Akeyless Agentic Runtime Authority Setup Guide
Agentic Runtime Authority complements a Claude Compliance API integration by providing runtime authorization, just-in-time access, and policy enforcement for AI agent actions.
Step-by-Step Setup Guide
Prerequisites
Before beginning, ensure you have the following:
- Claude Desktop installed
- An Identity Provider with OIDC configured (other auth options can be found here)
- Docker installed on your machine (for Gateway installation)
- A running MySQL Docker Container (or any other MySQL deployment)
- A Gemini or OpenAI API Key
1. Create a new Akeyless account
To start, create a new Akeyless account using our email address and a password.
- Go to console.akeyless.io/registration.
- Choose the email option.
- Enter your email address and click the “Let’s Get Started” button.
Check your email inbox for an email from Akeyless and click on the “Activate your account” button. You will be brought back to your web browser and be asked to create a password and add a few more details.
Once done, you will now have access to your Akeyless account and you are the admin of this account.
Enable AI Insights
Inside the Akeyless account:
- Go to the Account Settings page (by clicking on the initial in the top-right corner).
- Click on the “Account Settings” option.
- Scroll to the bottom of the page and toggle on the AI Insights feature.
2. Deploy the Akeyless Gateway
Next, deploy the Akeyless Gateway. This gateway is crucial to the Runtime Authority as the gateway is where all prompts will be checked before being sent to the LLM and all the output data from the LLM will be checked before being delivered back to the user.
Install CLI
To deploy the gateway, first install the Akeyless CLI (we use MacOS for this demo).
- Open your terminal and install the CLI with the relevant commands for your operating system. You can find all installation options in the docs.
curl -o akeyless https://akeyless-cli.s3.us-east-2.amazonaws.com/cli/latest/cli-darwin-arm64
chmod +x akeyless
./akeyless
- When you run the last command, you will be asked to enter an Akeyless URL; Click Enter.
- You will then be asked if you want to create a profile for your account. Type ‘Y’ + Enter.
- Type “6” and hit enter
- Enter the email address and password that you used for the initial account setup.
- Lastly, answer ‘Y’ to any questions asked and run any other commands to complete the install if asked.
- Once done, your default Akeyless profile will be configured and any interaction with your Akeyless account will use this profile’s credentials.
To confirm your credentials were entered correctly, type in the command akeyless list-items and you should see some output. If you do, you are ready to continue.
Deploy Gateway on Docker
The next step is to install the actual gateway on Docker, which we will do with a simple command. Ensure Docker is installed on the machine and run the following command in the terminal. For security, pass the email and password as environment variables in the terminal:
docker run -d \
-p 8000:8000 \
-p 5696:5696 \
--name akeyless-gw \
-e ADMIN_ACCESS_ID=”email”
-e ADMIN_PASSWORD=”pass”
akeyless/gateway:latest
Log into the Gateway
This command will create a new Docker container with the Akeyless Gateway installed. Once installed, go back to the Akeyless account and click the Gateways tab to see your Gateway running.
3. Create Auth Method and Access Role
In order for the agent to authenticate to the Gateway, we need an Authentication Method. We are using the OIDC protocol (with Microsoft’s Entra ID) which will authenticate the agent on behalf of a human user who will be using Claude to query the database. The agent’s access is then tied to the real person who triggered it through the existing IdP with the same multi-factor authentication (MFA) and group policies your organization might already enforce.
Create the OIDC Auth Method
- From the Akeyless account web console, go to Users & Auth Methods in the left-side menu and click the “New” button.
- Choose OIDC and click “Next”.
- Give it a name (e.g. rta-auth) and location (e.g. /rta). This will create a new folder called rta with the Auth Method inside.
- Click “Next” and add the Issuer URL, Client ID, and Client Secret as well as the Unique Identifier. In this case, our unique identifier is “groups”.
- Click “Finish” and you now have the Authentication Method created.
Create the Access Role
Now that we have an authentication method for our agent, we will give it the permissions it needs to access resources in Akeyless. In this example, we will create a specific role just for the agent. It will NOT have any access to read secrets in the account.
To do this:
- Click on Access Roles in the left-side menu and then the “New” button.
- Give it a name (e.g. rta-role) and location (e.g. /rta) and click “Next”. This will create a new folder called rta with the Access Role inside.
- Click the “Associate” button and we choose the authentication method we created from the dropdown.
