Onboarding guide
Onboarding configures the Agent Router management plane: organization details, single sign-on (SSO), LLM providers, and the credentials used later to install the data plane. The data plane install runs separately, covered by the data plane installation guides.
How the wizard works
Onboarding is a 5-step wizard that launches automatically the first time you sign in to the Agent Router Management Plane Dashboard. You don't navigate to a separate URL; the wizard appears on first login.
Each step has Next and Previous controls. Next becomes enabled once the required fields on the current step are filled. You can return to any earlier step with Previous to review or change a value.
The five steps are:
- Organization Name: Identify your tenant and set the data-plane URL
- Corporate Login: Wire up SSO via OIDC
- LLM Providers: Connect to OpenAI, Anthropic, and similar
- LLM Models: Choose which models are exposed
- Service Account: Download the credential the data plane needs
By the end of onboarding, you will have a configured management plane and a service-account.json file ready to use as input to the data plane installation.
Plan for 15–30 minutes, plus any back-and-forth with your IdP team during Step 2.
Prerequisites
Gather the following before launching the wizard. Step 2 in particular is hard to complete without your IdP details on hand.
- Access to the Agent Router Management Plane Dashboard. Tetrate provides the URL during provisioning.
- Initial admin credentials for the first sign-in. SSO is configured later; your first login uses these credentials.
- OIDC IdP details on hand: issuer URL, client ID, client secret, scopes. Agent Router supports OIDC only; SAML and other protocols are not supported.
- An IdP admin reachable during Step 2. The wizard displays a redirect URI you must register on the IdP side before SSO will work.
- API credentials for at least one LLM provider (for example, an OpenAI API key). See the supported providers list.
- A planned hostname for your data plane, for example proxy.example.com. This becomes the Proxy URL in Step 1 and the --serve-url value in the data plane install.
Step 1: configure organization name
Typical time: 2 minutes
Fill in:
| Field | Required | Description | Sample value |
|---|---|---|---|
| Organization Name | Yes | Your organization's display name | Acme Corp. |
| Proxy URL | Yes | The public URL where your data plane will be reachable. The same value you will pass to tare install --serve-url later. | https://proxy.example.com |
Always include the scheme in the Proxy URL (for example, https://proxy.example.com, not proxy.example.com).
The data plane does not need to exist yet. Use the hostname you intend to set up; onboarding only stores the value. The actual cluster, ingress, and DNS are created during the data plane install.
Step 2: configure corporate login (single sign-on)
Typical time: 5–15 minutes (depends on IdP team availability)
Configure SSO so your users can sign in with your existing identity provider.
Agent Router supports OIDC only. SAML, LDAP, and other protocols are not supported.
When you arrive at Step 2, the wizard displays the OIDC redirect URI for this Agent Router deployment. The URI follows the pattern:
https://dashboard.<your-mp-host>/login
Register Agent Router as an OIDC application in your IdP using that exact URI as an authorized redirect URI. You can leave the wizard tab open while doing this; click Previous if you need to come back to verify the displayed URI.
Once the IdP-side application is registered and you have the issuer URL, client ID, and client secret in hand, fill in:
| Field | Required | Description | Sample value |
|---|---|---|---|
| Issuer (IdP URL) | Yes | OIDC issuer URL exposed by your IdP | https://login.example.com/ |
| Client ID | Yes | OAuth client ID created for Agent Router | agent-router |
| Client Secret | Yes | OAuth client secret paired with the Client ID | •••••••• |
| Discovery URL | No | OIDC discovery document URL. If omitted, Agent Router constructs it as <Issuer URL>/.well-known/openid-configuration. Provide this only if your IdP serves discovery at a non-standard path. | https://login.example.com/.well-known/openid-configuration |
| Scopes | Yes | OAuth scopes to request | openid profile email |
| Admin email | Yes | At least one user that should land in Agent Router with admin rights after first SSO login | [email protected] |
| Attribute mapping | Yes | Free-text field that maps an IdP claim to the Agent Router user's email. The wizard shows Email as a hint. Typically you enter email. | email |
More information and details can be found in the Configuring SSO Guide.
Recovery: If SSO is misconfigured and locks you out, sign back in with the initial admin credentials and reset the SSO configuration from the Dashboard's settings panel.
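The following preflight check for the Step 1 and Step 2 values is an added example, not Tetrate's code or part of the wizard. The function names and the sample discovery document are constructed for illustration. The exact-match issuer comparison and the trailing-slash handling follow OpenID Connect Discovery 1.0; whether Agent Router applies the same rules is an assumption, since the page does not say.

```python
from urllib.parse import urlsplit

# Constructed sample of an IdP discovery document (not from a real IdP).
SAMPLE_DISCOVERY = {
    "issuer": "https://login.example.com/",
    "authorization_endpoint": "https://login.example.com/authorize",
    "token_endpoint": "https://login.example.com/oauth/token",
    "jwks_uri": "https://login.example.com/.well-known/jwks.json",
    "scopes_supported": ["openid", "profile", "email"],
}
REQUIRED_METADATA = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    # OIDC Discovery 1.0: drop a trailing "/" before appending the well-known path.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def redirect_uri(mp_host):
    # Pattern shown by the wizard: https://dashboard.<your-mp-host>/login
    return f"https://dashboard.{mp_host}/login"


def preflight(proxy_url, issuer, scopes, claim, discovery):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    proxy = urlsplit(proxy_url)
    if proxy.scheme not in ("http", "https") or not proxy.hostname:
        problems.append(f"Proxy URL needs a scheme and host: {proxy_url!r}")
    if urlsplit(issuer).scheme != "https":
        problems.append(f"Issuer must be an https URL: {issuer!r}")
    requested = scopes.split()
    if "openid" not in requested:
        problems.append("Scopes must include 'openid'")
    if claim == "email" and "email" not in requested:
        problems.append("Mapping the 'email' claim needs the 'email' scope")
    # The spec requires the document's issuer to equal the configured one exactly.
    if discovery.get("issuer") != issuer:
        problems.append(f"Discovery issuer {discovery.get('issuer')!r} != {issuer!r}")
    for key in REQUIRED_METADATA:
        if key not in discovery:
            problems.append(f"Discovery document lacks {key}")
    supported = discovery.get("scopes_supported", requested)
    for scope in requested:
        if scope not in supported:
            problems.append(f"IdP does not advertise scope {scope!r}")
    return problems
```

Fetch the real document from the URL that `discovery_url` returns and pass the parsed JSON in place of `SAMPLE_DISCOVERY`. A mismatch that differs only by a trailing slash on the issuer is the kind of error this check surfaces before it turns into a failed SSO login.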
Step 3: configure LLM providers
Typical time: 3–5 minutes per provider
Connect Agent Router to one or more LLM providers. You need at least one provider to route traffic.
The wizard shows a radio button for each supported provider. Select a provider, then click Configure to enter its credentials.
Supported providers
The wizard lists Agent Router's supported providers, including:
- OpenAI
- Anthropic
- Azure OpenAI
- Mistral
- Cohere
- Together
- Perplexity
Additional providers may appear depending on your deployment. See Providers Management for the authoritative list.
Configure a provider
After clicking Configure, fill in:
| Field | Required | Description | Sample value |
|---|---|---|---|
| Display Name | No | Optional label shown in tables and search filters | OpenAI |
| API Base URL | Yes | Base URL for the provider API endpoint. Pre-filled for supported providers (for example, OpenAI defaults to https://api.openai.com/v1). | https://api.openai.com/v1 |
| Auth method | Yes | Authentication method. Pre-filled per provider. | API Key |
| Secret Type | Yes | Password for single-string API keys (OpenAI, Anthropic). Service Account JSON for providers that authenticate with a JSON credential file (for example, Google Vertex). | Password |
| Provider Secret | Yes | API key, token, or service-account JSON used to authenticate to the provider | sk-proj-... |
| First-party provider | No | Leave off for the supported providers above. Toggle on only if you're configuring a custom provider that exposes an OpenAI-compatible API at a non-standard endpoint. | toggle |
| Enable provider | Yes | Defaults to on. Disable to keep the provider hidden until you're ready to expose it. | toggle |
Repeat for each provider you want to expose. The wizard returns to the provider selection screen after each one is saved.
Step 4: configure LLM models
Typical time: 1–2 minutes
The wizard shows a single long list of all models supported by Agent Router (no grouping by provider). The list is a static catalog maintained by Tetrate and updates with new releases of Agent Router.
By default, all models are selected. Reasons to un-select a model:
- Cost control: block expensive models from being callable.
- Compliance: restrict to models that meet your data-handling requirements.
- Capability scoping: only expose models that fit your use case.
If a model you need isn't in the list, contact Tetrate support; custom model entries are not configurable in onboarding.
Step 5: generate service account credentials
Typical time: under 1 minute
This is the final step. It generates the credentials the data plane uses to authenticate to the management plane.
Click Create Service Account. A service-account.json file is downloaded by your browser. The credential is valid immediately: you can use it to run tare install as soon as it lands.
The download is one-shot. If your browser blocks the download or the file is lost in transit, you cannot re-download the same credential; you must regenerate. See "Regenerate the service account file" below.
Treat service-account.json as a long-lived secret. Store it in a secret manager; do not commit it to source control.
After the file downloads, the wizard closes and you land on the populated Dashboard.
Regenerate the service account file
If you lose the file, regenerate it from the Dashboard:
- Sign in to the Dashboard.
- Go to System | Settings.
- Open the Licenses tab.
- Click + Generate New License.
A new service-account.json file is downloaded. Older files remain valid until revoked.
Where to go next