KruxOS exposes 89 typed capabilities through an MCP gateway. Every call passes a deterministic policy gate. This guide teaches agents how to connect, discover tools, and work within policy boundaries.
Point your MCP client at the Agent Gateway on port 7700 (WebSocket transport):
Authenticate with your agent API key: Authorization: Bearer <64-char-hex>. Keys are issued via kruxos agent create or the AdminAgent wizard step.
Call tools/list to discover capabilities. Each tool has a typed input schema and returns structured JSON — never raw shell output. blocked capabilities are omitted from listings.
Every capability call is evaluated before execution. Respect the tier in the response:
| Tier | Behavior | Your action |
|---|---|---|
| autonomous | Executes immediately | Continue workflow |
| notify | Executes, operator notified | Continue workflow |
| approval_required | Queued on dashboard | Wait for operator approval |
| blocked | Denied with structured error | Do not retry — adjust approach |
| Endpoint | Port | Auth |
|---|---|---|
| MCP / Agent Gateway | 7700 | Agent API key (64-char hex Bearer) |
| Supervision WebSocket | 7701 | krx_user_* bearer or operator session |
| User API | 7703 | krx_user_* bearer (loopback) |
| Dashboard | 7800 | Operator passphrase (not for agents) |
See auth.md for credential provisioning details.