You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
### Customer Agent Flow — Standard Mode (file-based mTLS)
18
18
19
-
Customer agents use file-based credentials with mTLS authentication. MCP servers are read from `integrationDependencies` in the credentials file.
19
+
Customer agents use file-based credentials with mTLS authentication. The SDK reads the credentials file from the path in `AGW_CREDENTIALS_PATH`, or falls back to the default Kyma mount path `/etc/ums/credentials/credentials`. MCP servers are read from `integrationDependencies` in the credentials file.
20
20
21
21
```python
22
22
from sap_cloud_sdk.agentgateway import create_client
@@ -38,9 +38,55 @@ result = await agw_client.call_mcp_tool(
In transparent mode the OpenShell Gateway intercepts HTTPS connections and injects the mTLS client certificate at the TLS layer. The agent never loads certificate or private key material — only the service endpoint URLs need to be visible to the agent process.
46
+
47
+
Set `AGW_TLS_MODE=transparent` and provide the required environment variables:
result =await client.call_mcp_tool(tool=tools[0], user_token="user-jwt", cost_center="1000")
42
72
```
43
73
74
+
**When to use transparent mode:**
75
+
76
+
- The agent runs inside an OpenShell Gateway sandbox with a `PolicyClass` configured for `tls: terminate` and `credentialRewrite: requestBody: true` on the IAS endpoint.
77
+
- You want to eliminate TLS certificates and private keys from the agent process memory and filesystem entirely.
78
+
- Credential rotation without pod restarts is required (secrets are updated in the gateway, not the agent).
79
+
80
+
**Credential visibility comparison:**
81
+
82
+
| Credential | Standard mode | Transparent mode |
83
+
|---|---|---|
84
+
|`CLIENT_ID`| In credentials file | In env var (gateway resolves placeholder) |
85
+
|`CERTIFICATE`| In credentials file + SSLContext | Never in agent — gateway-injected |
86
+
|`PRIVATE_KEY`| In credentials file + SSLContext | Never in agent — gateway-injected |
87
+
|`TOKEN_SERVICE_URL`| In credentials file | In env var |
88
+
|`GATEWAY_URL`| In credentials file | In env var |
89
+
44
90
### LoB Agent Flow
45
91
46
92
LoB agents use BTP Destination Service for credential management. Tools are auto-discovered from destination fragments.
@@ -103,9 +149,11 @@ mcp_tool_to_langchain(
103
149
### Agent Types
104
150
105
151
-**LoB (Line of Business) Agent**: Uses BTP Destination Service for credentials. Requires `tenant_subdomain`. Tools are auto-discovered from destination fragments.
106
-
-**Customer Agent**: Uses file-based credentials mounted on the pod filesystem with mTLS authentication. MCP servers are defined in the credentials file's `integrationDependencies`.
152
+
-**Customer Agent**: Uses credentials for mTLS authentication against IAS. MCP servers are defined in `integrationDependencies`. Supports two sub-modes:
153
+
-**Standard mode** (default): credentials are read from a file mounted on the pod filesystem. The agent loads the certificate and private key into an `ssl.SSLContext` and performs the mTLS handshake directly.
154
+
-**Transparent mode** (`AGW_TLS_MODE=transparent`): the OpenShell Gateway intercepts HTTPS connections and injects the client certificate at the TLS layer. The agent reads only endpoint URLs from environment variables and never accesses certificate or private key material.
107
155
108
-
The SDK automatically detects the agent type based on the presence of a credentials file.
156
+
The SDK automatically selects the agent type and TLS mode based on credential file presence and the `AGW_TLS_MODE` environment variable.
109
157
110
158
111
159
## API
@@ -124,27 +172,37 @@ def create_client(
124
172
125
173
### ClientConfig
126
174
127
-
Use `ClientConfig` to tune request timeoutsandtoken cache behaviorfor a client instance.
175
+
Use `ClientConfig` to tune request timeouts, token cache behaviour, andTLS modefor a client instance.
128
176
129
177
```python
130
178
from sap_cloud_sdk.agentgateway import ClientConfig, create_client
179
+
from sap_cloud_sdk.agentgateway.config import TlsMode
131
180
132
181
config = ClientConfig(
133
182
timeout=30.0,
134
183
fallback_token_ttl_seconds=300.0,
135
184
token_expiry_buffer_seconds=30.0,
136
185
max_system_token_cache_size=32,
137
186
max_user_token_cache_size=256,
187
+
tls_mode=TlsMode.STANDARD, # or TlsMode.TRANSPARENT
Use `ClientConfig.from_env()` to resolve `tls_mode` automatically from the `AGW_TLS_MODE` environment variable:
194
+
195
+
```python
196
+
config = ClientConfig.from_env() # reads AGW_TLS_MODE; defaults to STANDARD
197
+
agw_client = create_client(config=config)
198
+
```
199
+
143
200
-`timeout`: HTTP timeout in seconds for token requests andMCP calls. Default: `60.0`.
144
201
-`fallback_token_ttl_seconds`: Used when the token response does not include expiry metadata. Default: `300.0`.
145
202
-`token_expiry_buffer_seconds`: Safety buffer subtracted from explicit token expiries before a cached token is reused. Default: `30.0`.
146
203
-`max_system_token_cache_size`: Maximum number of cached system tokens per client instance. Default: `32`.
147
204
-`max_user_token_cache_size`: Maximum number of cached exchanged user tokens per client instance. Default: `256`.
205
+
-`tls_mode`: `TlsMode.STANDARD` (default) or`TlsMode.TRANSPARENT`. Controls whether the agent performs mTLS directly or delegates it to the OpenShell Gateway. See [Transparent Mode](#customer-agent-flow--transparent-mode-gateway-injected-mtls) above.
148
206
149
207
The SDK keeps token caches per `AgentGatewayClient` instance and reuses valid cached tokens for repeated authentication calls. System and user token caches are bounded independently with least-recently-used eviction.
0 commit comments