Go SDK
Full reference for the Thoth Go SDK — Config, NewClient(), WrapTool(), WrapToolFunc(), StartSession(), Session, PolicyViolationError, StepUpRequiredError.
Installation
Go 1.25+ required. The SDK has no required external dependencies beyond the Go standard library.
Config
Config holds configuration for the Thoth client. APIURL is required (directly or via
THOTH_API_URL). Other string fields support environment-variable fallbacks.
Enforcement values
| Value | Behavior |
|---|---|
| "observe" | Log only; never block or step-up |
| "progressive" | Escalating enforcement (default) |
| "step_up" | Require human approval for out-of-scope calls |
| "block" | Immediately reject with PolicyViolationError |
NewClient()
Initialize a Thoth client. Returns an error only if required configuration is missing after env var fallbacks are applied.
Close()
Close() flushes buffered behavioral events and releases HTTP resources. Always defer it.
WrapTool()
Wrap a string-in / string-out tool function with Thoth governance. This is the most common variant for LLM tool calling, where both input and output are plain strings.
Enforcement semantics
- ALLOW — the tool executes normally; a behavioral event is emitted.
- BLOCK — execution is prevented; *PolicyViolationError is returned.
- STEP_UP — execution pauses; the enforcer waits for human approval. On timeout or denial, *PolicyViolationError is returned.
- Enforcer unreachable — execution is blocked (fail-closed) and a policy violation error is returned.
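The four outcomes above, modelled as an added, self-contained sketch that does not call the Thoth SDK and is not the SDK's own code. The names govern, violation, enforcer and approver are hypothetical local stand-ins, and the enforcer outage in main is a constructed scenario.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Decisions mirror the enforcement semantics listed above.
type decision string
const allow, block, stepUp decision = "ALLOW", "BLOCK", "STEP_UP"

// violation is a local stand-in for the SDK's *PolicyViolationError.
type violation struct{ Tool, Reason string }
func (v *violation) Error() string { return v.Tool + ": " + v.Reason }

// Hypothetical hooks: a policy check and a wait for human approval.
type enforcer func(ctx context.Context, tool string) (decision, error)
type approver func(ctx context.Context, tool string) (bool, error)

// govern runs fn only on an explicit ALLOW or an approved STEP_UP.
func govern(tool string, fn func(string) (string, error), check enforcer, approve approver, wait time.Duration) func(context.Context, string) (string, error) {
	return func(ctx context.Context, in string) (string, error) {
		d, err := check(ctx, tool)
		if err != nil { // enforcer unreachable: fail closed
			return "", &violation{tool, "enforcer unreachable"}
		}
		switch d {
		case allow:
			return fn(in)
		case stepUp:
			actx, cancel := context.WithTimeout(ctx, wait)
			defer cancel()
			if ok, err := approve(actx, tool); err == nil && ok {
				return fn(in)
			}
			return "", &violation{tool, "step-up denied or timed out"}
		default: // BLOCK, or any decision this code does not recognize
			return "", &violation{tool, "blocked by policy"}
		}
	}
}

func main() {
	down := func(context.Context, string) (decision, error) { return "", errors.New("dial timeout") }
	_, err := govern("search", nil, down, nil, time.Second)(context.Background(), "q")
	fmt.Println(err) // constructed scenario: enforcer down, tool never runs
}
```

Callers can tell a policy denial from a tool failure with errors.As against the violation type; every path that is not an explicit allow or approval returns before the tool function is invoked.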
Example
WrapToolFunc()
Wrap a map-based tool function with Thoth governance. Use this variant when your LLM framework passes
tool arguments as map[string]any (e.g. OpenAI function calling, Anthropic tool use).
Example
StartSession()
Create a new agent session with its own isolated tool-call history and tracer. Recommended for per-request isolation in servers.
| Parameter | Description |
|---|---|
| agentID | Override the agent ID for this session. Pass "" to use the client's agent ID. |
| sessionID | Custom session ID. Pass "" to auto-generate a UUID. |
Example
Session
Session represents an active agent session.
Session.WrapTool()
Identical to Client.WrapTool() but scoped to this session's tool-call history.
Session.WrapToolFunc()
Identical to Client.WrapToolFunc() but scoped to this session.
Session.Close()
Emits a session_end behavioral event and marks the session as closed. Idempotent.
PolicyViolationError
Returned when the enforcer blocks a tool call.
Handling
StepUpRequiredError
Exported for step-up approval workflows where callers choose to handle approval out-of-band.
Current WrapTool / WrapToolFunc behavior waits inline and surfaces timeout/deny as
PolicyViolationError, so StepUpRequiredError is not emitted by those wrappers today.
Complete example
Environment Variables
| Variable | Description |
|---|---|
| THOTH_API_KEY | API key for hosted Thoth authentication |
| THOTH_TENANT_ID | Default tenant ID |
| THOTH_AGENT_ID | Default agent ID |
| THOTH_API_URL | Required tenant API base URL used for both enforcement and event ingestion |
| THOTH_ENV | Policy environment scope (default: prod) |
| THOTH_USER_ID | Default user ID for policy evaluation |
| THOTH_APPROVED_SCOPE | Comma-delimited default approved tool list |
| THOTH_SESSION_INTENT | Session intent for HIPAA minimum-necessary checks |
| THOTH_ENFORCEMENT_TRACE_ID | Explicit correlation ID for enforcement requests |