Get Started

Your first pilot: one masked database for CI

You do not need a full platform rollout on day one. The fastest way to see Ark's value is a single source database, one approved config, and one ephemeral sandbox your tests can hit today.

Start the walkthrough Read platform overview

Recommended path

Why start with a CI test database?

This pilot exercises the full chain — subsetting, classification-backed masking, agent execution in your VPC, and a ready DSN — without asking every team to change how they work on day one.

  • Prove that masked data can be provisioned without copying raw production to the cloud
  • Show engineering a ready DSN they can plug into CI or a local test runner
  • Validate subset size, masking policy, and agent execution inside your VPC
  • Establish a repeatable pattern before rolling out to staging or broader teams

Before you begin

What must be in place first

Most pilots stall because the agent or source profile is not ready. Confirm these items with your admin and security contact before running CLI commands.

Requirement Who owns it What to verify
Tenant and users Ark / tenant admin Your organization has a tenant. At least one admin can log into the console and invite engineers.
Agent in your VPC Platform / DevOps ark-agent is running with a valid token, heartbeating in the console, and outbound access to the control plane.
Source connection Platform / DBA Register a source database with read-only credentials, or connect to a production replica instead of the primary. The agent only needs SELECT access — connectivity is tested through the agent, not from SaaS.
Source profile + config Security + platform A source profile exists with classification reviewed and masking approved. A config binds it to row limits and target settings.
ark-cli or API key Engineering / CI For automation, create a tenant API key (recommended for CI) or log in with a JWT from the console login flow.

Walkthrough

Console first, then CLI

Governance happens in the console. Repeatable provisioning happens in ark-cli or your CI pipeline.

Console

Confirm the foundation

  1. Log into the Ark console and open your tenant
  2. Verify the agent shows as connected under Agents
  3. Open Connections and confirm the source database is healthy
  4. Open the source profile — classification should be reviewed and masking rules approved
  5. Open Configs and note the config ID you will use for the pilot
CLI

Provision your first sandbox

  1. Install ark-cli on your laptop or CI runner
  2. Authenticate with your control plane URL and API key (or JWT)
  3. Run configs list and copy the config ID for your pilot
  4. Create a test environment with --wait until status is ready
  5. Copy the DSN from the output and run a smoke query or test suite against it
Wrap up

Prove value and clean up

  1. Confirm row counts and referential integrity match expectations
  2. Spot-check masked fields — emails, names, IDs should not be raw production values
  3. Share the DSN pattern with one engineering team for a real test run
  4. Destroy the test environment when finished, or set a short TTL
  5. Document the config ID and API key flow for your CI pipeline template

Hands-on

Copy-paste CLI sequence

Replace URLs, tenant ID, API key, and config UUID with your values. For CI, prefer API keys over JWT — they avoid refresh and login steps.

1 — Authenticate (CI: use API key)

ark-cli login \
  --api-url "https://control.your-ark-instance" \
  --api-key "$ARK_API_KEY" \
  --tenant-id "$ARK_TENANT_ID"

2 — Find your config

ark-cli configs list

3 — Create masked sandbox and wait

ark-cli testenvs create \
  --config "550e8400-e29b-41d4-a716-446655440000" \
  --ttl "2h" \
  --wait

4 — Tear down when done

ark-cli testenvs destroy "<testenv-id>"

Tip: Pass --token directly on a single command instead of login when running from ephemeral CI runners that should not write credential files.

Done right

How you know the pilot succeeded

Agent connected

Console → Agents shows a recent heartbeat

Job completed

Test environment status moves to ready without errors

DSN works

Your test runner connects and queries return masked, subset data

Data boundary held

No raw production dump appeared outside your VPC object storage

Pilot complete?

Read the full platform guide for data boundaries, governance workflows, and SDK options. Or explore how jobs flow between SaaS and your VPC.

Open documentation See architecture flow
entr