Configuration
Configure the SDK via environment variables or armoriq.yaml
Configuration
There are two ways to configure the ArmorIQ SDK:
- Environment variables — works from either language, no extra files.
armoriq.yaml— generated byarmoriq init, loaded by the Python SDK withArmorIQClient.from_config(). YAML loading from the TypeScript SDK is coming soon.
Environment variables
# Required
export ARMORIQ_API_KEY="ak_live_..."
# Optional — pick an environment
export ARMORIQ_ENV="production" # or "staging" / "local"
# Optional — endpoint overrides
export IAP_ENDPOINT="https://iap.armoriq.ai"
export PROXY_ENDPOINT="https://proxy.armoriq.ai"
export BACKEND_ENDPOINT="https://api.armoriq.ai"
# Optional — per-MCP credentials (JSON blob)
export ARMORIQ_MCP_CREDENTIALS='{"data-mcp":{"authType":"bearer","token":"..."}}'Per-MCP credentials can also be set individually:
export ARMORIQ_MCP_DATA_MCP_AUTH_TYPE=bearer
export ARMORIQ_MCP_DATA_MCP_TOKEN=...armoriq.yaml
Run armoriq init to scaffold a config interactively. The file is
structured like this:
version: v1
identity:
api_key: ${ARMORIQ_API_KEY} # env-var interpolation supported
environment: production # or "sandbox"
proxy:
url: https://proxy.armoriq.ai
timeout: 30
max_retries: 3
mcp_servers:
- id: data-mcp
url: https://data.internal/mcp
description: Internal data warehouse
auth:
type: bearer
token: ${DATA_MCP_TOKEN}
- id: analytics-mcp
url: https://analytics.internal/mcp
auth:
type: api_key
api_key: ${ANALYTICS_API_KEY}
policy:
allow:
- data-mcp:fetch_sales
- analytics-mcp:analyze
deny:
- data-mcp:delete_all
intent:
ttl_seconds: 300
require_csrg: trueSchema reference
| Section | Field | Type | Default | Description |
|---|---|---|---|---|
| top-level | version | "v1" | "v1" | Schema version |
| top-level | environment | "sandbox" | "production" | "sandbox" | Environment preset |
identity | api_key | string | — | ak_live_... key; supports ${ENV_VAR} |
proxy | url | string | production proxy | Proxy endpoint |
proxy | timeout | int | 30 | Seconds |
proxy | max_retries | int | 3 | Retry count |
mcp_servers[] | id | string | — | Unique MCP identifier |
mcp_servers[] | url | string | — | MCP endpoint |
mcp_servers[] | description | string | — | Optional human label |
mcp_servers[] | auth.type | "none" | "bearer" | "api_key" | "none" | Auth scheme |
mcp_servers[] | auth.token | string | — | Required when type: bearer |
mcp_servers[] | auth.api_key | string | — | Required when type: api_key |
policy | allow | list<string> | [] | Tool identifiers <mcp>:<action> always allowed |
policy | deny | list<string> | [] | Tool identifiers always denied |
intent | ttl_seconds | int | 300 | Intent-token validity window |
intent | require_csrg | bool | true | Require CSRG plan hashing |
Loading the config
from armoriq_sdk import ArmorIQClient
client = ArmorIQClient.from_config("armoriq.yaml")// YAML loading coming soon.
// For now, use environment variables or explicit args:
import { ArmorIQClient } from '@armoriq/sdk';
const client = new ArmorIQClient({
apiKey: process.env.ARMORIQ_API_KEY!,
});CLI workflow
The armoriq.yaml file is designed to be managed with the CLI:
armoriq init # scaffold
armoriq validate # check syntax, API key, MCP connectivity
armoriq register # push to control planeSee the CLI docs for details.
Logging
import logging
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(name)s - %(levelname)s - %(message)s',
)
# SDK logger
logging.getLogger("armoriq_sdk").setLevel(logging.DEBUG)// The SDK writes init / validation info to console by default.
// Wrap your client logic with your own logger as needed.