TrigGuard
TRIGGUARD DEVELOPERS
Request a demo

Developer Integration

Protect your first execution surface in under 10 minutes. GitHub Action, REST API, or CLI.

// Quick Start

GitHub Action

Add TrigGuard to your deployment workflow. DENY unauthorized deploys before they reach production.

# .github/workflows/deploy.yml
name: Deploy to Production

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Request TrigGuard Authorization
        id: trigguard
        uses: trigguard/authorize@v1
        with:
          api-key: ${{ secrets.TRIGGUARD_API_KEY }}
          surface: deploy.release
          action: promote-to-production
          context: |
            commit: ${{ github.sha }}
            branch: ${{ github.ref_name }}
            actor: ${{ github.actor }}

      - name: Deploy (only if authorized)
        if: steps.trigguard.outputs.decision == 'PERMIT'
        run: |
          echo "Receipt: ${{ steps.trigguard.outputs.receipt_id }}"
          ./deploy.sh production

// REST API

Direct Integration

Call the API from any language or platform. Single endpoint, deterministic response.

# cURL example
curl -X POST https://api.trigguardai.com/execute \
  -H "Authorization: Bearer $TRIGGUARD_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "surface": "infra.apply",
    "action": "terraform-apply",
    "context": {
      "workspace": "production",
      "plan_hash": "sha256:abc123...",
      "changes": 12
    }
  }'
# Python example
import requests

response = requests.post(
    "https://api.trigguardai.com/execute",
    headers={"Authorization": f"Bearer {api_key}"},
    json={
        "surface": "database.migrate",
        "action": "run-migration",
        "context": {
            "migration_id": "20260313_add_users_table",
            "database": "production"
        }
    }
)

if response.json()["decision"] == "PERMIT":
    receipt = response.json()["receipt_id"]
    run_migration()
else:
    print(f"Blocked: {response.json()['reason']}")

// CLI

Command Line Interface

Wrap any command with TrigGuard authorization. The CLI blocks execution if authorization fails.

# Install CLI
curl -sSL https://get.trigguard.com | sh

# Configure API key
export TRIGGUARD_API_KEY="tg_key_..."

# Wrap a command
tg exec --surface deploy.release --action helm-upgrade \
  -- helm upgrade myapp ./chart --namespace production

# Output
[TrigGuard] Requesting authorization...
[TrigGuard] Decision: PERMIT
[TrigGuard] Receipt: tg_rcpt_7f3a9c...
[TrigGuard] Executing: helm upgrade myapp ./chart --namespace production

// Verification

Verify Receipts in Your Pipeline

Store receipts as artifacts. Verify them offline during audits or compliance reviews.

# Verify a receipt
tg verify --receipt ./deploy-receipt.json

# Output
Receipt ID:    tg_rcpt_7f3a9c2b1d4e5f6a
Decision:      PERMIT
Surface:       deploy.release
Timestamp:     2026-03-13T14:22:00Z
Signature:     VALID (key: tg_key_2026_03)
Status:        ✓ VERIFIED

Offline Verification

Cache public keys locally. Verify receipts without network access to TrigGuard. Keys available at /.well-known/trigguard-keys.json

// Integration Guides

Platform-Specific Documentation

GitHub Actions

Official Action with OIDC support, matrix builds, and workflow artifacts.

GitLab CI

Pipeline integration with Job tokens and protected environments.

Terraform

Pre-apply hooks and plan verification with drift detection.

Kubernetes

Admission controller and ArgoCD integration for GitOps workflows.

// API Reference

Endpoints

POST /execute Request execution authorization
GET /receipts/{id} Retrieve receipt by ID
GET /.well-known/trigguard-keys.json Public keys for verification
GET /health Service health check

// Execution Authorization Model

POST /execute and runtime decision flow

Runtime systems submit an action request to POST /execute before side effects happen. TrigGuard evaluates policy and context, then returns a deterministic authorization outcome and receipt metadata.

// Decision Outcomes

PERMIT, DENY, and SILENCE

PERMIT Execution is authorized and can proceed with receipt issuance.
DENY Execution is explicitly blocked due to policy or risk constraints.
SILENCE No affirmative authorization is granted; callers should fail closed.

// Execution Receipts

Receipt generation and verification

Each authorization decision can generate an execution receipt containing decision evidence, metadata, and signature material. Receipts can be verified through TrigGuard verification flows to confirm integrity and authenticity.

// Runtime Integration

Integrating Gate into execution paths

Integrate Gate at the boundary where actions become irreversible. Pipelines, services, and automation systems should request authorization first, enforce only on PERMIT, and attach receipts to logs and artifacts.

// Example Runtime Flow

Action request
→ POST /execute
→ Signal aggregation
→ TGSafetyEngine
→ PERMIT | DENY | SILENCE
→ Execution receipt

// Related Links

/products/gate · /products/arbiter · /products/verify · /protocol · /docs/api · /pricing

// Get Access

Request API Key

TrigGuard is currently in private beta. Request access to start protecting your execution surfaces.

Request Access Protocol Spec