# Creating a Gateway

## Overview

In order to install and setup a Keeper Gateway device, you need to have a few resources set up:

* Shared Folders to hold the PAM Resources (Machines, Databases, Users, etc)
* Keeper Secrets Manager application
* PAM Configuration

To simplify the process, we have a new Gateway wizard which creates all of the necessary components. Or, you can run each step individually.

## Using the Gateway Wizard

The fastest way to create a Gateway and associated resources is using the Gateway Wizard. From the Web Vault or Desktop App, click on **Create New** > **Gateway.**

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FrperdEulgHMqKZAh4itn%2FScreenshot%202025-04-19%20at%207.46.13%E2%80%AFPM.png?alt=media&#x26;token=fcadc16c-003b-46f2-b6b7-8666d91c27a2" alt=""><figcaption><p>Creating a Gateway</p></figcaption></figure>

The below link describes how to create a sandbox environment in just a few steps:

* [Quick Start: Sandbox](/keeperpam/privileged-access-manager/quick-start-sandbox.md)

***

## Using Keeper Secrets Manager

To set up a Keeper Gateway manually using the Keeper Secrets Manager application resources, follow these steps.

{% stepper %}
{% step %}
**Create a Secrets Manager Application**

* In the Keeper Web Vault or Desktop App user interface, create a Shared Folder. This Shared Folder will contain the PAM resource records.
* Navigate to the "Secret Managers" tab on the left and click on "Create Application" to create a KSM application
* In the prompted window:
  * Enter the name of your KSM application
  * Choose the Shared Folder
  * Set the Record Permissions for Application to "Can Edit"
  * Click on "Generate Access Token" and then click on "OK"
  * You can safely ignore the first One-Time Access Token generated for the newly created KSM application. When creating a Keeper Gateway device, a different One-Time Access Token will be created.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FGfrKhg3EYK2mAtfmsq1x%2FScreenshot%202023-05-01%20at%2011.37.56%20AM.jpg?alt=media&#x26;token=21236241-e0f2-4b54-b7dd-9f3cea8ab53c" alt=""><figcaption><p>Create a KSM Application</p></figcaption></figure>
{% endstep %}

{% step %}
**Generate the Gateway Token**

* From the Application screen, open the **Gateways** tab
* Click on **Provision Gateway**
* Select a name for the Gateway and the operating system
* Follow the on-screen instructions based on the type of install

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FJKAv2CyVdxhUf7m7k7TY%2FScreenshot%202023-09-14%20at%205.46.20%20PM.png?alt=media&#x26;token=b1b3336b-b34d-4faa-aa75-1b5f54170233" alt=""><figcaption><p>Windows Gateway</p></figcaption></figure>
{% endstep %}
{% endstepper %}

***

## Using Commander CLI

You can also create a Gateway and configuration file from the Commander CLI. The below CLI commands will create a Secrets Manager application, shared folders and other resources before creating a Gateway instance.

#### Create an Application

```
secrets-manager app create "My Infrastructure"
```

#### Create Folders

```
mkdir -uf "My Infrastructure"
mkdir -sf -a "My Infrastructure/Resources"
mkdir -sf -a "My Infrastructure/Users"
```

#### Share the KSM app to the Shared Folders

```
secrets-manager share add --app "My Infrastructure" --secret <Resources folder UID>
secrets-manager share add --app "My Infrastructure" --secret <Users folder UID>
```

#### Create a Gateway

To initialize a Gateway for [Linux](/keeperpam/privileged-access-manager/getting-started/gateways/linux-installation.md) or [Windows](/keeperpam/privileged-access-manager/getting-started/gateways/windows-installation.md) native install methods, the one-time token method is used:

```
pam gateway new -n "My Demo Gateway" -a "My Infrastructure"
```

To initialize a Gateway using [Docker](/keeperpam/privileged-access-manager/getting-started/gateways/gateway-with-docker.md), the base64 configuration is provided as `GATEWAY_CONFIG` environment variable as described in the [Docker Installation](/keeperpam/privileged-access-manager/getting-started/gateways/gateway-with-docker.md) instructions.

```
pam gateway new -n "My Demo Gateway" -a "My Infrastructure" -c b64
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/gateways/one-time-access-token.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.