AI Onboarding Agent
Skip manual setup. Install a KnoxCall Agent on your host, then start a conversation. The AI Onboarding Agent analyzes your codebase through the installed agent, discovers API integrations, detects credentials, and creates all necessary KnoxCall resources through a conversational interface.The onboarding agent is a cloud-only feature (KnoxCall SaaS); it is not available on self-hosted deployments. SSH-based onboarding (entering a host, port, username, and SSH password/key) has been retired — you now install a lightweight KnoxCall Agent on your host and start a conversation bound to that agent.
What is the Onboarding Agent?
The Onboarding Agent is a conversational AI assistant powered by Claude that:- 🔍 Scans your codebase to find external API calls
- 🔑 Detects secrets in .env files and environment variables
- 🤖 Suggests resources (routes, secrets, clients) to create
- 💬 Asks clarifying questions when it needs your input
- ✨ Creates everything automatically once you approve
How It Works
Quick Start
Step 1: Install a KnoxCall Agent
- Navigate to Agents in the admin UI
- Click 1-line install and copy the install command
- Run the command on the host you want to onboard. The agent registers itself back to KnoxCall and appears in the Agents list as active.
Step 2: Start a Conversation
- Navigate to Onboarding (or open the agent on the Agents page)
- Click New Conversation and pick the installed agent you want to onboard
- KnoxCall creates an onboarding session bound to that agent and opens the conversation page
POST /admin/agents/:id/start-conversation, which provisions the session and queues the agent to begin work.
Step 3: Select Repositories
Browse the host’s filesystem (via the installed agent) and select code directories to analyze:Step 4: Chat with the Agent
The agent will greet you and explain what it’s doing:Step 5: Review & Approve
The agent presents a summary of what it will create:approve to confirm, or ask questions to refine.
Step 6: Automatic Creation
The agent creates everything:Features
Intelligent Code Analysis
The agent uses Claude’s AI to: Detect API Calls:Secret Detection
Finds credentials in multiple formats: .env Files:- Suggests descriptive names (
stripe_secret_keynotenv_var_42) - Detects secret type (API key, OAuth token, password)
- Shows preview (first 4 chars) without exposing full value
- Groups secrets by service
Conversational Interaction
The agent can: Ask clarifying questions:Pause & Resume
The agent saves its state, allowing you to:- Disconnect and return later
- Review findings before proceeding
- Consult with your team
- Re-run analysis on the same server
Advanced Usage
Bulk Domain Classification
Instead of classifying each endpoint individually, classify by domain:Repository Re-Analysis
Start a new conversation against the same agent to re-scan the same host:Custom Collections
Organize routes into logical groups:Multi-Environment Setup
The agent can configure environments during creation:Security & Privacy
Read-Only Access
The agent operates with read-only filesystem access on your host:- ✅ Can list directories
- ✅ Can read file contents
- ❌ Cannot execute commands
- ❌ Cannot write files
- ❌ Cannot modify permissions
- ❌ Cannot delete anything
Credential Handling
Host Access:- KnoxCall never receives or stores SSH credentials for your host
- The KnoxCall Agent runs locally on your host and connects out to KnoxCall — KnoxCall never logs into your server
- The agent only reads the directories you select during the conversation
- Full values never shown in UI
- Only first 4 characters displayed (preview)
- You must provide actual values during resource creation
- Agent cannot access production secret values
- Encrypted using AES-256-GCM
- Stored with per-secret encryption keys
- Keys encrypted with master key
- Zero-knowledge architecture
Network Isolation
- The KnoxCall Agent runs on your host (not in your browser); the conversation orchestration runs server-side
- The agent connects out to KnoxCall — KnoxCall never opens an inbound connection to your server
- No third-party services involved
- No data sent to external APIs (except Claude for analysis)
Audit Trail
All agent actions are logged:Supported Languages & Frameworks
Fully Supported
Backend Languages:- JavaScript / Node.js
- TypeScript
- PHP
- Python
- Ruby
- Go
- Java
- Express.js, Koa, Fastify (Node)
- Laravel, Symfony (PHP)
- Django, Flask, FastAPI (Python)
- Rails, Sinatra (Ruby)
- Gin, Echo (Go)
- Spring Boot (Java)
Detected Patterns
HTTP Clients:Troubleshooting
Connection Issues
Problem: “Agent not connected” / “Agent offline”Analysis Issues
Problem: “No endpoints discovered”Agent Behavior
Problem: “Agent stopped responding”API Reference
REST Endpoints
All onboarding endpoints live on the admin host (
admin.knoxcall.com, or any knoxcall.com host), under the /admin prefix. They are authenticated by an admin session JWT plus the X-Tenant-ID header (owner/admin role) and are scoped to your tenant — they are not part of the /v1/* client API on api.knoxcall.com and do not accept an API key. They are also cloud-only: requests fail on self-hosted deployments.{ "session_id": "<uuid>", "command_id": "<uuid>" }. This is the supported entry point — it creates an onboarding session bound to an installed KnoxCall Agent.
Send Message:
Event Types
agent.message:Best Practices
Before Starting
- Review your code - Ensure .env files are up to date
- Install the KnoxCall Agent - Run the 1-line install on your host and confirm it shows as active
- Backup credentials - Agent won’t access vault secrets; have them ready
- Clean up test code - Remove old API integrations you’re not using
During Analysis
- Be specific - “All Stripe endpoints are external” vs “yes”
- Group by service - Create collections like “Payment APIs”, not “APIs”
- Use environments - One route with dev/prod environments, not separate routes
- Verify suggestions - Agent’s AI is smart but review before approving
After Creation
- Test routes - Use the testing UI to verify proxying works
- Configure secrets - Add environment-specific secret values if needed
- Set rate limits - Agent doesn’t configure these; set manually
- Review client permissions - Ensure client IP is correct
Security Checklist
- Installed the KnoxCall Agent with a read-only OS user where possible
- Reviewed all discovered secrets before creating
- Verified no sensitive data in agent conversation
- Checked created routes target correct environments
- Tested with non-production credentials first
- Deleted onboarding session after completion (optional)
Limitations
What the Agent Cannot Do
- Execute commands on your server
- Modify your source code
- Access databases directly
- Read secrets from external vaults (AWS, HashiCorp)
- Detect API calls made via SDK without explicit URLs
- Parse compiled/minified code
- Read binary files
Edge Cases
Dynamic URLs:Next Steps
Create Your First Route
Manually create a route if agent missed one
Secret Management
Learn about secret encryption and environments
Environment Setup
Configure dev, staging, and production
Client Permissions
Restrict which clients can call routes
📊 Guide Info
- Level: Beginner to Intermediate
- Time: 10-30 minutes (depends on codebase size)
- Prerequisites: A KnoxCall Agent installed on your host (cloud-only feature)
🏷️ Tags
onboarding, automation, ai, agent, setup