Skip to main content

AI Onboarding Agent

Skip manual setup. Install a KnoxCall Agent on your host, then start a conversation. The AI Onboarding Agent analyzes your codebase through the installed agent, discovers API integrations, detects credentials, and creates all necessary KnoxCall resources through a conversational interface.
The onboarding agent is a cloud-only feature (KnoxCall SaaS); it is not available on self-hosted deployments. SSH-based onboarding (entering a host, port, username, and SSH password/key) has been retired — you now install a lightweight KnoxCall Agent on your host and start a conversation bound to that agent.

What is the Onboarding Agent?

The Onboarding Agent is a conversational AI assistant powered by Claude that:
  • 🔍 Scans your codebase to find external API calls
  • 🔑 Detects secrets in .env files and environment variables
  • 🤖 Suggests resources (routes, secrets, clients) to create
  • 💬 Asks clarifying questions when it needs your input
  • Creates everything automatically once you approve

How It Works

Quick Start

Step 1: Install a KnoxCall Agent

  1. Navigate to Agents in the admin UI
  2. Click 1-line install and copy the install command
  3. Run the command on the host you want to onboard. The agent registers itself back to KnoxCall and appears in the Agents list as active.
You don’t enter any SSH host, port, username, or password — the agent runs locally on your host and connects out to KnoxCall.

Step 2: Start a Conversation

  1. Navigate to Onboarding (or open the agent on the Agents page)
  2. Click New Conversation and pick the installed agent you want to onboard
  3. KnoxCall creates an onboarding session bound to that agent and opens the conversation page
Behind the scenes this calls POST /admin/agents/:id/start-conversation, which provisions the session and queues the agent to begin work.

Step 3: Select Repositories

Browse the host’s filesystem (via the installed agent) and select code directories to analyze:
Click Start Agent to begin analysis.

Step 4: Chat with the Agent

The agent will greet you and explain what it’s doing:

Step 5: Review & Approve

The agent presents a summary of what it will create:
Type approve to confirm, or ask questions to refine.

Step 6: Automatic Creation

The agent creates everything:

Features

Intelligent Code Analysis

The agent uses Claude’s AI to: Detect API Calls:
Classify Internal vs External:
Extract Authentication Patterns:

Secret Detection

Finds credentials in multiple formats: .env Files:
PHP Config:
JavaScript/TypeScript:
Python:
The agent automatically:
  • Suggests descriptive names (stripe_secret_key not env_var_42)
  • Detects secret type (API key, OAuth token, password)
  • Shows preview (first 4 chars) without exposing full value
  • Groups secrets by service

Conversational Interaction

The agent can: Ask clarifying questions:
Handle ambiguity:
Provide context:

Pause & Resume

The agent saves its state, allowing you to:
  • Disconnect and return later
  • Review findings before proceeding
  • Consult with your team
  • Re-run analysis on the same server

Advanced Usage

Bulk Domain Classification

Instead of classifying each endpoint individually, classify by domain:

Repository Re-Analysis

Start a new conversation against the same agent to re-scan the same host:

Custom Collections

Organize routes into logical groups:

Multi-Environment Setup

The agent can configure environments during creation:

Security & Privacy

Read-Only Access

The agent operates with read-only filesystem access on your host:
  • ✅ Can list directories
  • ✅ Can read file contents
  • Cannot execute commands
  • Cannot write files
  • Cannot modify permissions
  • Cannot delete anything

Credential Handling

Host Access:
  • KnoxCall never receives or stores SSH credentials for your host
  • The KnoxCall Agent runs locally on your host and connects out to KnoxCall — KnoxCall never logs into your server
  • The agent only reads the directories you select during the conversation
Detected Secrets:
  • Full values never shown in UI
  • Only first 4 characters displayed (preview)
  • You must provide actual values during resource creation
  • Agent cannot access production secret values
Created Secrets:
  • Encrypted using AES-256-GCM
  • Stored with per-secret encryption keys
  • Keys encrypted with master key
  • Zero-knowledge architecture

