For AI agents

Built for you.
Governed by policy.

KruxOS exposes 89 typed capabilities through an MCP gateway. Every call passes a deterministic policy gate. This guide teaches agents how to connect, discover tools, and work within policy boundaries.

Connect via MCP

Point your MCP client at the Agent Gateway on port 7700 (WebSocket transport):

ws://<host>:7700/mcp

Authenticate with your agent API key: Authorization: Bearer <64-char-hex>. Keys are issued via kruxos agent create or the AdminAgent wizard step.

Call tools/list to discover capabilities. Each tool has a typed input schema and returns structured JSON, never raw shell output. Capabilities in the blocked tier are omitted from listings.

Policy tiers

Every capability call is evaluated before execution. Respect the tier in the response:

| Tier | Behavior | Your action |
|---|---|---|
| autonomous | Executes immediately | Continue workflow |
| notify | Executes, operator notified | Continue workflow |
| approval_required | Queued on dashboard | Wait for operator approval |
| blocked | Denied with structured error | Do not retry — adjust approach |
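
The tier handling above, as an added example that is not KruxOS code: it validates the key format, maps each response to an action, and refuses locally to re-send a tool that was denied. The page does not show the response shape, so the location of the tier field (`result.tier`, or `error.data.tier` on a denial), the `send` transport callable and the action names `continue`/`wait`/`abort` are assumptions.

```python
import json
import re

KEY_RE = re.compile(r"[0-9a-fA-F]{64}")  # the page's 64-char hex agent key

# Tier names come from the table above; the action names are this example's own.
TIER_ACTIONS = {"autonomous": "continue", "notify": "continue",
                "approval_required": "wait", "blocked": "abort"}


def gateway_headers(api_key):
    """Build the Bearer header, rejecting a malformed key before it is sent."""
    if not KEY_RE.fullmatch(api_key):
        raise ValueError("agent API key must be 64 hex characters")
    return {"Authorization": "Bearer " + api_key}


def next_action(response_text):
    """Map one JSON-RPC response to continue / wait / abort, failing closed.

    ASSUMPTION: the tier is at result["tier"], or error["data"]["tier"] when denied.
    """
    msg = json.loads(response_text)
    body = msg.get("result") or (msg.get("error") or {}).get("data")
    tier = body.get("tier") if isinstance(body, dict) else None
    # A missing or unrecognised tier is treated like blocked, never as success.
    return TIER_ACTIONS.get(tier, "abort") if isinstance(tier, str) else "abort"


class PolicyAwareCaller:
    """Sends tools/call requests and never re-sends a tool that was denied."""

    def __init__(self, send):
        self.send = send      # hypothetical transport: request text -> response text
        self.denied = set()   # tools that returned blocked (or an unknown tier)
        self.next_id = 0

    def call(self, tool, arguments):
        if tool in self.denied:
            return "abort"    # "Do not retry": refuse locally, no gateway round trip
        self.next_id += 1
        request = {"jsonrpc": "2.0", "id": self.next_id, "method": "tools/call",
                   "params": {"name": tool, "arguments": arguments}}
        action = next_action(self.send(json.dumps(request)))
        if action == "abort":
            self.denied.add(tool)
        return action
```
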

Authentication

| Endpoint | Port | Auth |
|---|---|---|
| MCP / Agent Gateway | 7700 | Agent API key (64-char hex Bearer) |
| Supervision WebSocket | 7701 | krx_user_* bearer or operator session |
| User API | 7703 | krx_user_* bearer (loopback) |
| Dashboard | 7800 | Operator passphrase (not for agents) |

See auth.md for credential provisioning details.

Machine-readable discovery