Frequently Asked Questions

How do I get started with Elemm?

Getting started with Elemm takes less than 5 minutes. First, install the core gateway library via pip:

pip install elemm

Then, spin up the local command-line interface gateway to start routing:

elemm-gateway

Finally, configure your LLM client (like Claude Desktop) to connect. For detailed, step-by-step setup guides, check out our Installation & Quickstart Docs.

What system prompt do I need to give my LLM?

Theoretically, none. You do not need to write long system prompts instructing the LLM on how to use your tools, how to recover from errors, or how to search the API.

The Elemm Gateway registers tools as structured Landmarks. These landmarks bundle descriptions, allowed options, behavioral guidelines (instructions), and failure remedies directly inside their schemas. When the LLM inspects a landmark, it receives these instructions dynamically. If a tool call fails, the gateway automatically appends the target remedy to the error payload, allowing the LLM to self-correct on the fly without system prompt bloat.

Can I run my Elemm Gateway in the cloud?

Yes, absolutely. Unlike classic MCP, which is primarily restricted to local STDIO execution on your local machine, Elemm is built from the ground up to be cloud-native.

While you can run Elemm locally for desktop integration, you can also package your landmark server (e.g., using Docker) and deploy it to any cloud provider (AWS, GCP, Fly.io, etc.) as a standard Python web application. By binding the FastAPIGateway to FastAPI, your agents can connect to your secure cloud endpoints dynamically over HTTPS or Server-Sent Events (SSE).

How do I secure an Elemm Gateway hosted in the cloud?

Securing your cloud-deployed gateway involves standard web application security practices:

1. Enforce HTTPS: Always terminate TLS (HTTPS) at your load balancer, CDN (like Cloudflare), or reverse proxy (Nginx, Traefik) to encrypt all communication between the agent and the server.

2. Reverse Proxy & Rate Limiting: Deploy Nginx, Traefik, or Caddy in front of the gateway to manage routing, rate-limiting, and to prevent DDoS attempts.

3. Authentication Headers: Secure the FastAPI endpoints using standard authentication layers (e.g., Bearer Tokens, API Keys, or OAuth2). Only authorized agents carrying the correct headers can query the manifest or execute landmarks.

4. VPC & IP Whitelisting: Restrict access to known agent IPs or run the gateway inside a private virtual cloud (VPC) connected directly to your LLM application environment.

If I host the elemm-gateway CLI on a VPS, how do I secure it from unauthorized access?

By default, running elemm-gateway --transport sse starts a web server listening on all interfaces (0.0.0.0) without built-in authentication. To prevent unauthorized execution of your tools, you should secure your VPS deployment using one of these standard methods:

1. Nginx/Caddy Reverse Proxy with Auth: Bind the gateway only to localhost (elemm-gateway --transport sse --host 127.0.0.1 --port 8000). Place Nginx or Caddy in front of it to handle HTTPS. Configure the proxy to verify an API key or Bearer Token (e.g. via Nginx's auth_request or simple header validation) before forwarding traffic. When configuring your LLM client, pass the credentials in the connection headers.

2. Private VPN (Tailscale/WireGuard): Bind the gateway to your private VPN interface IP (e.g. elemm-gateway --transport sse --host 100.x.y.z). This ensures the gateway is invisible to the public internet, and only devices on your secure private network (like your laptop running Claude Desktop) can connect.

3. Cloudflare Tunnel (cloudflared): Run the gateway locally, and use a Cloudflare Tunnel to expose the /sse endpoint without opening firewall ports. You can then apply Cloudflare Access policies (such as Service Tokens) to control access.

How does Elemm save up to 90% of token costs?

Traditional AI tool call integrations dump raw, unfiltered JSON payloads directly into the LLM's context window. For large APIs, this consumes massive amounts of tokens and increases processing latency.

Elemm introduces Response Hygiene via the ResponseSquisher engine. It intercepts payloads and allows the agent to filter, slice, or query the data dynamically using query parameters (like _select, _filter, and _limit). The agent receives only the relevant tokens it requested, lowering latency and slashing API operational costs.

Is my API data secure when using Elemm?

Yes, absolutely. Elemm enforces a zero-trust security architecture:

1. The Guardian: A policy engine that intercept tool parameters, validates schemas, checks whitelists, and blocks malicious injection patterns (like shell or SQL exploits) before they reach your code.

2. The Vault: Keeps API keys, OAuth tokens, and certificates encrypted server-side. The gateway automatically injects credentials during execution, meaning the AI agent never sees or leaks your raw API keys.

Can I migrate my existing MCP configurations?

Yes! The Elemm Gateway includes a native compatibility layer for classic MCP servers. You can import your current mcp_servers.json or mcp_servers.yaml directly into the gateway configuration.

The gateway mounts your local MCP servers dynamically under the mcp://local namespace, giving your agents instant landmark-based access without requiring any changes to your existing tools.