Network Isolation

  • The KnoxCall Agent runs on your host (not in your browser); the conversation orchestration runs server-side
  • The agent connects out to KnoxCall — KnoxCall never opens an inbound connection to your server
  • No third-party services involved
  • No data sent to external APIs (except Claude for analysis)

Audit Trail

All agent actions are logged:

Supported Languages & Frameworks

Fully Supported

Backend Languages:
  • JavaScript / Node.js
  • TypeScript
  • PHP
  • Python
  • Ruby
  • Go
  • Java
Frameworks:
  • Express.js, Koa, Fastify (Node)
  • Laravel, Symfony (PHP)
  • Django, Flask, FastAPI (Python)
  • Rails, Sinatra (Ruby)
  • Gin, Echo (Go)
  • Spring Boot (Java)

Detected Patterns

HTTP Clients:
Environment Variables:

Troubleshooting

Connection Issues

Problem: “Agent not connected” / “Agent offline”
Problem: “Permission denied when reading files”

Analysis Issues

Problem: “No endpoints discovered”
Problem: “Too many false positives”
Problem: “Secret values not detected”

Agent Behavior

Problem: “Agent stopped responding”
Problem: “Agent is stuck in a loop”

API Reference

REST Endpoints

All onboarding endpoints live on the admin host (admin.knoxcall.com, or any knoxcall.com host), under the /admin prefix. They are authenticated by an admin session JWT plus the X-Tenant-ID header (owner/admin role) and are scoped to your tenant — they are not part of the /v1/* client API on api.knoxcall.com and do not accept an API key. They are also cloud-only: requests fail on self-hosted deployments.
Start a Conversation (create session):
Returns { "session_id": "<uuid>", "command_id": "<uuid>" }. This is the supported entry point — it creates an onboarding session bound to an installed KnoxCall Agent.
The legacy POST /admin/onboarding/sessions (passing host/port/username/auth_type) has been retired and now returns 410 Gone. Install a KnoxCall Agent and use POST /admin/agents/{agentId}/start-conversation instead.
Send Message:
Stream Events (SSE):

Event Types

agent.message:
agent.tool_call:
agent.action_needed:

Best Practices

Before Starting

  1. Review your code - Ensure .env files are up to date
  2. Install the KnoxCall Agent - Run the 1-line install on your host and confirm it shows as active
  3. Backup credentials - Agent won’t access vault secrets; have them ready
  4. Clean up test code - Remove old API integrations you’re not using

During Analysis

  1. Be specific - “All Stripe endpoints are external” vs “yes”
  2. Group by service - Create collections like “Payment APIs”, not “APIs”
  3. Use environments - One route with dev/prod environments, not separate routes
  4. Verify suggestions - Agent’s AI is smart but review before approving

After Creation

  1. Test routes - Use the testing UI to verify proxying works
  2. Configure secrets - Add environment-specific secret values if needed
  3. Set rate limits - Agent doesn’t configure these; set manually
  4. Review client permissions - Ensure client IP is correct

Security Checklist

  • Installed the KnoxCall Agent with a read-only OS user where possible
  • Reviewed all discovered secrets before creating
  • Verified no sensitive data in agent conversation
  • Checked created routes target correct environments
  • Tested with non-production credentials first
  • Deleted onboarding session after completion (optional)

Limitations

What the Agent Cannot Do

  • Execute commands on your server
  • Modify your source code
  • Access databases directly
  • Read secrets from external vaults (AWS, HashiCorp)
  • Detect API calls made via SDK without explicit URLs
  • Parse compiled/minified code
  • Read binary files

Edge Cases

Dynamic URLs:
Runtime Config:
Indirect Calls:

Next Steps

Create Your First Route

Manually create a route if agent missed one

Secret Management

Learn about secret encryption and environments

Environment Setup

Configure dev, staging, and production

Client Permissions

Restrict which clients can call routes

📊 Guide Info

  • Level: Beginner to Intermediate
  • Time: 10-30 minutes (depends on codebase size)
  • Prerequisites: A KnoxCall Agent installed on your host (cloud-only feature)

🏷️ Tags

onboarding, automation, ai, agent, setup