Agent identity patterns
How to connect AI agents and chatbots to Gateco for policy-enforced retrieval. Three integration patterns, with SDK examples for the two that are available today.
See also: Why your AI agent needs more than an IAM role — the narrative overview for architects and product teams.
Authentication vs. authorization
Two distinct security concerns operate at different points in every agent request. Conflating them leads to the classic failure mode: a bot that either leaks data across users or returns nothing useful to anyone.
| Concern | Question it answers | Example | Owned by |
|---|---|---|---|
| Authentication | Is this agent process trusted? | API key valid? IAM role attached? | Cloud IAM / API gateway |
| Authorization | What is this end user allowed to see? | Can customer #123 see invoice #8421? | Gateco policy engine |
IAM and Gateco are complementary, not overlapping:
| Concern | Handled by |
|---|---|
| Can this service account call the Gateco API at all? | IAM / network policy |
| What knowledge is this principal allowed to retrieve? | Gateco policy engine |
| Which chunks are filtered from the LLM context? | Gateco (late-binding) |
| Who retrieved what and when? | Gateco audit trail |
Three integration patterns
Choose the pattern that matches your channel and identity requirements.
Pattern 1 — Bot as its own principal
Available todayThe agent holds a Gateco Principal identity. Every retrieval runs as the bot. Best for public FAQ bots, anonymous assistants, or any deployment where user identity does not change what they are entitled to see.
# Python SDK
result = client.retrievals.execute(
connector_id="conn_abc",
principal_id="bot-service-principal-uuid", # ← service account UUID
query_vector=[...],
top_k=10,
)
// TypeScript SDK
const result = await client.retrievals.execute({
connectorId: "conn_abc",
principalId: "bot-service-principal-uuid",
queryVector: [...],
topK: 10,
});Setup: provision a service account in your IDP (Azure/Okta), sync it into Gateco, copy its principal UUID from the Principals page.
Pattern 2 — Delegated employee identity
Available todayThe agent forwards a real employee's identity per request. The policy engine runs against the employee's actual IDP-synced roles, groups, and department attributes. Best for internal copilots, employee-only Slack/WhatsApp/Teams bots.
# Python SDK — pass email; Gateco resolves to principal UUID
result = client.retrievals.execute(
connector_id="conn_abc",
principal_id=client.principals.resolve(email="alice@acmecorp.com").id,
query_vector=[...],
top_k=10,
)
# MCP server — email parameter passed directly; resolution is automatic
# gateco_retrieve(query="...", email="alice@acmecorp.com", connector_id="conn_abc")The MCP server's gateco_retrieve and gateco_ask tools accept an email parameter directly — no pre-resolution needed in the agent runtime. Identity must already be synced from your IDP; resolve() returns 404 for unknown addresses.
Pattern 3 — External user authorization
RoadmapThe agent forwards an external user's identity — a WhatsApp customer, a mobile app user, a partner contact — as a federated subject with inline attributes. No corporate directory entry required.
# Planned API shape (not yet available)
result = client.retrievals.execute(
connector_id="conn_abc",
external_subject={
"channel": "whatsapp",
"subject_id": "+1-555-0142",
"attributes": { "tenant_id": "customer_123" },
},
query_vector=[...],
top_k=10,
)Until this ships, the two workable interim approaches are: provision external users via SCIM as guest accounts (operationally expensive but functional), or pre-segment by tenant with one bot principal per customer cohort and narrow policies.
Identity resolution
For Pattern 2, the agent resolves an employee to a Gateco Principal UUID before calling retrievals.execute(). The POST /api/principals/resolve endpoint accepts either email or provider_subject and returns the active principal for that identity.
- →Returns 404 for unknown or inactive identities — never creates a principal. IDP sync must have run first.
- →Resolution is read-only. Treat 404 as “user not in IDP yet” — surface a clear error in the agent rather than falling back to a default principal.
- →The MCP server resolves automatically when you pass
email— no explicit resolve call needed in the agent runtime.
Policy conditions for agent flows
Gateco policies evaluate three condition namespaces. For agent deployments, the most useful principal-side conditions are:
principal.roles
Roles from your IDP (e.g. "engineering", "hr-admin"). Use for RBAC rules.
principal.groups
Group memberships synced from your IDP. Useful for team- or squad-scoped access.
principal.attributes.<key>
Any attribute from IDP sync or SCIM provisioning — department, cost_center, clearance_level, tenant_id, etc.
Resource-side conditions reference the metadata bound to your vectors: resource.classification, resource.sensitivity, resource.domain, resource.labels, and resource.encryption_mode. Always use the resource. prefix — bare field names resolve against the principal, not the resource.
For multi-tenant isolation, a typical policy condition is: principal.attributes.tenant_id == resource.labels.tenant_id. This ensures every retrieval, regardless of which agent issued it, only returns results belonging to the requesting user's tenant.
Audit trail for agent retrievals
Every retrieval is recorded as a SecuredRetrieval event with full context:
principal_idandprincipal_namesnapshot — who was resolved at retrieval timeconnector_idandconnector_namequery— the search query textoutcome— allowed / partial / deniedpolicy_trace— full decision trace including which policy rules fired and whysearch_mode— vector / keyword / hybrid / greplatency_msandtimestamp
For agent deployments, the audit trail answers the question “which user, via which bot, retrieved which data, under which policy?” — the data your compliance and incident-response teams will eventually ask for. It is written automatically; no additional configuration is required.
Roadmap: Pattern 3 — external user authorization
The planned extension adds a federated external principal type to Gateco's identity model. The agent passes an external_subject object per request — channel, subject identifier, and inline attributes — without requiring a corporate directory entry. No SCIM provisioning loop. No guest account lifecycle.
Three sub-patterns are planned in order of implementation priority:
- Ephemeral subjects — inline attributes per request, no database row. Cheapest; no identity lifecycle to manage.
- Signed assertions — agent passes a JWT signed by a trusted issuer (e.g., your app's auth layer); Gateco validates and lifts claims into the retrieval principal.
- Persisted external principals — same model as today's
Principalbut withkind="external"and nullable IDP. Best for long-lived audit on specific customer subjects.
If you are building a customer-facing chatbot and need this feature, reach out via the contact page — design partner input shapes the priority and implementation details.