Authorization Deployment

Deploy the Authorization tier to add Cedar-based policy enforcement on top of Discovery & Registry.

Recommended: Use the Beacon Installer

The Beacon Installer supports wl-apdp via the --services flag. For Kubernetes, see the Helm chart installation guide (Tier 2).

Prerequisites

  • Docker Engine 24+ with Compose v2
  • 4 GB RAM available for containers
  • Ports available: 443 (Policy Manager), 8443 (Registry dashboard), 8081 (APDP API)
  • GHCR access token (provided by Watchlight AI)

curl -fsSL https://docs.watchlight.ai/install-beacon.sh -o install-beacon.sh
chmod +x install-beacon.sh
./install-beacon.sh --services registry,discover,apdp --ghcr-token <token>

See the Beacon Installer docs for all options.

Option B: Helm Chart (Kubernetes)

helm install beacon ./watchlight-beacon \
  --namespace watchlight \
  --set 'global.imagePullSecrets[0].name=ghcr-credentials' \
  --set wl-apdp.enabled=true \
  --set wl-apdp-frontend.enabled=true

See the Helm installation guide for details.

Option C: Bootstrap Script

cd deploy/tier2-authorization/docker-compose
./bootstrap.sh

Access

| Endpoint | Purpose |
|---|---|
| https://localhost | Policy Manager Dashboard |
| https://localhost:8443 | Registry Dashboard |
| https://localhost/authorize | Authorization API (Cedar eval) |

Cedar Policies

Default: Observation mode — all actions allowed, all decisions logged.

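Load enforcement policies via the Policy Manager Dashboard at https://localhost, or via API. The request below asks the Authorization API (Cedar evaluation) for a decision on one principal, action and resource; the -k flag disables TLS certificate verification, so keep it to local testing: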

curl -k -X POST https://localhost/authorize \
-H 'Content-Type: application/json' \
-d '{
"principal": "Agent::\"my-agent\"",
"action": "Action::\"execute_tool\"",
"resource": "Tool::\"web_search\""
}'
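
The same /authorize request built programmatically, as an added example that is not Watchlight's own client code: it escapes each id as a Cedar string literal so an agent or tool name taken from untrusted input cannot break out of the quoted id, and it sends the request with certificate verification left on. The helper names, the ca_file parameter and the choice to reject control characters are assumptions; the response schema is not documented on this page, so the body is returned uninterpreted.

```python
import json
import re
import ssl
import urllib.request

# Cedar entity type: identifiers joined by "::" (e.g. Agent, Org::Agent).
_TYPE_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(::[A-Za-z_][A-Za-z0-9_]*)*")


def entity_uid(entity_type: str, entity_id: str) -> str:
    """Render Type::"id" with the id escaped as a Cedar string literal."""
    if not _TYPE_RE.fullmatch(entity_type):
        raise ValueError(f"invalid Cedar entity type: {entity_type!r}")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in entity_id):
        raise ValueError("control characters are not accepted in entity ids")
    escaped = entity_id.replace("\\", "\\\\").replace('"', '\\"')
    return f'{entity_type}::"{escaped}"'


def build_authorize_body(agent: str, action: str, tool: str) -> bytes:
    """Build the JSON body shown on this page for POST /authorize."""
    return json.dumps({
        "principal": entity_uid("Agent", agent),
        "action": entity_uid("Action", action),
        "resource": entity_uid("Tool", tool),
    }).encode("utf-8")


def authorize(agent, action, tool, base_url="https://localhost", ca_file=None):
    """POST the request with TLS verification on (no equivalent of curl -k).

    ca_file is a hypothetical path to the CA that signed the deployment's
    certificate. The raw response body is returned as text.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"{base_url}/authorize",
        data=build_authorize_body(agent, action, tool),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: a quote inside the agent name stays inside the id.
    print(build_authorize_body('my-agent"x', "execute_tool", "web_search").decode())
```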

Dashboard Authentication

Both dashboards start without authentication by default. Configure OIDC or LDAP through each dashboard's built-in setup UI.

Commands

# Re-run bootstrap
./docker-compose/bootstrap.sh

# View logs
docker compose -f docker-compose/docker-compose.yml logs -f

# Stop
docker compose -f docker-compose/docker-compose.yml down

# Full reset
./docker-compose/bootstrap.sh --reset

Upgrade to Runtime Enforcement Proxy

Ready for transparent policy enforcement on every API call? See the Runtime Enforcement Proxy overview.