup" }   → session_id
2. search_tools          → "demo lookup"                               → returns the demo tool
3. execute_tool          → demo tool + args                            → { status: "allowed", result, evidence_id }
4. (try a write tool)    → execute_tool                                → { status: "routed", approval_id }
5. confirm_operation     → approve the approval_id                     → { status: "executed", evidence_id }

Pull the evidence_id from any step and fetch it (evidence_get) to see the control record — that's the proof trail you'll rely on in production.

Honest scope

This gets you to a working governed call. Production setup (real connectors, OAuth, approval routing to named humans, residency) is covered in the Connectors and Control Plane sections. The demo tool is read-only by design.

See also

Concepts · Architecture · Gateway API Contract