Quickstart

Get up and running with Checkrd in under 5 minutes.

1. Install

pip install checkrd
# or
npm install checkrd

2. Create an agent + key

In the dashboard:

1. Create an agent. Copy the agent ID — it's a UUID like 0193b8b4-1c2d-7e3f-a4b5-c6d7e8f9a0b1, not the human-readable name you gave it. Both are shown on the agent's detail page; the SDK needs the UUID.
2. Create an API key for your workspace. Copy it.
3. Publish a starter policy on the agent's Policy tab — the dashboard ships with a default allow-all-GETs / deny-everything-else template you can edit later.

3. Wrap your client

The SDK boots, fetches your published policy from the control plane, installs it, and starts enforcing — all from a single call. No local YAML, no policy= argument in your app code.

from checkrd import Checkrd
import httpx

checkrd = Checkrd(
    agent_id="01234567-89ab-cdef-0123-456789abcdef",
    api_key="ck_live_...",
)
client = checkrd.wrap(httpx.Client())

# Every request through `client` is policy-evaluated before it
# leaves the machine, signed for telemetry, and logged to your
# dashboard. Use it like the underlying httpx client.
response = client.get("https://api.salesforce.com/services/data/v58.0/sobjects/Contact")

import { Checkrd } from "checkrd";

const checkrd = new Checkrd({
  agentId: "01234567-89ab-cdef-0123-456789abcdef",
  apiKey: "ck_live_...",
});
await checkrd.ready();          // awaits the bundle fetch + install
const fetch = checkrd.wrap(globalThis.fetch);

// Every request through `fetch` is policy-evaluated, signed for
// telemetry, and logged to your dashboard. Replace the URL below
// with whichever endpoint your agent hits.
const response = await fetch("https://api.salesforce.com/services/data/v58.0/sobjects/Contact");

That's it. Outbound requests now go through your dashboard's published policy. Edit the policy in the dashboard and the SDK picks up the new version over the SSE control channel in milliseconds — no redeploy required.

4. Load your API key from the environment

For anything checked into source control, read the key from the environment instead:

import os
api_key = os.environ["CHECKRD_API_KEY"]

const apiKey = process.env.CHECKRD_API_KEY!;

What about local development?

For one-off local testing without the control plane, you can supply a policy directly:

# Pure-local: no api_key, no control plane. Use a YAML file or a dict.
client = wrap(
    httpx.Client(),
    agent_id="01234567-89ab-cdef-0123-456789abcdef",
    policy="policy.yaml",
)

Mixing policy= and api_key= is intentionally refused in production — the local policy would silently shadow whatever your dashboard publishes. If you need it for development, opt in explicitly:

export CHECKRD_ALLOW_LOCAL_POLICY=1

Editing your policy

Policies live on each agent in the dashboard. Start in mode: dry_run so decisions are logged to the Events table but no requests are actually blocked. Once the dashboard view matches your intent, flip to mode: enforce.

mode: dry_run        # logs everything, blocks nothing — flip to enforce later
default: deny

rules:
  - name: read-salesforce
    allow:
      method: [GET]
      url: "api.salesforce.com/**"

  - name: block-mutations
    deny:
      method: [POST, PUT, PATCH, DELETE]
      url: "**"

Next Steps

• Error handling — how the SDK surfaces denied requests and the three ways to handle them
• Integrations — Next.js, Hono, Cloudflare Workers, Vercel AI SDK, LangChain, Mastra, MCP, OpenAI Agents, Claude Agent SDK
• Python SDK README — full API documentation
• Security architecture — how Checkrd protects your data