Skip to content

Commit 8f9c3d3

Browse files
committed
docs: update user guide
1 parent 14108e8 commit 8f9c3d3

1 file changed

Lines changed: 63 additions & 5 deletions

File tree

src/sap_cloud_sdk/agentgateway/user-guide.md

Lines changed: 63 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -14,9 +14,9 @@ pip install sap-cloud-sdk[langchain]
1414

1515
## Quick Start
1616

17-
### Customer Agent Flow
17+
### Customer Agent Flow — Standard Mode (file-based mTLS)
1818

19-
Customer agents use file-based credentials with mTLS authentication. MCP servers are read from `integrationDependencies` in the credentials file.
19+
Customer agents use file-based credentials with mTLS authentication. The SDK reads the credentials file from the path in `AGW_CREDENTIALS_PATH`, or falls back to the default Kyma mount path `/etc/ums/credentials/credentials`. MCP servers are read from `integrationDependencies` in the credentials file.
2020

2121
```python
2222
from sap_cloud_sdk.agentgateway import create_client
@@ -38,9 +38,55 @@ result = await agw_client.call_mcp_tool(
3838
user_token="user-jwt",
3939
cost_center="1000",
4040
)
41+
```
42+
43+
### Customer Agent Flow — Transparent Mode (gateway-injected mTLS)
44+
45+
In transparent mode the OpenShell Gateway intercepts HTTPS connections and injects the mTLS client certificate at the TLS layer. The agent never loads certificate or private key material — only the service endpoint URLs need to be visible to the agent process.
46+
47+
Set `AGW_TLS_MODE=transparent` and provide the required environment variables:
48+
49+
```bash
50+
export AGW_TLS_MODE="transparent"
51+
export CLIENT_ID="sb-abc123|xsuaa_std!b318"
52+
export TOKEN_SERVICE_URL="https://your-tenant.accounts.ondemand.com/oauth2/token"
53+
export GATEWAY_URL="https://agent-gateway.example.com"
54+
export INTEGRATION_DEPENDENCIES='[{"ordId": "sap.app:apiResource:my-tool:v1", "globalTenantId": "123456"}]'
55+
export HTTPS_PROXY="https://openshell-gateway:3128" # set automatically by OpenShell
56+
```
57+
58+
```python
59+
from sap_cloud_sdk.agentgateway import create_client
60+
from sap_cloud_sdk.agentgateway.config import ClientConfig
4161

62+
# Option 1: read AGW_TLS_MODE from environment
63+
client = create_client(config=ClientConfig.from_env())
64+
65+
# Option 2: set explicitly in code
66+
from sap_cloud_sdk.agentgateway.config import TlsMode
67+
client = create_client(config=ClientConfig(tls_mode=TlsMode.TRANSPARENT))
68+
69+
# Usage is identical to standard mode
70+
tools = await client.list_mcp_tools()
71+
result = await client.call_mcp_tool(tool=tools[0], user_token="user-jwt", cost_center="1000")
4272
```
4373

74+
**When to use transparent mode:**
75+
76+
- The agent runs inside an OpenShell Gateway sandbox with a `PolicyClass` configured for `tls: terminate` and `credentialRewrite: requestBody: true` on the IAS endpoint.
77+
- You want to eliminate TLS certificates and private keys from the agent process memory and filesystem entirely.
78+
- Credential rotation without pod restarts is required (secrets are updated in the gateway, not the agent).
79+
80+
**Credential visibility comparison:**
81+
82+
| Credential | Standard mode | Transparent mode |
83+
|---|---|---|
84+
| `CLIENT_ID` | In credentials file | In env var (gateway resolves placeholder) |
85+
| `CERTIFICATE` | In credentials file + SSLContext | Never in agent — gateway-injected |
86+
| `PRIVATE_KEY` | In credentials file + SSLContext | Never in agent — gateway-injected |
87+
| `TOKEN_SERVICE_URL` | In credentials file | In env var |
88+
| `GATEWAY_URL` | In credentials file | In env var |
89+
4490
### LoB Agent Flow
4591

