Getting started

Quickstart

Configure Monago in three steps for integration teams.

A concise walkthrough for configuring Monago as a governance gateway and sending your first request.

Prerequisites: the admin role in a Monago tenant and an active account at the AI provider you intend to integrate.

Tip

For end-to-end configuration including credential acquisition, rotation, troubleshooting, and FAQ, see the BYOK guide.

Step 1 — Acquire the provider API key

Pick one or more AI providers.

OpenAI

Log in

Create a new secret key

Open Settings → API keys → Create new secret key.

Set minimum scope

Pick the minimum scope your integration requires, for example model.read and chat.completions:write. The principle of least privilege applies.

Copy the plaintext key

Format sk-… or sk-proj-….

Anthropic

Log in

Create the key

Open Settings → API keys → Create Key.

Copy the plaintext key

Format sk-ant-….

AWS Bedrock

Integration status

AWS Bedrock credentials can be registered in Monago today. Inference request processing through Bedrock will be enabled in a subsequent release. Contact the Monago team to discuss timelines if Bedrock is your primary provider.

Open IAM

AWS Console → IAM → Users → Create access key.

Grant permissions

Minimum permissions: bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream.

Record credentials and region

Save the Access Key ID, Secret Access Key, and region (e.g. Singapore ap-southeast-1).

Stash the plaintext key in your password manager — it will be used in Step 2.

Step 2 — Register the credential in Monago

Log in as admin

Log in to the Monago dashboard as the tenant administrator.

Open AI Providers

Select AI Providers from the sidebar.

Add a provider

Click Add provider in the top-right.

Fill the form

  • Provider: OpenAI, Anthropic, or AWS Bedrock.
  • Credential name: an internal label such as production-openai.
  • API key: paste the plaintext from Step 1.
  • Base URL (optional): override when the provider endpoint sits behind an internal gateway.

Submit

Click Add credential.

Monago validates the key against the provider's metadata endpoint with a short timeout. The "Validating key…" indicator is displayed while validation is in progress.

Show-once dialog (important)

After successful validation, the show-once dialog displays the plaintext key.

Plaintext shown once

A warning banner notes that the key is shown only at this point.

Copy

Click Copy; a Copied indicator appears briefly.

Save to your password manager

Paste the plaintext into your password manager or internal secret vault.

Acknowledge

Tick the confirmation "I have copied the API key."

Close

Click Saved, close.

Warning

Once the dialog is dismissed, the plaintext is no longer surfaced through any product workflow. Recovery requires rotating the credential. The table only displays the last four characters of the key (sk-…-XXXX).

Step 3 — Send a request through Monago

curl -X POST https://gateway.monago.io/v1/chat/completions \
  -H "Authorization: Bearer $MONAGO_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o-mini",
    "messages": [{"role": "user", "content": "Hi!"}]
  }'

Monago will:

  1. Resolve the active credential for the tenant + provider pair.
  2. Decrypt the key only for the duration of the request.
  3. Forward the request to the provider using the customer's key.
  4. Capture an audit log entry with cryptographic integrity chaining.
  5. Apply policy enforcement, PII detection, and risk scoring.
  6. Return the response to the customer application.

Configuration is complete. Monago is now active as a governance gateway under the BYOK model.

Next steps

Topic                             Document
Rotation, troubleshooting, FAQ    BYOK guide
Policy enforcement DSL            Dashboard → Policies
Audit trail + observability       Dashboard → Observability
Compliance posture                Dashboard → Compliance

Quick troubleshooting

"Invalid API key"

  • Check for whitespace introduced during copy-paste (leading or trailing spaces or newlines).
  • Verify the key is still active in the provider dashboard.
  • Check the billing status of the provider account.
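
A pre-flight check for the whitespace problem above, using the key formats listed in Step 1. This is an added example, not part of Monago's tooling; the function names classify_key and mask_key, the PROVIDER and PROVIDER_KEY variables, and the sample keys in the comments are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not Monago tooling. classify_key and mask_key are hypothetical names.
NL='
'
TAB=$(printf '\t')
CR=$(printf '\r')

# classify_key PROVIDER KEY
# Prints ok, empty, whitespace, wrong-prefix or unknown-provider; returns 0 only for ok.
classify_key() {
    _provider=$1 _key=$2
    [ -n "$_key" ] || { echo empty; return 1; }
    # Spaces, tabs, carriage returns or newlines picked up during copy-paste.
    case $_key in
        *" "*|*"$TAB"*|*"$CR"*|*"$NL"*) echo whitespace; return 1 ;;
    esac
    case $_provider in
        anthropic)
            case $_key in sk-ant-?*) ;; *) echo wrong-prefix; return 1 ;; esac ;;
        openai)
            # sk-ant-... also starts with sk-, so reject it before the sk- test.
            case $_key in
                sk-ant-*) echo wrong-prefix; return 1 ;;
                sk-?*) ;;
                *) echo wrong-prefix; return 1 ;;
            esac ;;
        *) echo unknown-provider; return 1 ;;
    esac
    echo ok
}

# mask_key KEY: print only the last four characters, never the full key.
# Constructed sample: sk-proj-EXAMPLEonly1234 is shown as ****1234.
mask_key() {
    _key=$1
    _head=${_key%????}
    printf '****%s\n' "${_key#"$_head"}"
}

# Stand-alone use: export PROVIDER and PROVIDER_KEY, then run this file.
# Do not pass the key through "$(...)": that strips the trailing newline
# this check is meant to catch.
if [ -n "${PROVIDER_KEY+set}" ]; then
    _status=$(classify_key "${PROVIDER:-openai}" "$PROVIDER_KEY") || true
    echo "$_status $(mask_key "$PROVIDER_KEY")"
fi
```

A key that passes this check can still be rejected for the other two reasons in the list: it has been revoked, or the provider account has a billing problem.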

"Credential name already used"

Each tenant + provider combination requires a unique name. Recommended convention: production-openai-v2, staging-openai.

Gateway request fails after the credential is disabled

This is expected behaviour. When the credential is disabled, cloud deployments will use the platform's default key if the deployment administrator has configured one. On-premise deployments return a configuration error since there is no fallback. Resolution: re-enable the credential through the UI.

Further detail: BYOK guide — Troubleshooting.