checkrd
v0.3 · public preview on PyPI + npm

The control plane every AI agent needs before production.

Set policy on what agents can do. Halt them in a second if something breaks. Prove later what they did, without ever storing a prompt.


Drop-in for OpenAI · Anthropic · Cohere · Groq · Together · Google GenAI
Apache-2.0 OSS · RFC 9421

What you’ll see in your dashboard (example feed)

02:14:09  openai.chat   ALLOW
02:14:11  openai.embed  ALLOW
02:14:13  anthropic     RATE-LIMIT
02:14:14  stripe        DENY
02:14:14  policy        WARN
02:14:18  kill-switch   HALT

2,147,388 actions evaluated this week · 471 halted

product

What Checkrd does.

Four pieces. All four are on the free tier.

Rate limits

Set limits by model, endpoint, or request body field. An agent stuck in a retry loop hits a counter, not your billing page.

Policy enforcement

Write rules in YAML to allow, deny, or throttle requests by URL, header, or body. Every rule is evaluated in your application before the request reaches the network.

Audit log

Every telemetry batch is Ed25519-signed. Every mutation to the control plane is logged. Filter by actor, action, resource, or time.

Dashboard

Every host, method, status code, and latency for every agent. Prompts and completions are never stored. The schema doesn't have fields for them.

enforce

Set policy. Halt agents.

Every outbound API request runs through Checkrd before it reaches the network. Allow it, throttle it, or stop it. If something goes wrong in production, one toggle stops every agent across your fleet.

  • Rules are written in YAML and match URLs, headers, and request bodies.
  • Dry-run mode runs your policy without enforcing, so you can review what would have changed.
  • Kill switch propagates in under a second on the hosted control plane. Air-gap deployments react within one poll interval.

Stop every agent. Now.

Sub-second across the fleet on the hosted control plane. In air-gap mode, the SDK polls a sentinel file every 5 seconds (configurable).
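
A sketch of the air-gap kill switch described above, as an added example that is not Checkrd's SDK code. It assumes the halt signal is the sentinel file's presence; the class name, the injected clock and the fail-closed handling of read errors are choices made for this illustration.

```javascript
const fs = require('node:fs');

// Hypothetical gate: every outbound call goes through call() or checks allow().
class SentinelKillSwitch {
  constructor(sentinelPath, { pollMs = 5000, now = Date.now } = {}) {
    this.path = sentinelPath;
    this.pollMs = pollMs;      // 5 seconds, the default interval the page states
    this.now = now;            // injectable clock so the timing can be tested
    this.halted = false;
    this.lastPoll = -Infinity; // forces a poll on first use
  }

  // Re-read the sentinel at most once per poll interval.
  poll() {
    if (this.now() - this.lastPoll < this.pollMs) return;
    this.lastPoll = this.now();
    try {
      fs.statSync(this.path);
      this.halted = true; // sentinel present: halt (assumed semantics)
    } catch (err) {
      // Only "file absent" clears the halt. Any other error (EACCES, EIO)
      // fails closed, because a requested halt cannot be ruled out.
      this.halted = err.code !== 'ENOENT';
    }
  }

  allow() {
    this.poll();
    return !this.halted;
  }

  // Wrap an outbound request: refuse before it reaches the network.
  call(send) {
    if (!this.allow()) throw new Error('halted by kill switch');
    return send();
  }
}
```

A halt written just after a poll is not seen until the next one, so the worst-case reaction time equals `pollMs`; shortening the interval trades filesystem reads for faster halts.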

Your application (agent code · openai · anthropic · httpx)
  → Checkrd engine, in your process (policy · rate limit · kill switch · sign)
  → External API (OpenAI · Anthropic · Stripe · anywhere)

signed metadata only → control plane (host · method · status · latency · signature)

isolate

We never see your prompts.

Prompts, completions, and request bodies stay on your machine. The telemetry schema has no fields for them, and a compile-time test in CI fails any pull request that tries to add one.

  • Telemetry events carry host, method, status code, and latency.
  • PII allowlist tested at compile time. Schema additions fail CI.
  • Self-host the control plane in your VPC, or run air-gapped with no network calls.

audit

Provable, not just logged.

Every decision ships with a cryptographic signature. Prove later what your agents did, and what they didn’t. Org-wide rules apply top-down; a single team can’t loosen them by accident.

  • Telemetry batches Ed25519-signed (RFC 9421); audit-log API for control-plane mutations
  • Filter the audit log by actor, action, resource, or time window
  • Org-level deny rules unremovable by individual teams (IAM SCP model)

Audit query: one line, every agent

GET /v1/dashboard/events
  ?agent_id=checkout-agent
  &from=2026-03-14T02:14Z
  &to=2026-03-14T02:17Z

→ 47 events, all matched a policy rule
→ 0 prompt bodies, 0 completion bodies (PII is structurally
   absent from the schema, not redacted)

The auditor’s question, answered in seconds. Against an event schema where prompt and completion bodies literally cannot be stored.

comparison

How Checkrd compares.

Observability tools record what happened. Gateways route between providers. Checkrd enforces and audits.

Products compared: Helicone / Langfuse · LiteLLM proxy · Microsoft AGT · Checkrd

Criteria: Enforce · Kill switch · Signed audit · Structural PII · Self-host · OSS


use cases

Built for high-stakes teams.

When agents touch money, health records, and customer data, the cost of getting it wrong jumps.

Fintech

PCI-aware policy

Write rules that match card numbers, CVVs, or SSNs in request bodies and headers, and keep them inside your environment.

Healthtech

PHI stays local

Request bodies never reach the Checkrd control plane. Use policy rules to control which upstream APIs your agents are allowed to call.

AI startups

One kill switch

Stop every agent across your fleet from a single toggle. Cap per-agent or per-model spend before a runaway loop becomes a bill.

under the hood

Open source, standards-based.

IETF standards

Signed using HTTP Message Signatures (RFC 9421) and Content-Digest (RFC 9530). Policy bundles use DSSE.

Tested against Wycheproof

The Ed25519 verification path runs against all 150 Project Wycheproof vectors and the RFC 9421 §B.2.6 worked example before each release.

Apache-2.0 source

The WASM core, the SDKs, and the policy schema are on GitHub. Read the code, run the tests, verify the binary hashes.
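
How an Ed25519 signature under RFC 9421 binds a telemetry batch to its RFC 9530 Content-Digest, as an added example using Node's built-in crypto; it is not Checkrd's code. The covered-component list, the key id, the host `control-plane.example`, the path `/telemetry` and the batch contents are all assumptions constructed for the illustration.

```javascript
const crypto = require('node:crypto');

// Components every accepted signature must cover (a choice made for this example).
const COVERED = ['@method', '@authority', '@path', 'content-digest'];
const COVERED_LIST = `(${COVERED.map((c) => `"${c}"`).join(' ')})`;

// RFC 9530: Content-Digest: sha-256=:<base64 of SHA-256(body)>:
function contentDigest(body) {
  return `sha-256=:${crypto.createHash('sha256').update(body).digest('base64')}:`;
}

// RFC 9421 signature base: one `"name": value` line per covered component,
// then the "@signature-params" line, joined by "\n" with no trailing newline.
function signatureBase(msg, params) {
  const value = { '@method': msg.method, '@authority': msg.authority,
    '@path': msg.path, 'content-digest': msg.headers['content-digest'] };
  const lines = COVERED.map((c) => `"${c}": ${value[c]}`);
  lines.push(`"@signature-params": ${params}`);
  return Buffer.from(lines.join('\n'));
}

function signBatch(msg, body, privateKey, keyid, created) {
  const headers = { ...msg.headers, 'content-digest': contentDigest(body) };
  const params = `${COVERED_LIST};created=${created};keyid="${keyid}"`;
  const sig = crypto.sign(null, signatureBase({ ...msg, headers }, params), privateKey);
  headers['signature-input'] = `sig1=${params}`;
  headers.signature = `sig1=:${sig.toString('base64')}:`;
  return { ...msg, headers };
}

function verifyBatch(msg, body, publicKey) {
  const params = (msg.headers['signature-input'] || '').replace(/^sig1=/, '');
  const m = /^sig1=:([A-Za-z0-9+/]+=*):$/.exec(msg.headers.signature || '');
  // Reject signatures that do not cover the digest, then bind the body to it.
  if (!m || !params.startsWith(`${COVERED_LIST};`)) return false;
  if (msg.headers['content-digest'] !== contentDigest(body)) return false;
  return crypto.verify(null, signatureBase(msg, params), publicKey, Buffer.from(m[1], 'base64'));
}

// Constructed sample: a metadata-only batch, a throwaway key, a placeholder host.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const body = JSON.stringify([{ host: 'api.openai.com', method: 'POST', status: 200, latency_ms: 412 }]);
const request = { method: 'POST', authority: 'control-plane.example', path: '/telemetry', headers: {} };
const signed = signBatch(request, body, privateKey, 'agent-key-1', 1773454449);
console.log(verifyBatch(signed, body, publicKey));                        // true
console.log(verifyBatch(signed, body.replace('200', '500'), publicKey));  // false
```

The verifier checks two things separately: that the body hashes to the Content-Digest header, and that the signature covers that header. Skipping either one lets a modified batch pass.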

OpenAI · Anthropic · Cohere · Groq · Together · Google GenAI · OpenTelemetry

free tier

100K events / month, free forever.

The WASM engine is open source and self-hostable. The hosted control plane is free under the cap. Pay when you exceed it.

open source · Apache 2.0

Try Checkrd in your application.

The SDK is on PyPI and npm. The WASM engine is open source. Self-host the control plane, use the hosted one, or run air-gapped.