Get started¶

This tutorial introduces the core steps involved in building, reviewing, launching, and triggering an agentic workflow. Rather than walking through a specific use case, the goal is to help you understand how to build, review, launch, and trigger agentic workflows in OPAQUE.

By the end of this guide, you’ll know how to:

• Build a workflow in an agentic AI workspace.
• Move a workflow through review and launch.
• Invoke a launched workflow programmatically using the OPAQUE Python SDK.

Before you begin¶

To build and operate a workflow, you’ll need:

• Access to an agentic AI workspace.
• A local environment with Python 3.10+ and the OPAQUE Python SDK installed, which you’ll use later to trigger a launched workflow. (See Local setup for details.)
• The app subdomain of your OPAQUE deployment to invoke workflows via the SDK. This is the domain configured during deployment (for example, through Azure Marketplace). If you’re not sure where to find it, ask your workspace admin.

Workflow lifecycle¶

Every agentic workflow moves through three stages: draft → review → launch. Understanding these stages helps you understand when you can make changes, when approvals are required, and when a workflow becomes callable.

In the draft stage, you define your workflow’s structure and logic. You add and connect nodes, configure their behavior, and test changes as you go. Workflows remain fully editable while they are in draft.

Once your workflow is ready, you submit it for approval in multiparty workspaces. Reviewers verify that the workflow’s configuration aligns with workspace policies and governance requirements. If changes are required, they can reject it; the workflow creator then returns it to draft, revises it, and resubmits it for approval.

After approval, you launch the workflow to activate it as a persistent, callable service. At this point, the workflow’s structure and definition are locked. You can stop or restart it, but you can’t modify its definition without returning it to draft.

Step 1. Build your first workflow¶

Start by navigating to the workspace where your workflow will live.

1. Go to Workspaces, open an agentic AI workspace from the list, and select the Workflows tab. This tab lists all workflows created in the selected workspace. If none exist, the page will be blank.

   

2. Click Create workflow.

3. Enter a name (max. 50 characters) and optional description (max. 150 characters), then click Create workflow again.

When the workflow builder opens, you’ll see a new canvas with Start and End nodes. The Start node defines where inputs enter the workflow (typically via API), and the End node collects the response returned to the caller.

On the left, you’ll see the Nodes panel. This is where you select the capabilities your workflow will use. Each node represents a single step in execution, such as calling a model, retrieving data, or applying a utility. Nodes are grouped by category and include the following nodes:

• LLMs
  • Anthropic Service: Call Claude models hosted by Anthropic for text generation and reasoning tasks.
  • OpenAI Service: Call GPT-4 or GPT-3.5 via OpenAI.
  • vLLM Service: Run private or self-hosted models using vLLM for high-throughput inference.
• Data connectors
  • Azure AI Retriever: Retrieve relevant documents from content indexed in Azure AI Search.
  • PostgreSQL Connector: Query structured data from a PostgreSQL database using SQL.
• Agents
  • Agent: Execute a goal-directed reasoning step that can coordinate model calls and tools dynamically.
• Utilities
  • MCP API Tool: Call external tools or services that implement the Model Context Protocol (MCP).
  • OPAQUE Redact: Remove or mask personally identifiable or sensitive data before data is passed to external services or models.
  • OPAQUE Unredact: Restore redacted values when data returns to a trusted environment.

These categories reflect what role a node plays in execution, not how complex it is. Most workflows combine nodes across categories.

Add steps to your workflow¶

To add steps to your workflow, drag nodes from the Nodes panel onto the canvas. For example, to create a simple retrieval-augmented structure, expand the Data connectors and LLMs categories, then:

1. Click or drag a retriever node (e.g., Azure AI Retriever) onto the canvas.
2. Click or drag a model node (e.g., OpenAI Service, Anthropic Service, or vLLM Service) onto the canvas.

This creates a simple two-step flow: retrieve relevant context first, then pass it to a language model to generate a response.

At this point, the nodes are not yet connected or configured.

Configure nodes¶

Click a node to reveal its toolbar. The toolbar includes three options:

• Settings ()
• Guardrails ()
• Delete ()

Use Settings to define how the node behaves when the workflow runs. Use Guardrails to apply node-level policy or safety constraints. After making changes in either panel, click Save changes to apply them.

If you added a node by mistake, use Delete to remove it from the canvas.

Connect nodes¶

To define execution order, connect nodes from Start to End. For this example:

1. Drag a connection from the output port of the Start node to the input port of the retriever node.
2. Drag a connection from the output port of the retriever node to the prompt port of the model node.
3. Drag a connection from the output port of the model node to the End node.

These connections define the execution path: input enters through Start, flows through retrieval and model processing, and is returned through End.

Step 2. Prepare for review¶

In multiparty workspaces, workflows must be reviewed and approved according to the approval policy defined in the workspace settings before they can be launched. If you're working in a single-party workspace, your workflow will be automatically approved when you request approval.