- Add the groups sub-claim with the group ID from your IdP (e.g. Microsoft Entra ID) and click “Add”. Click “Next”.
On the next screen, add the rules for this access role. :
- Click “Add” and in the Type dropdown choose Agentic Runtime Authority.
- In the Access Path field, choose the folder where the database secret will be held. In our case, it will be /rta as our Dynamic Secret will later be created inside that folder.
- For Permissions choose Allow Access and then click “Add” and then “Next”. Click “Next” and “Next” to skip the following pages and then “Finish”.
4. Create a Dynamic Secret for our MySQL Database and Add Guardrail Policies
Next, you’ll need a Target for your database access. Targets hold privileged login credentials for the resources being accessed and are connected to the Dynamic Secret.
Create the MySQL Target
To create it:
- Go to Targets in the left-side menu and click “New”.
- Choose MySQL and click “Next”.
- Give it a name (e.g. rta-target-mysql) and location (e.g. /rta) and click “Next”. This will create a new folder called rta with the Target inside.
- Below are the details of our Docker-based MySQL database for this example. Replace them with your own running MySQL deployment:
- Add the DB username: root
- Add the DB password: my-super-secret
- Add the hostname: host.docker.internal
- Add the port: 3306
- Add the DB name: my-db
- Click “Finish”.
Note: See our docs for using other database and application targets. To install a test MySQL database on Docker, see the Appendix instructions at the end of this document..
Create the MySQL Dynamic Secret
Create a Dynamic Secret that will be used along with the Target to connect to the MySQL database and fetch just-in-time, ephemeral login credentials for this database.
To create the Dynamic Secret:
- Go to Items in the left-side menu.
- Click “New” and choose “Dynamic Secret”, then “MySQL” and click “Next”.
- Add a name (e.g. rta-ds) and location (e.g. /rta). This will create a new folder called rta with the Dynamic Secret inside.
- Find the Choose an Existing Target dropdown and pick the Target you created from the dropdown.
- Scroll down in the same screen to the Gateway field and choose defaultCluster from the dropdown, then click “Finish”.
Runtime Authority Guardrails Configuration
Next, set the rules for what the LLM can access inside the database:
- Click on the Dynamic Secret we just created and the details open on the right-hand side.
- Click on the Agentic Runtime Authority tab and toggle it on to enable.
- Add some Input Rules in plain English such as a rule to give the agent read-only access to the database and a rule to block its access to the salary column. And add an Output Rule to ensure email addresses are masked when given in the Claude output.
Here are some examples of input and output rules that will be tested later:
| Rule Type | Name | Rule |
|---|---|---|
| Input | read-only | Only allow read-only statements such as SELECT and SHOW. |
| Input | salary | Do not let the agent query salary or payroll columns. |
| Output | email-masking | Mask all email address output. |
5. Connect Akeyless MCP to Claude
Now you have a gateway, an authentication method, and an access role for the agent. You also have the database with a dynamic secret and target which will enable the LLM to connect to the database without handling any secrets. Now, configure the LLM side.
Create an LLM Target
Create a new Target for the LLM inside the Akeyless account. We currently offer Gemini and OpenAI options. This Target gives the Gateway something to call when it needs to classify a request’s intent and evaluate your input and output rules.
Make sure you have your Gemini/OpenAI API key before continuing:
- Go to Targets in the left-side menu.
- Click “New” and choose “Gemini” and click “Next”.
- Add name (e.g. gemini-target) and location (e.g. /).
- Click “Next”, add your API key and click “Finish”.
Enable AI Insights and add LLM Model
Next, enable the AI Insights feature in the Gateway:
- Go to Gateways in the left-side menu.
- Click defaultCluster, then the “Manage Gateway” button.
- Click on AI Insights and then toggle on the AI Insights option to enable it.
- Add the Gemini Target from the dropdown and choose the Model (gemini-3.5-flash), then click “Save”.
Go to the left-side menu and click the Agentic Runtime Authority link under the Products section and you’ll see the Agentic Runtime Authority dashboard. This is where we will see our logs and traceability of all the Agentic Runtime Authority actions. We will come back to this after running prompts in Claude.
Connect The Akeyless MCP Server to Claude
Next, connect the Akeyless MCP to Claude Desktop.Make sure you first have Claude Desktop installed:
- Open Claude Desktop, click your name at the bottom-left and choose Settings.
- Click Developer, then the “Edit Config” button.
