Prerequisites
Before integrating with the LiveKit Platform Service, complete the steps below. These are one-time setup tasks that enable your application to authenticate and communicate with the platform.
Table of Contents
- Overview
- Step 1 — Register Your Application in BEAT
- Step 2 — Create an Entra ID App Registration
- Step 3 — Request Ocelot Access
- Checklist
- Next Steps
Overview
Regardless of whether you are building an AI agent or a client application, you need three things:
| Requirement | What it is | Where to get it |
|---|---|---|
| BEAT registration | Bayer's enterprise application registry entry for your application | BEAT Portal |
| Entra ID App Registration | A Microsoft Entra ID application identity (client ID + secret) | IT4U App Registration Request |
| Ocelot route access | Reverse proxy configuration that allows your app to reach LKPS | Ocelot UI |
Step 1 — Register Your Application in BEAT
BEAT is Bayer's enterprise application registry. All applications that integrate with Entra ID or Ocelot must have a valid BEAT entry.
- Navigate to the BEAT Portal.
- Register your application if it does not already exist.
- Note the BEAT ID (format: BEAT12345678) — you will need it for the Entra ID app registration and Ocelot route setup.
Tip
If your application already has a BEAT entry, you can skip this step. Verify by searching for your application name in BEAT.
Step 2 — Create an Entra ID App Registration
An Entra ID app registration gives your application an identity within Bayer's Microsoft Entra tenant. This is required for authentication with both Ocelot and LKPS.
For detailed background on Entra app registrations at Bayer, see the Cloud IAM — App Registrations documentation.
Note
Future direction — Microsoft Agent ID: Bayer has made an architectural decision to adopt Microsoft Agent ID as the identity model for AI agents. We intend to align with Agent ID as soon as it becomes available within the Bayer Entra tenant. Until then, standard Entra ID app registrations are used for agent identities.
Request a New App Registration
- Navigate to the IT4U Entra ID App Registration request page in ServiceNow.
- Fill in the required fields:
  - BEAT ID — the BEAT entry for your application
  - Application name — use a descriptive name that includes the environment, e.g., MY-LIVEKIT-AGENT-NP (non-prod) or MY-LIVEKIT-AGENT (prod)
  - Additional owners — add team members who need to manage the app registration
- Submit the request.
- Once provisioned, you will receive a Client ID (Application ID) — a GUID that uniquely identifies your app.
Important
Create separate app registrations for non-production and production environments. This follows Bayer's Entra ID best practices and avoids cross-environment credential leakage.
Configure Client Credentials
After provisioning, configure credentials for your app registration:
- Go to the Azure Portal → Microsoft Entra ID → Manage → App Registrations → select your app. Alternatively, navigate directly to the Entra portal → App registrations → select your app.
- Navigate to Certificates & secrets → Client secrets → New client secret.
- Add a description (e.g., lkps-integration) and select an expiration period.
- Copy the secret value immediately — it will not be shown again.
You now have two values required for authentication:
| Value | Where to find it |
|---|---|
| Client ID (Application ID) | App Registration → Overview → Application (client) ID |
| Client Secret | App Registration → Certificates & secrets → (the value you just created) |
Security
Store the client secret securely. Use a secret manager (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) — never commit secrets to source code.
Step 3 — Request Ocelot Access
Ocelot is the reverse proxy that sits in front of LKPS. Your application must be authorized in Ocelot before it can reach the LKPS API endpoints. This involves two steps:
3.1 — Join the Ocelot Users Group
You must be a member of the Ocelot Users group to view and interact with Ocelot routes. Verify your membership or request access at:
- Non-prod: devtools-np.bayer.com/profile/applications/OCELOT
- Prod: devtools.bayer.com/profile/applications/OCELOT
Click "Request access for..." and wait for approval. Once approved, you can access the Ocelot UI at devtools-np.bayer.com/ocelot (non-prod) or devtools.bayer.com/ocelot (prod).
Tip
Already a member of the Ocelot Users group? Skip to Step 3.2.
3.2 — Add Your App to the LKPS Route's Client Access List
Once you have group membership, you need to add your application's Entra client ID to the LKPS Ocelot route's Client Access List so that Ocelot allows your requests through.
Info
Complete the Ocelot Access Setup Guide to add your client ID to the route. The guide includes step-by-step instructions with screenshots.
Checklist
Before proceeding to the next step, verify you have:
- A valid BEAT entry for your application
- An Entra ID App Registration with:
  - Client ID (Application ID)
  - Client Secret (stored securely)
  - Separate registrations for non-prod and prod
- Membership in the Ocelot Users group via the DevTools Ocelot application page
- Ocelot route access — your client ID is added to the LKPS route's Client Access List (self-service via Ocelot UI)
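The checks on this list that can be automated, as an added example (not part of the LKPS documentation or any Bayer tooling): a Python preflight that validates the BEAT ID and client ID formats, confirms each environment has its own app registration and secret, and reads secrets only from the environment. The environment variable names, the config layout, and the reading of the BEAT ID format as "BEAT" plus eight digits are assumptions.

```python
import os
import re
import uuid

# Assumption: the page's example "BEAT12345678" means "BEAT" plus 8 digits.
BEAT_ID_RE = re.compile(r"BEAT[0-9]{8}")

# Constructed sample values; the environment variable names are hypothetical.
SAMPLE = {
    "nonprod": {"beat_id": "BEAT12345678", "secret_env": "LKPS_CLIENT_SECRET_NP",
                "client_id": "11111111-2222-3333-4444-555555555555"},
    "prod": {"beat_id": "BEAT12345678", "secret_env": "LKPS_CLIENT_SECRET",
             "client_id": "11111111-2222-3333-4444-555555555555"},  # reused: flagged
}

def is_guid(value):
    """True for a canonical hyphenated GUID, the form of an Entra client ID."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def preflight(envs, environ=os.environ):
    """Return checklist problems; secrets are read from environ, never printed."""
    problems, clients, secrets = [], {}, {}
    for name, cfg in envs.items():
        if not BEAT_ID_RE.fullmatch(cfg.get("beat_id", "")):
            problems.append(f"{name}: BEAT ID missing or malformed")
        client_id = cfg.get("client_id", "")
        if not is_guid(client_id):
            problems.append(f"{name}: client ID is not a GUID")
        elif client_id.lower() in clients:
            other = clients[client_id.lower()]
            problems.append(f"{name}: same app registration as {other}")
        else:
            clients[client_id.lower()] = name
        secret_env = cfg.get("secret_env", "")
        secret = environ.get(secret_env, "")
        if not secret:
            problems.append(f"{name}: no client secret in ${secret_env}")
        elif secret in secrets:
            problems.append(f"{name}: same client secret as {secrets[secret]}")
        else:
            secrets[secret] = name
    return problems

if __name__ == "__main__":
    for problem in preflight(SAMPLE):
        print(problem)
```

An empty list from `preflight` means the automatable items pass; BEAT registration validity, Ocelot group membership and the route's Client Access List still have to be confirmed in their respective portals.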
Next Steps
| Your role | Next guide |
|---|---|
| Agent developer | Agent Developer Guide |
| Client app developer | Client Developer Guide |
| Need help with Ocelot setup | Ocelot Access Setup |