4692
LoB agents use BTP Destination Service for credential management. Tools are auto-discovered from destination fragments.
@@ -103,9 +149,11 @@ mcp_tool_to_langchain(
103149
### Agent Types
104150

105151
- **LoB (Line of Business) Agent**: Uses BTP Destination Service for credentials. Requires `tenant_subdomain`. Tools are auto-discovered from destination fragments.
106-
- **Customer Agent**: Uses file-based credentials mounted on the pod filesystem with mTLS authentication. MCP servers are defined in the credentials file's `integrationDependencies`.
152+
- **Customer Agent**: Uses credentials for mTLS authentication against IAS. MCP servers are defined in `integrationDependencies`. Supports two sub-modes:
153+
- **Standard mode** (default): credentials are read from a file mounted on the pod filesystem. The agent loads the certificate and private key into an `ssl.SSLContext` and performs the mTLS handshake directly.
154+
- **Transparent mode** (`AGW_TLS_MODE=transparent`): the OpenShell Gateway intercepts HTTPS connections and injects the client certificate at the TLS layer. The agent reads only endpoint URLs from environment variables and never accesses certificate or private key material.
107155

108-
The SDK automatically detects the agent type based on the presence of a credentials file.
156+
The SDK automatically selects the agent type and TLS mode based on credential file presence and the `AGW_TLS_MODE` environment variable.
109157

110158

111159
## API
@@ -124,27 +172,37 @@ def create_client(
124172

125173
### ClientConfig
126174

127-
Use `ClientConfig` to tune request timeouts and token cache behavior for a client instance.
175+
Use `ClientConfig` to tune request timeouts, token cache behaviour, and TLS mode for a client instance.
128176

129177
```python
130178
from sap_cloud_sdk.agentgateway import ClientConfig, create_client
179+
from sap_cloud_sdk.agentgateway.config import TlsMode
131180

132181
config = ClientConfig(
133182
timeout=30.0,
134183
fallback_token_ttl_seconds=300.0,
135184
token_expiry_buffer_seconds=30.0,
136185
max_system_token_cache_size=32,
137186
max_user_token_cache_size=256,
187+
tls_mode=TlsMode.STANDARD, # or TlsMode.TRANSPARENT
138188
)
139189

140190
agw_client = create_client(tenant_subdomain="my-tenant", config=config)
141191
```
142192

193+
Use `ClientConfig.from_env()` to resolve `tls_mode` automatically from the `AGW_TLS_MODE` environment variable:
194+
195+
```python
196+
config = ClientConfig.from_env() # reads AGW_TLS_MODE; defaults to STANDARD
197+
agw_client = create_client(config=config)
198+
```
199+
143200
- `timeout`: HTTP timeout in seconds for token requests and MCP calls. Default: `60.0`.
144201
- `fallback_token_ttl_seconds`: Used when the token response does not include expiry metadata. Default: `300.0`.
145202
- `token_expiry_buffer_seconds`: Safety buffer subtracted from explicit token expiries before a cached token is reused. Default: `30.0`.
146203
- `max_system_token_cache_size`: Maximum number of cached system tokens per client instance. Default: `32`.
147204
- `max_user_token_cache_size`: Maximum number of cached exchanged user tokens per client instance. Default: `256`.
205+
- `tls_mode`: `TlsMode.STANDARD` (default) or `TlsMode.TRANSPARENT`. Controls whether the agent performs mTLS directly or delegates it to the OpenShell Gateway. See [Transparent Mode](#customer-agent-flow--transparent-mode-gateway-injected-mtls) above.
148206

149207
The SDK keeps token caches per `AgentGatewayClient` instance and reuses valid cached tokens for repeated authentication calls. System and user token caches are bounded independently with least-recently-used eviction.
150208

0 commit comments

Comments
 (0)