Thoth SDK
sdk v0.1.15 / proxy v0.3.4

Welcome to Thoth Docs

Runtime action governance for AI agents with SDK, control-plane, Terraform, and Pulumi documentation.

What is Thoth?

Thoth is Aten Security's open-source runtime action governance layer for AI agents. It sits in the execution path, checks policy before a tool call runs, and writes an evidence record after the call completes.

Use it when you need to control what agents can do in production, not just what prompts they can read.

Category framing:

  • Broad: Runtime Action Governance for AI Agents
  • Wedge: Runtime Action Governance for Regulated AI Workflows

Headless-first model

Thoth is built to run without a UI dependency.

  • Browser and MCP first: Start with Claude Desktop Proxy to govern MCP tool calls on endpoints.
  • Control plane via CLI/API: Use thothctl and the Thoth Control Plane API to bootstrap tenant settings, webhooks, and MDM sync.
  • Terraform for IaC workflows: Use the Thoth Terraform Provider to manage control-plane resources as code.
  • Pulumi for IaC workflows: Use the Thoth Pulumi Provider to manage control-plane resources in Pulumi programs.
  • Kubernetes-native reconciliation: Use the Thoth Kubernetes Operator for cluster-local, GitOps-managed tenant reconciliation.
  • Native security stack integration: Stream events to your SIEM/SOAR and connect identity/admin systems through integration APIs.
  • Automation-first operations: Use Headless operations for API-driven and CI/CD-driven reconciliation.

Current stable versions

As of June 8, 2026:

| Component | Stable version | Release tag |
|---|---|---|
| Thoth binary line (thoth + thothctl) | v0.3.4 | thoth/v0.3.4 |
| Go SDK | v0.1.15 | sdk/go/v0.1.15 |
| Python SDK | v0.5.11 | sdk/python/v0.5.11 |
| TypeScript SDK | v0.5.11 | sdk/npm/v0.5.11 |
| Terraform Provider | v0.1.11 | provider/terraform/thoth/v0.1.11 |
| Pulumi Provider | v0.1.11 | provider/pulumi/thoth/v0.1.11 |
| Kubernetes Operator | v0.1.0 | platform/public/thoth-operator@0.1.0 |

SDKs

| SDK | Package | Enforcement | Event Emission |
|---|---|---|---|
| Python | aten-thoth (PyPI) | Yes | Yes |
| Go | github.com/atensecurity/thoth-go | Yes | Yes |
| TypeScript | @atensec/thoth (npm) | Yes | Yes |

All SDKs share the same shape: instrument tools, enforce decisions, emit evidence.

Infrastructure as Code

  • Terraform Provider: Get started
  • Terraform Registry: registry.terraform.io/providers/atensecurity/thoth/latest
  • Pulumi Provider: Get started
  • Pulumi package: pulumi.com/registry/packages/thoth
  • Kubernetes Operator: Get started

Key Concepts

  • Tool Wrapping — Check policy before execution and emit evidence after execution.
  • Enforcement Modes — block (default), step_up, progressive, or observe.
  • Step-Up Auth — Pause high-risk calls until an approver responds.
  • Sessions — Keep policy and evidence scoped to one workflow execution.
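
The tool-wrapping pattern from the list above, as a stand-alone sketch added for illustration; it is not Thoth SDK code and does not call the SDK. `Session`, `govern`, `ToolBlocked`, the record fields, and the exact behaviour given to `block`, `observe` and `step_up` are assumptions; `progressive` is left out because this page does not define it.

```python
import functools
import time
import uuid

class ToolBlocked(Exception):
    """Raised when policy denies a tool call before it runs."""

class Session:
    """Hypothetical session: one workflow run with its own scope and evidence."""

    def __init__(self, agent_id, approved_scope, enforcement="block", approver=None):
        if enforcement not in ("block", "observe", "step_up"):
            raise ValueError(f"mode not modelled in this sketch: {enforcement}")
        self.session_id = str(uuid.uuid4())
        self.agent_id = agent_id
        self.approved_scope = frozenset(approved_scope)
        self.enforcement = enforcement
        self.approver = approver  # assumed shape: callable(tool_name) -> bool
        self.evidence = []        # in-memory stand-in for an evidence sink

    def _decide(self, tool):
        if tool in self.approved_scope:
            return "allow"
        if self.enforcement == "observe":
            return "allow_observed"  # violation is recorded, call still runs
        if self.enforcement == "step_up" and self.approver and self.approver(tool):
            return "allow_approved"
        return "deny"                # fail closed, including step_up with no approver

    def govern(self, fn):
        """Wrap a tool: decide before execution, record evidence afterwards."""
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            decision = self._decide(fn.__name__)
            record = {"session": self.session_id, "agent": self.agent_id,
                      "tool": fn.__name__, "decision": decision, "ts": time.time()}
            try:
                if decision == "deny":
                    raise ToolBlocked(fn.__name__)
                result = fn(*args, **kwargs)
                record["outcome"] = "ok"
                return result
            except ToolBlocked:
                record["outcome"] = "blocked"
                raise
            except Exception as exc:
                record["outcome"] = "error:" + type(exc).__name__
                raise
            finally:
                self.evidence.append(record)  # appended on success, block and error
        return wrapper
```

Decorate each tool with `@session.govern`. The sketch keeps call arguments out of the evidence record so that secrets passed to a tool are not copied into the log.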

Quick Example

from thoth import instrument

# `agent` is your existing agent object; constructing it is not shown here.
instrument(
    agent,
    agent_id="invoice-processor-v2",
    approved_scope=["search_docs", "read_invoice", "submit_payment"],
    tenant_id="acme-corp",
    enforcement="block",  # the default enforcement mode
)

agent.run("Process invoice #INV-2024-001")

Authentication

export THOTH_API_KEY="thoth_live_..."

SDKs read THOTH_API_KEY from the environment by default.
