Skip to content

Connecting Your Agent

The KeyRunner SDK connects your agent to the Control Plane so that every tool call it makes is governed by your policies automatically.

Your workspace ID and agent ID are shown in a ready-to-copy snippet on the agent's detail page - you do not need to look them up manually.

Node.js

bash
npm install @keyrunner/sdk
typescript
import { KeyRunnerSDK } from '@keyrunner/sdk';

const sdk = new KeyRunnerSDK({
  workspaceId: '<your-workspace-id>',
  agentId: '<your-agent-id>',
});

// Execute a governed tool call
const result = await sdk.execute('tool_name', { arg: 'value' });

// List the tools your agent is allowed to call
const tools = await sdk.getTools();

Python

bash
pip install keyrunner
python
from keyrunner import KeyRunnerSDK

sdk = KeyRunnerSDK(
    workspace_id="<your-workspace-id>",
    agent_id="<your-agent-id>",
)

# Execute a governed tool call
result = await sdk.execute("tool_name", {"arg": "value"})

# List the tools your agent is allowed to call
tools = await sdk.get_tools()

When a call is blocked

If a call does not meet your policy requirements, the SDK raises an error with a clear reason - for example, the tool is not in the agent's policy, or the tool has been disabled. Your agent code can catch this and handle it appropriately:

typescript
try {
  const result = await sdk.execute('tool_name', args);
} catch (err) {
  if (err.denied) {
    console.log(err.reason); // what blocked the call
  }
}

Credentials are never exposed to the agent

The SDK does not handle API credentials. When a call is allowed, KeyRunner retrieves the credentials for that API from your configured secret store on the server side and executes the request on behalf of the agent. The agent process never sees the raw credentials.

Released under the MIT License.