Thoth SDK
sdk v0.1.6 / proxy v0.2.7

Welcome to Thoth SDK

Runtime action governance for AI agents — enforce decisions before execution and generate audit-grade evidence for regulated workflows.

What is Thoth?

Thoth is Aten Security's open-source runtime action governance layer for AI agents. It sits in the execution path, checks policy before a tool call runs, and writes an evidence record after the call completes.

Use it when you need to control what agents can do in production, not just what prompts they can read.

Category framing:

  • Broad: Runtime Action Governance for AI Agents
  • Wedge: Runtime Action Governance for Regulated AI Workflows

Headless-first model

Thoth is built to run without a UI dependency.

  • Browser and MCP first: Start with Claude Desktop Proxy to govern MCP tool calls on endpoints.
  • Control plane via CLI/API: Use thothctl and GovAPI to bootstrap tenant settings, webhooks, and MDM sync.
  • Native security stack integration: Stream events to your SIEM/SOAR and connect identity/admin systems through integration APIs.
  • GitOps-first operations: Use Headless GitOps support for Terraform, Pulumi, Argo CD, and API-driven reconciliation.

SDKs

SDKPackageEnforcementEvent Emission
Pythonaten-thoth (PyPI)YesYes
Gogithub.com/atensecurity/thoth-goYesYes
TypeScript@atensec/thoth (npm)YesYes

All SDKs share the same shape: instrument tools, enforce decisions, emit evidence.

Key Concepts

  • Tool Wrapping — Check policy before execution and emit evidence after execution.
  • Enforcement Modesobserve, progressive, step_up, or block.
  • Step-Up Auth — Pause high-risk calls until an approver responds.
  • Sessions — Keep policy and evidence scoped to one workflow execution.

Quick Example

from thoth import instrument
 
instrument(
    agent,
    agent_id="invoice-processor-v2",
    approved_scope=["search_docs", "read_invoice", "submit_payment"],
    tenant_id="acme-corp",
    enforcement="progressive",
)
 
agent.run("Process invoice #INV-2024-001")

Authentication

export THOTH_API_KEY="thoth_live_..."

SDKs read THOTH_API_KEY from the environment by default.

Get started now →

On this page