FirstOps Documentation
Welcome to the FirstOps documentation. FirstOps is the security and governance layer for AI agents in production — providing identity, policy enforcement, credential brokering, and a complete audit trail for every agent connection.
What is FirstOps?
FirstOps sits between your AI agents and the tools they access. It provides:
- Agent Identity — Every agent gets its own cryptographic identity, not a shared API key or an inherited credential: a unique key pair verified on every request through DPoP (proof-of-possession)
- Policy Enforcement — Define what agents can see, do, and access — both MCP tool calls and local actions like shell commands and file writes
- Credential Brokering — Agents never see raw API keys or OAuth tokens; FirstOps injects them at request time
- Audit Trail — Full lineage of every request, every decision, every action — attributed to a specific agent identity
How it works
FirstOps governs agent behavior through two complementary enforcement channels:
MCP Gateway — tool calls
Every MCP tool call flows through the FirstOps gateway, where it is authenticated, evaluated against policies, and logged.
- Agents connect through the FirstOps MCP gateway
- Every request is authenticated via DPoP (proof-of-possession)
- Policies are evaluated against the request
- Credentials are injected and the request is forwarded
- The full interaction is logged for audit
Client Hooks — shell, files, code
Coding agents (Claude Code, Cursor) do far more than MCP tool calls — they execute shell commands, read and write files, install packages, and make direct network calls. The MCP gateway never sees these actions.
FirstOps intercepts these actions through the agent's native hook system. Before the agent executes a shell command or writes to a file, the action is evaluated against the same policy engine — and allowed, denied, or flagged.
| What's governed | MCP Gateway | Client Hooks |
|---|---|---|
| MCP tool calls | ✓ | |
| Credential brokering | ✓ | |
| Shell command execution | | ✓ |
| File read/write | | ✓ |
| Package installation | | ✓ |
| Works for all agent types | ✓ | Coding agents |
Both channels share the same policy engine and audit trail.
Quick links
- Quickstart — Get up and running in 5 minutes
- Architecture — How the system is designed
- Principals — Understanding identity in FirstOps
- Identity & Auth — DPoP, credentials, and authentication
- Connections — Managing agent-to-tool connections
- Enforcement — Policies, rules, and evaluation
Guides
- Human-Delegated Agents — Agents acting on behalf of a user
- Autonomous Agents — Standalone agent principals
- Google ADK — Integration with Google Agent Development Kit
- OpenAI Agents — Integration with OpenAI Agents SDK
- Claude SDK — Integration with Anthropic Claude SDK
- LangChain — Integration with LangChain/LangGraph