Move from trial to production

A trial lets one person explore Wicket quickly. Production means real agents, real team members, and real data flowing through the proxy. This checklist covers what changes between the two.

---

1. Audit your current policies

   Open the Policies tab for each agent. By default, Wicket allows any authenticated tool call. Before onboarding teammates, make this explicit:

   • Add a baseline permit policy scoped to the tools your agents should be able to call.
   • Add forbid policies for destructive tools (delete, force-push, message deletion).

   The policy recipes page has copy-paste starting points.

2. Invite team members

   From the agent’s Members tab, click Invite. Enter the team member’s email. They receive an invite link that:

   1. Authenticates them via magic link
   2. Steps them through connecting their own OAuth tokens
   3. Places them in pending status

   You approve or reject each member from the same Members tab.

   Note

   Each member holds their own encrypted OAuth tokens and generates their own member key. You cannot see their tokens or keys — only their display suffix.

3. Have each member generate their key

   After approval, members click Generate key on their member panel. Keys are 32-character base64 strings shown once. Members configure their MCP client with this key — see the client guides.

4. Set up key rotation

   Member keys do not expire automatically. Establish a rotation schedule:

   • Offboarding: Remove the member from the agent immediately. This invalidates their key.
   • Rotation: Members can regenerate a key at any time from their panel. This re-encrypts their OAuth tokens and invalidates the old key.

5. Enable audit monitoring

   Production agents should have audit monitoring set up before launch:

   • Visit the Audit tab daily to spot unexpected denies or unusual tool usage.
   • Use the result=DENY filter to surface blocked calls that may indicate a policy misconfiguration.
   • Export audit logs to CSV for long-term storage: GET /api/audit/export — see Work with audit logs.

6. Disable the agent if something goes wrong

   From agent settings, toggle Status to disabled. This immediately blocks all MCP proxy calls for all members — no key rotation required. Re-enable when resolved.

---

Production checklist

Item	Done?
Baseline permit policy covers expected tools
Forbid policies cover destructive tools
Team members invited and approved
Each member has generated their key
Key rotation policy documented
Audit tab reviewed at least once
Agent disable runbook exists for incidents

---

Next steps

• Policy recipes — patterns for GitHub, Slack, and Linear
• Audit event schema — fields available for log export
• REST API reference — automate member and policy management