
Creating Secure Tools

Build marketplace tools that execute on your own servers while keeping API keys and credentials private.

What are Secure Tools?

Secure tools are marketplace items that execute remotely on a provider's server instead of being downloaded as DLLs to consumer hosts. This model is ideal when your tool needs:

  • API keys or credentials — Users provide their own keys, which go directly to your server. Daisinet never stores them.
  • Proprietary logic — Your code runs on your infrastructure, protecting intellectual property.
  • External service access — Your server can call third-party APIs, databases, or other services directly.
  • Server-side state — Maintain user sessions, caches, or data that persists between invocations.

How It Works

The architecture uses an InstallId — an opaque identifier generated on purchase — for all provider-facing communication. No Daisinet account IDs are ever sent to providers.

  1. Purchase — When a user buys your tool, the ORC generates an InstallId and calls your /install endpoint to register the installation.
  2. Configure — The user enters their credentials in the Manager UI, which sends them directly to your server (not through the ORC) with the InstallId.
  3. Execute — During inference, the consumer host calls your /execute endpoint directly with the InstallId and parameters. The ORC is not in the execution path.
  4. Uninstall — When a purchase is deactivated, the ORC calls your /uninstall endpoint so you can clean up stored data.

[Purchase]
  Manager --> ORC.PurchaseItem() --> generates InstallId
                                 --> POST provider /install {installId, toolId}

[Configure]
  Manager UI --> POST provider /configure {installId, setupValues}
  (direct, ORC not involved)

[Execute]
  Host SecureTool --> POST provider /execute {installId, parameters}
  (direct, ORC not involved)

[Uninstall]
  ORC deactivates --> POST provider /uninstall {installId}

Step 1: Implement the Provider API

Your server must implement four POST endpoints:

POST /install (ORC-originated)

Called by the ORC when a user purchases your tool. Register the installation.

// Request
Headers: X-Daisi-Auth: {sharedSecret}
Body: {
  "installId": "inst-260215143022-abcdef",
  "toolId": "weather-lookup"
}

// Response
{ "success": true }

POST /uninstall (ORC-originated)

Called by the ORC when a purchase is deactivated. Clean up stored data for this installation.

// Request
Headers: X-Daisi-Auth: {sharedSecret}
Body: { "installId": "inst-260215143022-abcdef" }

// Response
{ "success": true }

POST /configure (Consumer-originated)

Receives user setup data (API keys, credentials) directly from the Manager UI. Store these securely.

// Request (no X-Daisi-Auth header)
Body: {
  "installId": "inst-260215143022-abcdef",
  "toolId": "weather-lookup",
  "setupValues": { "apiKey": "sk-...", "region": "US" }
}

// Response
{ "success": true }

POST /execute (Consumer-originated)

Executes the tool with the given parameters, using stored setup data for the installation. Called directly by consumer hosts.

// Request (no X-Daisi-Auth header)
Body: {
  "installId": "inst-260215143022-abcdef",
  "toolId": "weather-lookup",
  "parameters": [ { "name": "city", "value": "San Francisco" } ]
}

// Response
{
  "success": true,
  "output": "72 F, Sunny",
  "outputFormat": "plaintext",
  "outputMessage": "Current weather for San Francisco"
}

Auth model:

  • /install and /uninstall — Verify the X-Daisi-Auth header matches your shared secret. These come from the ORC.
  • /configure and /execute — Verify that the installId was registered via /install. No shared secret header is sent — the installId is an opaque, unguessable identifier that serves as a bearer token.
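
The auth model above, written as a provider-side dispatcher. This is an added example in Python, not code from the reference implementation. SHARED_SECRET, the in-memory installs dict, the "error" field, the HTTP status codes and the toolId match check are assumptions of this example, and header names are assumed to arrive already normalized.

```python
import hmac

SHARED_SECRET = "constructed-shared-secret"  # assumption: the Auth Key set in the Manager
installs = {}  # installId -> {"toolId": str, "setup": dict or None}; use durable storage in practice

def _ok(**extra):
    return 200, {"success": True, **extra}

def _fail(status, message):
    # "error" is a hypothetical field; the page only shows success responses
    return status, {"success": False, "error": message}

def handle(path, headers, body):
    """Dispatch one provider POST; returns (http_status, json_body)."""
    install_id = body.get("installId")
    if not isinstance(install_id, str) or not install_id:
        return _fail(400, "installId required")

    if path in ("/install", "/uninstall"):
        # ORC-originated: compare X-Daisi-Auth in constant time
        presented = headers.get("X-Daisi-Auth") or ""
        if not hmac.compare_digest(presented.encode(), SHARED_SECRET.encode()):
            return _fail(401, "bad shared secret")
        if path == "/install":
            installs[install_id] = {"toolId": body.get("toolId"), "setup": None}
        else:
            installs.pop(install_id, None)  # removes stored credentials as well
        return _ok()

    if path in ("/configure", "/execute"):
        # Consumer-originated: no header, the installId is the bearer token
        record = installs.get(install_id)
        if record is None or record["toolId"] != body.get("toolId"):
            return _fail(403, "unknown installation")
        if path == "/configure":
            record["setup"] = dict(body.get("setupValues") or {})
            return _ok()
        if record["setup"] is None:
            return _fail(409, "installation not configured")
        params = {p["name"]: p["value"] for p in body.get("parameters", [])}
        # Placeholder tool logic: echo the parameters, never the stored secrets
        return _ok(output=str(params), outputFormat="plaintext", outputMessage="echo")

    return _fail(404, "unknown endpoint")
```

Because the installId acts as a bearer token, keep it out of request logs and URLs just as you would the X-Daisi-Auth value.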

Step 2: Create the Marketplace Item

  1. In the DAISI Manager, navigate to Marketplace > Provider Dashboard > Create New Item.
  2. Set the Item Type to Host Tool.
  3. Enable the Secure Execution toggle.
  4. Fill in:
    • Endpoint URL — Your server's base URL (e.g. https://my-func.azurewebsites.net/api)
    • Auth Key — A shared secret the ORC will send as X-Daisi-Auth for install/uninstall
    • Tool ID — Unique identifier (e.g. my-weather-tool)
    • Tool Name — Display name for the AI (e.g. Weather Lookup)
    • Use Instructions — Natural language description of when/how the AI should use this tool
    • Tool Group — Category for filtering (e.g. Information Tools, Integration Tools)
    • Call Parameters — Parameters the AI provides at execution time
    • Setup Parameters — Fields users fill in during configuration (API keys, regions, etc.)
  5. Submit for review. An admin will verify your endpoint is reachable and responds correctly.

Step 3: Reference Implementation

A reference Azure Functions implementation is provided in the daisi-tools-dotnet/SecureToolProvider directory. It demonstrates:

  • Installation registration and cleanup (/install, /uninstall)
  • Auth header verification for ORC-originated calls
  • InstallId validation for consumer-originated calls
  • Setup data storage and retrieval
  • Parameter handling and response formatting
  • Error handling for missing configuration or unknown installations

Clone the reference project and replace the echo logic with your actual tool implementation.

Output Formats

The outputFormat field in the execute response determines how the output is rendered:

Value      Description
plaintext  Plain text (default)
json       JSON data
markdown   Markdown formatted text
html       HTML content
base64     Base64 encoded binary data