Step 3. Launch your workflow¶

When your workflow is ready, click Launch workflow to bring it online. At this point, the status pill indicator next to the workflow name changes from Ready to launch to Starting to Running.

Launching a workflow activates it as a persistent, callable service endpoint. At this point, the workflow’s definition is locked. You can stop or restart it, but you can’t modify its structure without returning it to draft.

Use the built-in input form¶

Launching a workflow also enables the built-in execution interface, which provides a quick way to trigger and verify the workflow:

1. Switch to the Execution tab.
2. Enter a value (for example, a query for a retriever-based workflow).

3. Click Run workflow to execute it and view the response.

   

Stop or modify a running workflow¶

• To stop the workflow, open the Actions menu and select Stop workflow.
• To make changes, select Actions → Return to draft.

After making changes, you must resubmit the workflow for approval before you can launch it again (see Step 2).

What’s next¶

The built-in execution UI is ideal for testing and validation. To integrate workflows into applications, automate executions, or request attestation reports, you’ll use the OPAQUE SDK.

In the next step, you’ll learn how to trigger a running workflow programmatically.

Step 4. Trigger your workflow via the SDK¶

After a workflow is launched, you can invoke it programmatically using the OPAQUE Python SDK to run it with real inputs.

Triggering a workflow sends an input request to the running service and returns a structured response for that execution. This is how you connect a launched workflow to real systems and applications, for example:

• A web app that submits user queries
• An internal service that triggers workflows on a schedule
• A notebook that submits structured inputs to a deployed agentic workflow

Collect the required values¶

Before triggering a workflow via the SDK, gather the following information:

• Your API key: Click API key in the left-hand navigation.
• Your workflow service UUID and domain: Click the icon above your canvas to open the Trigger the SDK drawer.
• The REST URL of your OPAQUE deployment: This is the API domain used when deploying OPAQUE via Azure Marketplace. Ask your workspace admin or deployment contact if you don’t have it.

Trigger the SDK¶

Submit a request using the SDK via a Python script.

The following script:

• Sets the necessary environment variables
• Initializes a connection to your workflow
• Submits a request (in this case, a simple prompt)

Each part is annotated for clarity.

# Import the standard libraries used
import os
import uuid
from opaque.workflow import WorkflowService

# Set the environment variables used by the SDK
os.environ["OPAQUE_DATAPLANE_DOMAIN"]="<your_workflow_service_domain>"
os.environ["OPAQUE_REST_URL"]="app.<app_subdomain>"
os.environ["OPAQUE_API_KEY"] = "<your_api_key_here>"

# Define the UUID of the workflow you want to call
WORKFLOW_SERVICE_UUID = "<your_UUID>"

# Create a workflow client using that UUID
workflow_service = WorkflowService(workflow_uuid=uuid.UUID(WORKFLOW_SERVICE_UUID))

# Define the input payload — this must match the expected input schema 
# for the nodes connected to the start node in your workflow.
rag_request = {"prompt": "Is the claim eligible for reimbursement?"}

# Submit the request and capture the response
workflow_response = workflow_service.submit(rag_request)

# Print the result to the terminal
print(workflow_response)

When you submit a request, OPAQUE runs your input through the full workflow—from Start to End—and returns a structured response based on the final connected node(s). In most cases, that means getting a model-generated output or decision.

For example, if the last node before the End node is a language model, your response might look like:

'output': "Yes, the claim is eligible for reimbursement because..."}

This response is returned as a dictionary and printed to your terminal when using the example script.

You can reuse this same pattern to trigger any approved workflow you've built. Just update the UUID and adjust your input payload to match the schema expected by the Start node and its connected nodes.

(Optional) Request attestation for a workflow run¶

Attestation reports are optional and requested per execution. A workflow always runs in a trusted, hardware-isolated environment. A verifiable attestation report, however, is only produced if you explicitly request it when triggering the workflow.

When requested, the workflow generates a signed attestation report—a cryptographic record confirming that the workflow executed in an untampered environment. OPAQUE automatically validates this report before returning the workflow’s response.

To request attestation for a workflow run, modify your .submit() call as follows:

workflow_response = workflow_service.submit(
    rag_request,

    # Ask the SDK to request an attestation report from the workflow
    # (Disabled by default to avoid additional latency.)
    request_report=True,

    # Save attestation reports in the given directory (optional)
    report_path="/home/your_user/workflow_reports",

    # Save appraisal logs that explain how the report was verified (optional)
    appraisal_path="/home/your_user/workflow_reports",
)

When request_report=True, the workflow produces a signed attestation record for that execution and OPAQUE validates it before returning the response.

Be sure to save reports and logs in a shared, agreed-upon location where those responsible for verification—such as developers, auditors, or compliance teams—can easily access them.