Getting started

Deploy Airlock inside your organization: Gateway, Host Enforcers, and Mobile Approver — all under your control. This guide covers the high-level rollout; your Airlock team provides environment-specific URLs, credentials, and distribution packages.

Enterprise deployment. Airlock is not a hosted consumer service. Gateway endpoints, identity, and mobile distribution are configured for your environment. Contact sales if you are evaluating Airlock for your organization.

1. Plan your deployment

A typical enterprise deployment includes:

  • Airlock Gateway — ciphertext relay and policy enforcement at https://<your-gateway-host>
  • Identity provider — OIDC realm for approvers and service accounts at https://<your-auth-host>/realms/<your-realm>
  • Host Enforcers — intercept AI agent actions on developer machines, CI runners, or automation hosts
  • Mobile Approver — organization-distributed app for human reviewers (MDM, internal app store, or signed builds)

2. Deploy the Gateway

Install and configure the Gateway in your infrastructure. Record the public base URL — all enforcers and SDK clients use https://<your-gateway-host> as gatewayUrl / baseUrl.

See the Developer Guide for authentication headers, client credentials, and API flow.

3. Configure Host Enforcers

Point each Host Enforcer at your Gateway URL and identity settings. Build custom enforcers with the Gateway SDK, or start from our open-source reference samples:

4. Distribute the Mobile Approver

Provision the Mobile Approver to authorized reviewers through your organization's mobile distribution channel (MDM, private app catalog, or signed enterprise builds). Reviewers sign in with credentials issued by your identity provider — not a public app-store account.

5. Pair workspaces

  1. On a Host Enforcer, start pairing (QR code or 6-character code, depending on the integration).
  2. In the Mobile Approver, open Workspace Pairings and scan the QR or enter the code.
  3. After pairing, the enforcer encrypts artifacts to the approver's public key; the approver signs decisions with Ed25519; the enforcer verifies locally before execution.

6. Validate end-to-end

  • Trigger a gated action from an enforcer or SDK client and confirm it appears on the Mobile Approver.
  • Exercise both the approve and reject paths and confirm that each enforces signature verification on the host.
  • Use Gateway SDK echo / health checks against https://<your-gateway-host> to verify connectivity.
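
The host-side check described in step 5.3 and exercised in step 6, as an added Go example that is not Airlock's own code. The decision layout, the `airlock-decision-v1` tag, and the names `Decision`, `Sign`, and `MayExecute` are assumptions, since this page does not show Airlock's wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Decision is an assumed wire format; this page does not show Airlock's real schema.
type Decision struct {
	RequestID, ArtifactHash, Verdict string // hash: hex SHA-256; verdict: "approve" or "reject"
	Signature                        []byte
}

var ErrBadSignature, ErrWrongTarget = errors.New("decision signature invalid"), errors.New("decision is for another request or artifact")

// signedBytes is the exact byte string the signature covers; %q keeps field boundaries unambiguous.
func signedBytes(d Decision) []byte {
	return []byte(fmt.Sprintf("airlock-decision-v1|%q|%q|%q", d.RequestID, d.ArtifactHash, d.Verdict))
}

// Sign stands in for the Mobile Approver: it signs a verdict bound to one request and artifact.
func Sign(priv ed25519.PrivateKey, requestID string, artifact []byte, verdict string) Decision {
	sum := sha256.Sum256(artifact)
	d := Decision{RequestID: requestID, ArtifactHash: hex.EncodeToString(sum[:]), Verdict: verdict}
	d.Signature = ed25519.Sign(priv, signedBytes(d))
	return d
}

// MayExecute is the enforcer-side gate: verify first, then bind to the pending request, then read the verdict.
func MayExecute(pub ed25519.PublicKey, d Decision, requestID string, artifact []byte) (bool, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signedBytes(d), d.Signature) {
		return false, ErrBadSignature
	}
	sum := sha256.Sum256(artifact)
	if d.RequestID != requestID || d.ArtifactHash != hex.EncodeToString(sum[:]) {
		return false, ErrWrongTarget
	}
	return d.Verdict == "approve", nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	art := []byte("git push origin release") // constructed sample artifact
	d := Sign(priv, "req-1", art, "reject")
	d.Verdict = "approve" // tampered after signing
	fmt.Println(MayExecute(pub, d, "req-1", art))
}
```

A signed reject returns `false` with no error, while a tampered or replayed decision returns an error, so validation logs can tell a reviewer's refusal apart from a verification failure.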