Skip to main content

MandateZ Proxy Mode — Zero-Code Governance

Proxy Mode is the fastest path to MandateZ governance. Instead of installing @mandatez/sdk and refactoring your agent’s action layer, you repoint your HTTP client at the MandateZ proxy and every outbound call to OpenAI, Anthropic, Stripe, Supabase, Slack, or any other API is:
  • Policy-checked against the rules you’ve configured in your dashboard
  • Signed with an Ed25519 key escrowed by MandateZ and bound to your agent ID
  • Logged to the same agent_events stream the SDK writes to
  • Trust-scored in the background
No code changes to your agent. No private key to manage. Adoption without decision.
Proxy Mode is the right first integration when you need governance working in under ten minutes or when you cannot modify the agent’s source (third-party SaaS, compiled binaries, n8n nodes). For full SDK capabilities — per-agent keypairs you control, synchronous oversight gates with waitForApproval, cross-agent verification — use the SDK directly.

How It Works

Your agent makes its outbound request to https://core-dashboard-black.vercel.app/api/proxy instead of directly to the target API. The proxy reads three X-MandateZ-* headers, evaluates the call against your configured policies, and — if allowed — forwards the request to the real target. The target’s response is relayed back unchanged. If the call is blocked, the target API is never contacted and your agent receives a 403 with the policy reason.

Setup — Three Steps

Step 1 — Configure Your HTTP Client

Prefix your existing API calls with the MandateZ proxy URL and add three headers. Everything else (auth headers, body, method) stays identical to the direct call.

Python

Node.js

Step 2 — Set Policies in Your Dashboard

Define which action types (read, write, export, delete, call, payment) and resource patterns the agent is allowed to hit. The proxy evaluates every forwarded call against these rules before contacting the target. Example policy covering the Vercel-class failure mode:

Step 3 — Watch Events Stream in Real Time

Every proxied call produces a signed AgentEvent visible in the live event feed. The event records the action type, derived resource, outcome, policy ID, HTTP method, status code, and latency — but never the request or response body.

Request Headers Reference

All other headers (including Authorization and Content-Type) pass through to the target unchanged. MandateZ strips X-MandateZ-* headers before forwarding so the target API never sees them.

Response Headers

On successful proxy, the response includes:

What Gets Governed

The proxy automatically maps each target URL to a resource string your policies can match. Well-known hosts fold into a short prefix; custom hosts fall back to the full hostname. You can override the auto-derived resource with the X-MandateZ-Resource header — useful when you want to group multiple upstream APIs under a single policy prefix.

Privacy

MandateZ Proxy does not store request or response bodies. Only the action type, resource, outcome, policy ID, HTTP method, status code, and timestamp are logged — never your prompts, API payloads, or upstream responses. Every event is Ed25519-signed by an escrowed key bound to your agent ID. Because the key is managed by MandateZ on your behalf, Proxy Mode’s audit trail is most useful when governance is the security boundary. For workloads where cryptographic non-repudiation from the agent runtime itself is required (e.g. EU AI Act Article 12 for regulated-industry deployments), use the SDK directly so the private key never leaves your infrastructure.

Network Policy

MandateZ Proxy forwards only to public HTTPS endpoints. Private IPs (RFC1918, loopback, link-local, CGNAT), cloud metadata endpoints (169.254.169.254, metadata.google.internal), and plain HTTP targets are rejected with a 400. Request bodies larger than 5 MB are rejected with a 413.

Cache Behaviour

Proxy Mode caches your per-owner policy list in memory for 30 seconds. Policy changes made through the dashboard take effect on the next cache refresh — worst case ~30 s for a hot proxy instance, immediate for a cold one. If you need to force a policy rollout faster, redeploy the dashboard or evict the cache entry for that owner.

Proxy Mode vs SDK

Proxy Mode and the SDK write to the same agent_events stream — you can switch between them or run both on the same agent without losing audit continuity.

Get Started

Open your dashboard, copy the Proxy Setup snippet, and route your first call through MandateZ in under 60 seconds.