# secure-agent

Secure an agent by applying a policy from the catalog. Handles multiple starting points: from an existing API Manager instance, from an agent asset in Exchange, or from scratch by publishing the agent first. Use when the user wants to secure an agent, add rate limiting, apply OAuth2, enforce IP allowlisting, or protect any agent with a policy — regardless of where they are in the setup process.

- **APIs:** [access-management](https://dev-portal.mulesoft.com/apis/access-management.md), [api-manager](https://dev-portal.mulesoft.com/apis/api-manager.md), [exchange-experience](https://dev-portal.mulesoft.com/apis/exchange-experience.md), [proxies-xapi](https://dev-portal.mulesoft.com/apis/proxies-xapi.md)
- **Skill Source:** [SKILL.md](https://dev-portal.mulesoft.com/skills/secure-agent/SKILL.md)

## Steps

### Step 1: Publish Agent to Exchange

**API:** `urn:api:exchange-experience`

**Operation:** `createAssets`

**Inputs:**

- `organizationId` — Your organization's Business Group GUID
- `groupId` — The group ID for the asset (typically matches your organization ID)
- `assetId` — A unique identifier for the asset in kebab-case
- `version` — Semantic version for the asset

**Outputs:**

- `groupId` (`$.groupId`) — The group ID of the published asset
- `assetId` (`$.assetId`) — The asset ID of the published asset
- `assetVersion` (`$.version`) — The version of the published asset

### Step 2: Find Agent in Exchange

**API:** `urn:api:exchange-experience`

**Operation:** `getAssetsSearch`

**Inputs:**

- `types` — Filter for agent assets only

**Outputs:**

- `groupId` (`$[*].groupId`) — Group ID of the selected agent asset
- `assetId` (`$[*].assetId`) — Asset ID of the selected agent asset
- `assetVersion` (`$[*].version`) — Version of the selected agent asset

### Step 3: List Environments

**API:** `urn:api:access-management`

**Operation:** `listEnvironments`

**Inputs:**

- `organizationId` — Organization ID from Prerequisites

**Outputs:**

- `environmentId` (`$.data[*].id`) — Selected environment ID (e.g., Production, Sandbox)

### Step 4: Select Deployment Target

**API:** `urn:api:api-portal-xapi`

**Operation:** `getGatewayTargets`

**Inputs:**

- `organizationId` — Organization ID
- `environmentId` — Environment ID from Step 3

**Outputs:**

- `targetId` (`$.rows[*].id`) — Selected gateway target ID
- `targetName` (`$.rows[*].name`) — Name of the selected gateway target
- `gatewayVersion` (``) — Gateway version to use for deployment. The targets response may return "-" instead of a real version; use "1.0.0" as the default.

### Step 5: Create API Manager Instance

**API:** `urn:api:api-manager`

**Operation:** `createOrganizationsEnvironmentsApis`

**Inputs:**

- `organizationId` — Your organization's Business Group GUID
- `environmentId` — Target environment ID from Step 3
- `groupId` — Exchange asset group ID from Step 2
- `assetId` — Exchange asset ID from Step 2
- `assetVersion` — Exchange asset version from Step 2
- `instanceLabel` — A human-readable label for this API instance (e.g., "my-agent-v1")
- `technology` — Gateway technology — this skill targets Omni Gateway deployments
- `endpoint.isCloudHub` — Must be null for flexGateway technology (not false — false causes a validation error)
- `endpoint.proxyUri` — The proxy listener URI. Ask the user which port the Omni Gateway should listen on, then use `http://0.0.0.0:<port>/`
- `endpoint.uri` — The upstream backend URL for the agent. Ask the user if they want to provide it now or configure it later.

**Outputs:**

- `environmentApiId` (`$.id`) — The API instance ID in API Manager

### Step 6: Deploy to Omni Gateway

**API:** `urn:api:proxies-xapi`

**Operation:** `createOrganizationsByOrganizationidEnvironmentsByEnvironmentidApisByEnvironmentapiidDeployments`

**Inputs:**

- `organizationId` — Organization ID
- `environmentId` — Environment ID from Step 3 (used in both the URL path and the request body for HY deployment type)
- `environmentApiId` — API instance ID from Step 5
- `type` — Deployment type for self-managed Omni Gateway (HY = Hybrid)
- `targetId` — Omni Gateway target ID from Step 4
- `targetName` — Omni Gateway target name from Step 4
- `gatewayVersion` — Gateway version for deployment. Use "1.0.0" as the default.
- `overwrite` — Whether to overwrite an existing deployment

**Outputs:**

- `deploymentId` (`$.id`) — The ID of the proxy deployment

### Step 7: List Agent Instances

**API:** `urn:api:api-manager`

**Operation:** `listOrganizationsEnvironmentsApis`

**Inputs:**

- `organizationId` — Organization ID
- `environmentId` — Environment ID from Step 3
- `family` — Filter for agent (agentic) instances only

**Outputs:**

- `environmentApiId` (`$.assets[*].apis[*].id`) — The agent instance ID in API Manager

### Step 8: Browse Exchange Policy Catalog

**API:** `urn:api:api-portal-xapi`

**Operation:** `getExchangePolicyTemplates`

**Inputs:**

- `organizationId` — Organization ID
- `apiInstanceId` — API instance ID from Step 5 or Step 7 (filters for compatible templates)
- `environmentId` — Environment ID from Step 3
- `latest` — Return only the latest version of each template
- `includeConfiguration` — Include the configuration schema for each template

**Outputs:**

- `policyGroupId` (`$[*].groupId`) — Exchange group ID of the selected policy template
- `policyAssetId` (`$[*].assetId`) — Exchange asset ID of the selected policy template
- `policyAssetVersion` (`$[*].version`) — Exchange version of the selected policy template (gateway-compatible)
- `policyConfiguration` (`$[*].configuration`) — Configuration schema with gateway-compatible property names and defaults

### Step 9: Apply Policy to Instance

**API:** `urn:api:api-manager`

**Operation:** `createOrganizationsEnvironmentsApisPolicies`

**Inputs:**

- `organizationId` — Organization ID
- `environmentId` — Environment ID from Step 3
- `environmentApiId` — API instance ID from Step 5 or Step 7 (or provided manually)
- `groupId` — Policy Exchange group ID from Step 8
- `assetId` — Policy Exchange asset ID from Step 8
- `assetVersion` — Policy Exchange version from Step 8

**Outputs:**

- `policyId` (`$.id`) — The ID of the applied policy instance
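
Steps 4 to 6 carry three input rules that are easy to get wrong: the "-" gateway version, the null `endpoint.isCloudHub`, and `environmentId` appearing in both the path and the body. The sketch below is an added example, not code from the skill or from MuleSoft; it assembles those inputs under the names this page lists. The function names, the path/body grouping in Step 6, and the sample values are assumptions of the example, and no HTTP call is made.

```python
import json
from urllib.parse import urlsplit

DEFAULT_GATEWAY_VERSION = "1.0.0"  # default stated in Steps 4 and 6

def normalize_gateway_version(raw):
    """Step 4: the targets response may carry "-" instead of a real version."""
    raw = (raw or "").strip()
    return DEFAULT_GATEWAY_VERSION if raw in ("", "-") else raw

def build_instance_inputs(org_id, env_id, asset, label, port, upstream_uri=None):
    """Step 5 inputs, keyed by the input names this page lists."""
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"listener port out of range: {port!r}")
    endpoint = {
        "isCloudHub": None,  # serialises to JSON null; False fails validation
        "proxyUri": f"http://0.0.0.0:{port}/",
    }
    if upstream_uri is not None:  # the backend may be configured later
        parts = urlsplit(upstream_uri)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"upstream must be an http(s) URL: {upstream_uri!r}")
        endpoint["uri"] = upstream_uri
    return {"organizationId": org_id, "environmentId": env_id,
            "groupId": asset["groupId"], "assetId": asset["assetId"],
            "assetVersion": asset["assetVersion"], "instanceLabel": label,
            "technology": "flexGateway", "endpoint": endpoint}

def build_deployment_inputs(org_id, env_id, api_id, target_id, target_name,
                            raw_version, overwrite=False):
    """Step 6 inputs; the path/body split is an assumption of this example."""
    return {
        "path": {"organizationId": org_id, "environmentId": env_id,
                 "environmentApiId": api_id},
        "body": {"type": "HY",
                 "environmentId": env_id,  # repeated in the body for HY
                 "targetId": target_id, "targetName": target_name,
                 "gatewayVersion": normalize_gateway_version(raw_version),
                 "overwrite": overwrite},
    }

if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    asset = {"groupId": "org-guid", "assetId": "my-agent", "assetVersion": "1.0.0"}
    print(json.dumps(build_instance_inputs("org-guid", "env-id", asset,
                                           "my-agent-v1", 8081), indent=2))
    print(json.dumps(build_deployment_inputs("org-guid", "env-id", 123,
                                             "target-id", "my-gateway", "-")))
```
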