4Keyless SaaS End User Documentation

4Keyless secures AI agent access to protected systems through a managed SaaS platform. As an end user, you will use the Admin Panel to configure agents, systems, credentials, and policies, while your agents send traffic through the 4Keyless Proxy endpoint provided in your workspace.

⬇ CA Certificate — Download & Install

The 4Keyless proxy uses a CA certificate to perform HTTPS interception (MITM). You must install and trust this certificate on every machine or container that routes traffic through the proxy.

Download 4keyless-ca.crt

🪟 Windows

  1. Download the 4keyless-ca.crt file above.
  2. Double-click the file → click Install Certificate.
  3. Select Local Machine → Next.
  4. Select Place all certificates in the following store → Browse → Trusted Root Certification Authorities.
  5. Click Next → Finish. Accept the security warning.

Or via PowerShell (run as Administrator):

Import-Certificate -FilePath ".\4keyless-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root

🍎 macOS

  1. Download the 4keyless-ca.crt file above.
  2. Double-click the file → it opens Keychain Access.
  3. Add it to the System keychain.
  4. Find the certificate (4keyless.io), double-click it.
  5. Expand Trust → set When using this certificate to Always Trust.
  6. Close and authenticate with your macOS password.

Or via Terminal:

sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain 4keyless-ca.crt

🐧 Linux

Ubuntu / Debian:

sudo cp 4keyless-ca.crt /usr/local/share/ca-certificates/4keyless-ca.crt
sudo update-ca-certificates

Fedora / RHEL / CentOS:

sudo cp 4keyless-ca.crt /etc/pki/ca-trust/source/anchors/4keyless-ca.crt
sudo update-ca-trust

🐳 Docker

Add the certificate to your Dockerfile:

# Debian/Ubuntu-based images
COPY 4keyless-ca.crt /usr/local/share/ca-certificates/4keyless-ca.crt
RUN update-ca-certificates

# Alpine-based images
COPY 4keyless-ca.crt /usr/local/share/ca-certificates/4keyless-ca.crt
RUN apk add --no-cache ca-certificates && update-ca-certificates

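Or mount at runtime. The mount only places the file in the container; the trust bundle is rebuilt when update-ca-certificates runs inside the container, so the image must run it at startup: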

docker run -v "$(pwd)/4keyless-ca.crt:/usr/local/share/ca-certificates/4keyless-ca.crt" \
  --env HTTPS_PROXY=http://proxy.4keyless.io:8080 \
  your-image

⚙️ Node.js & Python

Some runtimes need explicit CA configuration:

# Node.js
export NODE_EXTRA_CA_CERTS=/path/to/4keyless-ca.crt

# Python (requests library)
export REQUESTS_CA_BUNDLE=/path/to/4keyless-ca.crt
# or, for Python code that relies on the standard ssl module's default context
export SSL_CERT_FILE=/path/to/4keyless-ca.crt
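
A CA trusted for HTTPS interception can vouch for any host, so it is worth confirming the downloaded file against a fingerprint obtained through a separate channel before installing it on any of the platforms above. The following is an added example, not 4Keyless code: this page publishes no fingerprint, so the expected value is an assumption you supply, the file is assumed to be PEM-encoded, and the embedded PEM is a constructed sample rather than a real certificate.

```python
import hashlib
import hmac
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed sample: arbitrary base64 between PEM markers. It is NOT a real
# certificate and NOT the 4Keyless CA; it only lets this file run offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Y29uc3RydWN0ZWQgc2FtcGxlIGJ5dGVzLCBub3QgYSByZWFsIGNlcnRpZmljYXRl\n"
    "-----END CERTIFICATE-----\n"
)


def sha256_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes, as lowercase hex (openssl's value minus colons)."""
    pem_text = pem_text.strip()
    # A root CA download should hold exactly one certificate; refuse bundles so an
    # extra, unreviewed certificate cannot ride along into the trust store.
    if pem_text.count(PEM_HEADER) != 1:
        raise ValueError("expected exactly one certificate in the file")
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Accept 'AB:CD:...' or plain hex and return 64 lowercase hex digits."""
    cleaned = value.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def matches_expected(pem_text: str, expected: str) -> bool:
    """True only if the file's fingerprint equals the out-of-band value."""
    return hmac.compare_digest(sha256_fingerprint(pem_text), normalize_fingerprint(expected))


if __name__ == "__main__":
    # Usage: python check_ca.py 4keyless-ca.crt <expected-sha256-fingerprint>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="ascii") as fh:
            ok = matches_expected(fh.read(), sys.argv[2])
        print("fingerprint matches" if ok else "MISMATCH: do not install")
        sys.exit(0 if ok else 1)
    print("sample fingerprint:", sha256_fingerprint(SAMPLE_PEM))
```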

2. Getting started (SaaS)

  1. Sign in to your 4Keyless workspace at your SaaS URL (example: https://app.4keyless.io).
  2. Complete MFA setup in Settings if prompted.
  3. Create your first Target System (REST API, Web App, GraphQL, Database, or MCP).
  4. Each system supports multiple domains (e.g., HTTP and HTTPS URLs).
  5. Create a Credential and link it to the target system.
  6. Create an AI Agent and securely store the generated agent key.

3. Connect your AI agent

In SaaS mode, 4Keyless provides a managed proxy endpoint for your workspace. Configure your agent to route outbound requests through that endpoint and include your agent key. Two authentication formats are supported:

# Format 1: 4Keyless header (programmatic)
HTTPS_PROXY=https://proxy.<your-workspace>.4keyless.io:443
Proxy-Authorization: 4Keyless <your-agent-key>

# Format 2: Basic auth (browser-compatible)
Proxy-Authorization: Basic base64(agent:<your-agent-key>)

You can rotate agent keys any time from Agents > Rotate Key. After rotation, update the key in your AI runtime immediately.
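
Both header formats above carry the same agent key, and the Basic form is only base64-encoded, so either header value has to be handled as the secret itself. The following is an added example, not 4Keyless code, that builds both values, recovers the key from either one, and redacts the header for logging; the function names and the sample key in the usage are hypothetical, and the exact-match handling of the `4Keyless` scheme name is an assumption of this example.

```python
import base64
import binascii

SCHEME_4KEYLESS = "4Keyless"   # Format 1 scheme, as written on this page
BASIC_USER = "agent"           # fixed username shown in Format 2 on this page


def header_4keyless(agent_key: str) -> str:
    """Format 1: the key follows the scheme name unchanged."""
    return f"{SCHEME_4KEYLESS} {agent_key}"


def header_basic(agent_key: str) -> str:
    """Format 2: base64 of 'agent:<key>'. This is an encoding, not encryption."""
    token = base64.b64encode(f"{BASIC_USER}:{agent_key}".encode("utf-8"))
    return f"Basic {token.decode('ascii')}"


def extract_agent_key(header_value: str) -> str:
    """Recover the agent key from either format; raise ValueError otherwise."""
    scheme, _, rest = header_value.strip().partition(" ")
    rest = rest.strip()
    if scheme == SCHEME_4KEYLESS and rest:
        return rest
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(rest, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("malformed Basic credentials") from exc
        # Split on the first colon only, so a key containing ':' survives.
        user, sep, key = decoded.partition(":")
        if sep and user == BASIC_USER and key:
            return key
    raise ValueError("unsupported Proxy-Authorization value")


def redact(header_value: str) -> str:
    """Value that is safe to write to logs: keep the scheme, drop the secret."""
    scheme, _, _ = header_value.strip().partition(" ")
    return f"{scheme} [REDACTED]"


if __name__ == "__main__":
    sample_key = "example-agent-key-123"  # constructed placeholder, not a real key
    for value in (header_4keyless(sample_key), header_basic(sample_key)):
        print(redact(value), "->", extract_agent_key(value) == sample_key)
```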

4. Configure policies

Policies define what each AI agent can do against each target system.

  • block: always deny access.
  • allow: allow access automatically.
  • ask: require human approval before forwarding the request.

Recommended default: start with block, then move selected flows to allow or ask.

5. MCP Gateway

The MCP Gateway allows AI agents to interact with upstream MCP (Model Context Protocol) servers through the same authentication, policy enforcement, and credential injection used by the HTTP proxy.

Registering an MCP system

  1. Go to Systems, create a new system, and select type MCP.
  2. Set the Transport (HTTP, SSE, or Stdio) and the Server URL (e.g., https://mcp.notion.com/mcp).
  3. Optionally link an Upstream Credential (Bearer token for the MCP server).
  4. Go to MCP Gateway in the left menu and click Sync to discover available tools.

Calling the MCP Gateway

# List available tools (GET — returns JSON)
curl "http://mcp-gateway.4keyless.io:8090/mcp?system=MyMCPSystem" \
  -H "Proxy-Authorization: 4Keyless <agent-key>"

# Send JSON-RPC request (POST)
curl -X POST "http://mcp-gateway.4keyless.io:8090/mcp?system=MyMCPSystem" \
  -H "Proxy-Authorization: 4Keyless <agent-key>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'

The ?system= parameter accepts either a UUID or the system name (case-insensitive). Policies are enforced per tool using the mcp_tool_name field in access policies.

6. Daily operations

Use these areas in the Admin Panel:

  • Dashboard: monitor recent activity and key metrics.
  • Logs: filter by agent, system, decision, and time window.
  • Notifications: review and respond to approval requests.
  • Scripts: manage script actions for custom request/response behavior.
  • MCP Gateway: manage MCP systems, sync tools, and monitor tool calls.
  • Settings: manage MFA and workspace-level preferences.

API Gateway for advanced users

If you automate provisioning, use the API Gateway endpoints under /api/v1 with your workspace JWT token.

  • POST /api/v1/auth/login and MFA endpoints for auth.
  • /api/v1/agents, /api/v1/systems, /api/v1/policies for provisioning.
  • /api/v1/logs for compliance and auditing workflows.

Standard response envelope: { data, meta?, error? }.

Typical SaaS onboarding flow

  1. Admin creates workspace users and enables MFA.
  2. Operator registers target systems (with domains and system type) and credentials.
  3. Operator creates AI agents and distributes keys securely.
  4. Security owner defines policies per agent-system pair.
  5. AI traffic is routed through the managed 4Keyless Proxy endpoint.
  6. Team monitors logs and notifications daily.

7. Security best practices (SaaS)

  • Enforce least privilege with roles (viewer, operator, admin, super_admin).
  • Rotate AI agent keys regularly or after any suspected leak.
  • Use block as default and grant allow selectively.
  • Keep high-risk systems behind ask with human approval.
  • Review audit logs and notifications as part of daily operations.