Production SDKDeterministic railsSigned receiptsLeast privilegenpm i proofgateBase: https://api.proofgate.dev

ProofGate TypeScript SDK. Ship rails, not vibes.

Keep model output untrusted. Enforce explicit policy gates. Execute side effects only when ProofGate returns signed decision + execution receipts.

Production API Base URL

https://api.proofgate.dev

All SDK examples on this page are configured for the base above.

View API Docs OpenAPI Spec API Base

Official package

One client for execute, approvals, receipts, and audit output.

Receipts on every call

Decision receipt + execution receipt returned deterministically for audit and replay safety.

Runtime friendly

Works in Node services and Next.js route handlers (server-side) out of the box.

Typed payloads

Payload + scopes are explicit. No hidden authority. No implicit tool access.

Deterministic execution

The SDK is a thin rail: the server enforces invariants, approvals, and signature rules.

Audit-first

Every call maps cleanly into an append-only audit trail with signed receipts.

Install

npm i proofgate

Keep your API key on the server. Never ship it in a browser bundle.

Server integration (Express / API worker)

Copy-paste ready • Scrolls inside the box

import crypto from "crypto";
import express from "express";
import { ProofGateClient } from "proofgate";

const app = express();
app.use(express.json());

// Production base URL:
const proofgate = new ProofGateClient({
  baseUrl: "https://api.proofgate.dev",
  apiKey: "YOUR_API_KEY"
});

app.post("/agent/action", async (req, res) => {
  const result = await proofgate.execute({
    intentId: crypto.randomUUID(),
    action: "email.send",
    actor: { actorId: req.body.userId, actorType: "human" },
    payload: req.body.payload,
    requestedScopes: ["email.send"],
    meta: { source: "support-agent" }
  });

  res.json(result);
});

Browser usage via your backend endpoint

Copy-paste ready • Scrolls inside the box

// Browser code (no API key in the client bundle)
// Always call your backend. Your backend calls ProofGate.

await fetch("/api/proofgate/execute", {
  method: "POST",
  headers: { "content-type": "application/json" },
  body: JSON.stringify({
    intentId: "intent_checkout_01",
    action: "email.send",
    actor: { actorId: "user_123", actorType: "human" },
    payload: {
      to: ["customer@company.com"],
      cc: [],
      bcc: [],
      subject: "Order confirmation",
      body: "Your order is confirmed.",
      links: []
    },
    requestedScopes: ["email.send"],
    meta: { flow: "checkout" }
  })
});

// Next.js Route Handler (server-side)
import { ProofGateClient } from "proofgate";

const proofgate = new ProofGateClient({
  baseUrl: "https://api.proofgate.dev",
  apiKey: "YOUR_API_KEY"
});

export async function POST(req: Request) {
  const input = await req.json();
  const result = await proofgate.execute(input);
  return Response.json(result);
}

What you get back

Every execute returns deterministic proof artifacts you can store, display, and verify.

Full docs →

Decision receipt

Signed verdict for the intent: allowed/denied + applied policy + scope resolution.

Execution receipt

Signed record of tool execution: what ran, what was sent, and what the tool returned.

Audit line

Append-only JSON event suitable for long-term audit and incident reconstruction.