Get started
Agentic workflows help you build secure, end-to-end AI pipelines using modular agents, visual components, and structured inputs. This tutorial walks you through building your first agentic workflow—from design and configuration to secure launch—and shows how to trigger it using the OPAQUE Python SDK.
Before you begin
You’ll need access to an agentic AI workspace and a local environment with Python 3.10+ and the OPAQUE Python SDK installed. If you haven’t set that up yet, start with the local setup guide.
You’ll also need the app subdomain of your OPAQUE deployment to trigger the SDK. This is the domain configured during deployment through Azure Marketplace. If you’re not sure where to find it, ask your workspace admin.
Workflow lifecycle
Every agentic workflow moves through three stages: draft → review → launch. Understanding these stages helps you plan when to test, request approvals, and deploy your workflow.
In the draft stage, you define your workflow’s structure and logic by connecting agents that retrieve data, run models, or transform results. Adjust model parameters, temperature, or prompts, and test until you’re satisfied. Workflows remain editable until submitted for review.
Once your workflow is fully defined, you submit it for approval. Reviewers verify connections, configurations, and guardrails to ensure compliance with workspace policies. If changes are needed, they can reject it; the workflow creator then returns it to draft, revises it, and resubmits it for approval. Once all required reviewers approve, the workflow can be launched.
After approval, launch the workflow to activate it as a persistent, callable service. It remains live until you pause or stop it, and can handle multiple requests through the SDK or API. Every execution runs inside an attested enclave, ensuring data privacy and policy enforcement.
Step 1. Build your first workflow
Start by navigating to the workspace where your workflow will live.
- Go to Workspaces, open an agentic AI workspace from the list, and select the Workflows tab. This tab lists all workflows created in the selected workspace. If none exist yet, the page will be blank.
Go to Workspaces > Workflows to create agentic workflows.
- Click Create workflow.
- Enter a name (max 50 characters) and optional description (max 150), then click Create workflow again.
When the workflow builder opens, you’ll see a new canvas with Start and End nodes. The Start node defines where inputs enter the workflow (typically via API), and the End node collects the response that gets returned to the caller.
A new workflow canvas with start and end nodes.
On the left, you’ll see the Components panel—this is where you’ll find the agents used to build your workflow. Expand the Agents section to get started.
- Add agents to the canvas.
Drag agents onto the canvas to define the steps of your workflow. Your options include:
- Azure AI Retriever: Search enterprise content using Azure Search.
- OpenAI Service: Call GPT-4 or GPT-3.5 via OpenAI.
- vLLM Service: Run private models with high-throughput inference via vLLM.
- OPAQUE Redact: Removes or masks personally identifiable or sensitive data before it’s passed to external services or models.
- OPAQUE Unredact: Restores redacted values for authorized recipients when data returns to a trusted environment.
(More agents will be added soon.)
Tip
Combine a Retriever (like Azure AI) and a Model (like OpenAI or vLLM) for a basic RAG workflow.
- Configure agents and guardrails.
Click an agent to reveal its toolbar. Click the icon to configure the agent’s behavior—such as which model it uses, how it responds, and what task it performs. Use the icon to add guardrails that enforce safety, context, or compliance rules.
These settings ensure each step in your workflow performs the right task, with the right constraints, every time it runs.
Note
For a deeper look at each agent type and configuration options, see Working with agents.
Use the toolbar to configure agents.
- After entering the required fields, click Save changes.
- Connect your workflow nodes.
Now it’s time to connect your workflow’s logic: which agent should run first? What comes next?
To define the flow of data through your workflow:
- Click the output port (small circle on the right) of the Start node and drag a line to the input port (circle on the left) of the first agent.
- Repeat this process to connect each agent node in the desired sequence.
- Finally, connect the last agent’s output port to the input port of the End node.
This flow defines the execution order—data moves through each connected step when the workflow runs.
Connect your workflow nodes.
Step 2. Prepare for review
The steps in this section apply to members in a multiparty workspace. If you're in a single-party workspace, you can skip this section.
In multiparty workspaces, workflows must be reviewed and approved according to the approval policy defined in the workspace settings before they can be launched.
Submit your workflow for review
Click Request approval in the top right corner of the canvas. This submits the workflow for review.
Note
If you don’t see this option, check that all required nodes are configured and connected.
- The status of your workflow changes from Draft to Under Review. You’ll see this reflected next to the workflow name, in a status pill at the top of the page. It also appears on the Workflows list view under the name and description.
- Workspace members can begin reviewing and approving the workflow.
- Use the Review Status link to track who has approved or rejected.
Known limitation
When you mark a workflow as ready for review, others can see its status—but they won’t be notified automatically. You may want to let reviewers know directly.
Revise and resubmit (if rejected)
If a reviewer rejects the workflow:
- Click the Review Status icon, locate the Declined row, and read the reviewer’s comment.
- Select Return to draft from the Actions button menu.
- Make your changes, then click Request approval again.
Review a workflow
To review an agentic workflow:
- Go to the Workflows tab in your workspace and click the workflow name to open it.
- Review the full workflow on the canvas. Open each agent’s configuration panel and guardrails to make sure everything looks reasonable.
- When you're ready, click Accept workflow or Reject workflow in the reviewer toolbar.
- In the dialog box, you can optionally add a comment before confirming your selection.
Note
While comments are optional when rejecting a workflow, we recommend adding one. This helps the workflow creator understand why it wasn’t approved and what needs to be fixed.
Step 3. Launch your workflow
Once approved, click Launch workflow to bring it online and start processing requests.
You can stop or restart the workflow using the same button. However, once approved, you won’t be able to modify the workflow.
Step 4. Trigger your workflow via the SDK
After launching, your workflow becomes callable through the OPAQUE Python SDK.
Use the SDK to trigger executions and connect the workflow to other systems or applications—for example:
- A web app that submits user queries
- An internal service that triggers workflows on a schedule
- A notebook that submits structured inputs to a deployed agentic workflow
Collect the required values
You’ll need to collect the following information before you can trigger the SDK:
- Your API key: Click API key in the left-hand nav.
- Your workflow service UUID and domain: Click the icon above your canvas to open the Trigger the SDK drawer.
- The REST URL of your OPAQUE deployment: This is the API domain used when deploying OPAQUE via Azure Marketplace. Ask your workspace admin if you don't have it.
Trigger the SDK
Submit a request using the SDK via a Python script.
The following script:
- Sets the necessary environment variables
- Initializes a connection to your workflow
- Submits a request (in this case, a simple prompt)
Each part is annotated for clarity.
```python
# Import the standard libraries used
import os
import uuid

from opaque.workflow import WorkflowService

# Set the environment variables used by the SDK
os.environ["OPAQUE_DATAPLANE_DOMAIN"] = "<your_workflow_service_domain>"
os.environ["OPAQUE_REST_URL"] = "app.<app_subdomain>"
os.environ["OPAQUE_API_KEY"] = "<your_api_key_here>"

# Define the UUID of the workflow you want to call
WORKFLOW_SERVICE_UUID = "<your_UUID>"

# Create a workflow client using that UUID
workflow_service = WorkflowService(workflow_uuid=uuid.UUID(WORKFLOW_SERVICE_UUID))

# Define the input payload — this must match the expected input schema
# for the nodes connected to the start node in your workflow.
rag_request = {"prompt": "Is the claim eligible for reimbursement?"}

# Submit the request and capture the response
workflow_response = workflow_service.submit(rag_request)

# Print the result to the terminal
print(workflow_response)
```
When you submit a request, OPAQUE runs your input through the full agentic workflow—from Start to End—and returns a structured response based on the final connected node(s). In most cases, that means getting a model-generated output or decision.
For example, if the last node before the end node is a language model, your response might look like:
This response is returned as a dictionary and printed to your terminal when using the example script.
You can reuse this same pattern to trigger any approved workflow you've built. Just update the UUID and adjust your input payload to match the schema expected by the Start node and its connected agents.
That’s it—you’ve built and deployed your first agentic workflow. You can now invoke it as a secure, callable service from any AI-driven system or automation.
(Optional) Request proof of attestation
When you trigger a workflow, you can also request a proof of attestation—a signed record that confirms the workflow ran inside a trusted, tamper-resistant computing environment. This proof, known as an attestation report, is automatically validated by OPAQUE to verify that your workflow executed on genuine confidential hardware and wasn’t modified during runtime.
Note
In OPAQUE 2.5, attestation report verification works only when this code runs on a machine that meets both network requirements:
- Private endpoint access: The machine running this code must have network access to the oas endpoint deployed by OPAQUE’s Azure Managed App, either within the same VNet as the deployment VNet or in a peered VNet.
- Private DNS zone link: The machine’s VNet must be linked to the private DNS zone controlplane.opaque-int.com, deployed by OPAQUE AMA.
If you’re unsure whether your environment meets these requirements, reach out to your OPAQUE contact.
To do this, modify your .submit() call as follows:
```python
workflow_response = workflow_service.submit(
    rag_request,
    # Ask the SDK to request an attestation report from the workflow
    # (Disabled by default to avoid additional latency.)
    request_report=True,
    # Save attestation reports in the given directory (optional)
    report_path="/home/your_user/workflow_reports",
    # Save appraisal logs that explain how the report was verified (optional)
    appraisal_path="/home/your_user/workflow_reports",
)
```
Note
Save reports and logs in a shared, agreed-upon location where those responsible for verification—such as developers, auditors, or compliance teams—can easily access them.
When you request an attestation report, the workflow produces a signed record verifying the integrity of its execution inside a trusted hardware environment.
OPAQUE automatically validates this report before returning the response.
Info
For details on verifying and interpreting attestation reports, see Working with attestation reports.
Attestation reminder
Your workflow always runs in a trusted environment, but a verifiable attestation report is only produced if you request it when triggering the workflow. Without it, you have no proof of attestation for that run.
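The reminder above can be enforced in calling code. The following is an added example, not part of the OPAQUE documentation or SDK: it reads the three settings from the environment instead of hardcoding the API key in the script, rejects leftover `<placeholder>` values, always passes the attestation arguments shown above, and fails the run if nothing new was saved to the report directory. The helper names `check_settings` and `submit_with_report` are hypothetical, `service` is the `WorkflowService` object created in the tutorial script, and it is an assumption that the SDK has written its files by the time `submit()` returns.

```python
import os
import uuid
from pathlib import Path

# Environment variable names taken from the tutorial script.
REQUIRED_ENV = ("OPAQUE_DATAPLANE_DOMAIN", "OPAQUE_REST_URL", "OPAQUE_API_KEY")


def check_settings(workflow_uuid, env=None):
    """Return a list of problems with the SDK settings; empty means usable."""
    env = os.environ if env is None else env
    problems = []
    for name in REQUIRED_ENV:
        value = env.get(name, "")
        # Unset values and leftover <placeholder> strings both count as missing.
        if not value or "<" in value:
            problems.append(f"{name} is unset or still a placeholder")
    try:
        uuid.UUID(workflow_uuid)
    except (ValueError, AttributeError, TypeError):
        problems.append("workflow UUID does not parse")
    return problems


def submit_with_report(service, payload, workflow_uuid, report_dir, env=None):
    """Submit via service.submit() and require a saved report for this run."""
    problems = check_settings(workflow_uuid, env)
    if problems:
        raise ValueError("; ".join(problems))
    reports = Path(report_dir)
    reports.mkdir(parents=True, exist_ok=True)
    before = {p.name for p in reports.iterdir()}
    response = service.submit(
        payload,
        request_report=True,
        report_path=str(reports),
        appraisal_path=str(reports),
    )
    # Assumption: the SDK has written its files by the time submit() returns.
    written = sorted({p.name for p in reports.iterdir()} - before)
    if not written:
        raise RuntimeError("no attestation report was saved for this run")
    return response, written
```

Set the three environment variables in the shell or a secrets manager before running, and log the returned file names next to the response so each answer can be traced to its report.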



