TrigGuard
TRIGGUARD
Open Console

QUICKSTART

Quickstart (4 steps, no signup for steps 1-3)

Hit the live TrigGuard authority in this order: verify a receipt, verify a signature, inspect capabilities, then request execution access. Every shape on this page matches the deployed TrigGuard authority, not hand-maintained static copy.

Live today

  • Offline verify: `trigguard verify-receipt` /verify
  • Public keys: GET `/.well-known/trigguard-keys.json`
  • Inspect protocol: GET `/protocol/capabilities`
  • Request access: POST `/api/request-access`

Private beta (request access)

  • Execution authorization gateway
  • Public POST `/execute` on host `api.trigguardai.com`
  • `trigguard/authorize` GitHub Action
EndpointStatusAuth
`trigguard verify-receipt` (CLI) /verifyCanonicalNone
GET `/.well-known/trigguard-keys.json`LiveNone
GET `/protocol/capabilities`LiveNone
POST `/api/request-access`LiveNone
POST `/execute` (api host)Private betaAPI key (on request)
`trigguard/authorize` (GitHub Action)Private betaRequest access

Minimal flow: install the SDK, authorize before side effects, verify the signed receipt offline. Full walkthrough: First 10 minutes.

1

Install

npm install trigguard
pip install trigguard

One package for authorization and receipt verification on POST /execute (Node or Python).

2

Authorize

import { createTrigGuard } from "trigguard";

const tg = createTrigGuard({
  gatewayUrl: process.env.TRIGGUARD_GATEWAY_URL,
  apiKey: process.env.TRIGGUARD_API_KEY,
});

const result = await tg.authorize({
  surface: "deploy.release",
  actorId: "my-service",
  context: { environment: "production" },
});
import os
from trigguard import TrigGuard

tg = TrigGuard(
    api_key=os.environ.get("TRIGGUARD_API_KEY"),
    gateway_url=os.environ.get("TRIGGUARD_GATEWAY_URL", "https://api.trigguardai.com"),
)

result = tg.authorize(
    surface="deploy.release",
    actor="my-service",
    context={"environment": "production"},
)

Policy evaluates on the gateway - your app does not implement authorization locally.

3

Receive decision + receipt

{
  "decision": "PERMIT",
  "receipt": { "...": "signed execution receipt" }
}

Decisions are deterministic: PERMIT, DENY, SILENCE. Only PERMIT allows execution.

4

Verify receipt offline

const trusted = await tg.verify(result.receipt);
if (!trusted) throw new Error("Receipt verification failed");
trusted = tg.verify(result["receipt"])
if not trusted:
    raise RuntimeError("Receipt verification failed")

Offline verification - no trust in logs alone. See verification guide.

NEXT: DEEPER DOCS

Full API reference openapi.yaml, canonical contract Decision model: permit / deny / silence Receipt schema & verification Security model