- This will open the Claude folder on your computer and you will see the claude_desktop_config.json file. Edit it with an editor and add the following block at the top:
{
"mcpServers": {
"akeyless-connector": {
"command": "akeyless",
"args": [
"mcp-runtime-authority",
"--gateway-url", "http://localhost:8000",
"--profile", "default"
]
}
}
}
The final file should look something like this:
{
"mcpServers": {
"akeyless-connector": {
"command": "akeyless",
"args": [
"mcp-runtime-authority",
"--gateway-url", "https://gateway.example.company.com/",
"--profile", "default"
]
}
},
"preferences": {
"coworkHipaaRestricted": false,
"coworkWebSearchEnabled": true,
"remoteToolsDeviceName": "akeyless",
"coworkModelAutoFallbackByAccount": {
"4e4f6307-xxxxxxx-xxxxxxxxx": true
},
"epitaxyPrefs": {
"desktop-frame.paneStore.v1": {
"state": {
"extraPanesByMode": {},
"colWeightsByMode": {},
"rowSplit": 0.5,
"draftNonce": 0
},
"version": 4
},
"ccd-sessions-filter": {
"state": {
"selectedProjects": []
},
"version": 0
}
},
"coworkScheduledTasksEnabled": false,
"ccdScheduledTasksEnabled": false,
"bypassPermissionsGateByAccount": {
"4e4f6307-xxxxxxx-xxxxxxxxx": false
}
},
"coworkUserFilesPath": "/Users/username/Claude"
}
- Save the file and close Claude Desktop.
Configure OIDC Profile in the Terminal
Ensure that the default profile in the CLI is set to the OIDC authentication method:
- Go to Users & Auth Methods in the Akeyless account, find your OIDC Authentication Method and copy the ID.
- Go to the terminal and run the akeyless configure command:
akeyless configure --access-type oidc --access-id <your-access-id>
- Then run the akeyless auth command to authenticate:
akeyless auth –-profile default
- The browser will open to your IdP to authenticate.
- Once authentication is successful, you will see a success screen.
6. Use Claude to Prompt the Database for Sensitive Data
Now you are ready to prompt Claude and check that the input/output policies you set are being enforced.
Open Claude Desktop again and do the following:
- Ask Claude to show us everything it has access to inside Akeyless:
What resources do you have access to in Akeyless?
NOTE: Claude may open your browser in order to authenticate to your IdP again.
- When it gives us output, you’ll see it says it only has access to the MySQL database secret in the Akeyless account.
- Now ask it to show us all the data inside the MySQL employees table:
Show me all the data in the employees table in the MySQL database.
- The Agentic Runtime Authority instantly intercepts the request at runtime, forcing the LLM to comply with our guardrails, and defining what it has access to in the table as well as how the output looks. It therefore will only output partial data from the database that it is allowed to access.
Next, give it full access to the database:
- Go back to the Akeyless account in the Agentic Runtime Authority section of the Dynamic Secret.
- Click the three dots next to the salary rule and then “delete”.
- Go back to Claude and prompt for all the data in the table:
The salary restriction has been removed. Show me all the data again.
It now gives us the complete output of the database still holding the output rule for email masking.
Logging and Traceability
Check the logs of the Agentic Runtime Authority:
- In the Akeyless account, click on the Agentic Runtime Authority link in the left-side menu again in the Products section.
- In the dashboard, click the three dots of one of the actions, and then Forensic Traceability.
We see a request for this session that was blocked and then other requests that were approved, as well as the actual database queries from the LLM.
This is essential to ensuring policy controls for secure agent execution.
Appendix – Docker-based MySQL Database Setup
In case you need to create a database for testing out Akeyless Agentic Runtime Authority, use the following instructions:
Database
You can quickly spin up a Docker MySQL instance with test data as follows:
- Create a file called init.sql with the following:
CREATE TABLE IF NOT EXISTS employees (
id INT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(100),
salary INT,
email VARCHAR(150)
);
INSERT INTO employees (name, salary, email) VALUES
('Alice Smith', 95000, '[email protected]'),
('Bob Jones', 110000, '[email protected]'),
('Charlie Brown', 65000, '[email protected]');
- Run the following command from the Terminal in the path you saved the init.sql file:
docker run -d --name mysql-test-db \
-p 3306:3306 \
-e MYSQL_ROOT_PASSWORD=my-super-secret \
-e MYSQL_DATABASE=my-db \
-v "$(pwd)/init.sql:/docker-entrypoint-initdb.d/init.sql" \
mysql:latest