How-to
Publish intent manifest

Publish intent manifest (so the dashboard can show your menu)

This page is the "okay, cool concept, show me the code" version of Intents.

What the manifest is (and is not)

The intent manifest is tooling, not security.

  • Security is enforced at runtime by your app: key → scopes → payload schema → handler.
  • The manifest is just how Bissap Cloud can display your intent menu (and schemas) in the dashboard.

Think: restaurant menu.

  • The menu helps humans choose.
  • The bouncer still checks IDs at the door.

Where it lives

  • Source of truth: your app code (the intents registry)
  • Exposed by your app: GET /bissap/agent/intents
  • Stored in Cloud (optional): PUT /v1/sdk/intents → shows up in dashboard (Project → Intents)

Node example (Zod)

import express from "express";
import { enableAgentAccess } from "@bissap/sdk";
import { z } from "zod";
 
const app = express();
 
app.use((req: any, _res, next) => {
  req.user = { id: "user_123" };
  next();
});
 
enableAgentAccess(app, {
  userResolver: (req: any) => req.user.id,
  scopes: ["read", "write"],
 
  // 👇 This is the source of truth.
  intents: {
    ping: {
      name: "ping",
      title: "Ping",
      requiredScopes: ["read"],
      input: z.object({}).optional(),
      output: z.object({ ok: z.boolean() }),
      handler: async () => ({ ok: true }),
    },
 
    "journal.create": {
      name: "journal.create",
      title: "Create journal entry",
      requiredScopes: ["write"],
      input: z.object({ text: z.string().min(1).max(2000) }),
      output: z.object({ id: z.string() }),
      handler: async ({ text }, user) => {
        // write to DB scoped to user.id
        return { id: "entry_123" };
      },
    },
  },
 
  strictIntents: true,
  validateResults: true,
 
  // fallback (unused if strictIntents + registry covers everything)
  onAgentIntent: async () => {
    throw new Error("Unknown intent");
  },
 
  // Cloud/hybrid mode only: the SDK will best-effort upload the manifest.
  // mode: "hybrid",
  // cloud: { endpoint, projectId, sdkSecret }
});

Verify locally (2 curls)

1) Your app exposes the manifest

curl -sS http://localhost:3000/bissap/agent/intents

2) Your app enforces payload schemas

BISSAP_KEY='bs_live_...'
 
curl -sS -X POST http://localhost:3000/bissap/agent/run \
  -H "authorization: Bearer $BISSAP_KEY" \
  -H 'content-type: application/json' \
  -d '{"intent":"journal.create","payload":{}}'

Expected: INTENT_VALIDATION_ERROR (because text is required).

Verify in Cloud

Once your app is running in hybrid/cloud mode and pointing at https://api.bissap.dev, open:

  • Dashboard → Project → Intents

If the page is empty, your app likely didn't upload the manifest (wrong cloud env vars or not in cloud/hybrid mode).

Build an agent loop (inbox poll/ack)Rotate keys safely