Quickstart

Working code for every supported framework. Copy, paste, run. All code examples on this page are the canonical reference.

1. Install

Python SDK
pip install kevros
Package: kevros on PyPI · Python 3.9+
Microsoft Agent Framework Middleware
pip install kevros-agent-framework
Native governance middleware for Microsoft agent pipelines.
TypeScript / Node.js
npm install @kevros/agentkit
Package: @kevros/agentkit on npm · Node 18+
Developer Note
The official package is installed with pip install kevros and is imported as kevros_governance.

2. Zero-Config Quick Start (30 seconds)

```python
from kevros_governance import GovernanceClient

client = GovernanceClient(agent_id="my-agent")

result = client.verify(
    action_type="trade",
    action_payload={"symbol": "AAPL", "shares": 100},
    agent_id="my-agent",
)

print(result.decision)         # ALLOW, CLAMP, or DENY
print(result.release_token)    # HMAC-SHA256 signed token
print(result.provenance_hash)  # Hash-chained ledger entry
```

3. With an Explicit API Key

```python
from kevros_governance import GovernanceClient

client = GovernanceClient(api_key="kvrs_your_key_here")

result = client.verify(
    action_type="api_call",
    action_payload={"endpoint": "/users", "method": "DELETE", "user_id": "12345"},
    agent_id="my-agent",
)

if result.decision.value == "ALLOW":
    print(f"Authorized: {result.release_token}")
elif result.decision.value == "CLAMP":
    print(f"Modified action: {result.applied_action}")
elif result.decision.value == "DENY":
    print(f"Denied: {result.reason}")
```
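
One way to turn the three-way decision above into enforcement that fails closed, as an added example that is not part of the Kevros SDK or the original page. `governed_execute`, `ActionBlocked`, `StubClient` and `place_order` are hypothetical names; the stub only mimics the `verify()` fields shown on this page so the block runs offline.

```python
import copy
from types import SimpleNamespace


class ActionBlocked(Exception):
    """Raised whenever the action must not run."""


def governed_execute(client, execute, *, action_type, action_payload, agent_id):
    """Run execute(payload, release_token) only when governance permits it."""
    requested = copy.deepcopy(action_payload)  # pin exactly what is verified
    try:
        result = client.verify(action_type=action_type,
                               action_payload=requested, agent_id=agent_id)
        decision = result.decision.value
    except Exception as exc:  # gateway unreachable, malformed response, ...
        raise ActionBlocked(f"verification failed: {exc}") from exc

    if decision == "ALLOW":
        payload = requested
    elif decision == "CLAMP":
        payload = result.applied_action  # run the modified action, never the original
    else:  # DENY, or any value this code does not recognise
        raise ActionBlocked(getattr(result, "reason", None) or decision)
    if not payload:
        raise ActionBlocked("decision carried no action to run")
    return execute(copy.deepcopy(payload), result.release_token)


class StubClient:
    """Constructed stand-in for GovernanceClient so the example runs offline."""

    def __init__(self, decision, applied_action=None, fail=False):
        self.decision, self.applied_action, self.fail = decision, applied_action, fail

    def verify(self, action_type, action_payload, agent_id):
        if self.fail:
            raise ConnectionError("gateway unreachable")
        return SimpleNamespace(
            decision=SimpleNamespace(value=self.decision),
            release_token="tok-constructed",
            applied_action=self.applied_action,
            reason="" if self.decision == "ALLOW" else "policy limit",
        )


def place_order(payload, token):
    """Hypothetical side effect: returns what it would have executed."""
    return {"placed": payload, "token": token}
```

Errors from the gateway, an unrecognised decision value, and a CLAMP without an `applied_action` all raise `ActionBlocked`, so the side effect runs only on an explicit ALLOW or CLAMP.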

4. The Full Governance Loop

All four operations with x402 per-call pricing: VERIFY ($0.01), BIND ($0.02), ATTEST ($0.02), VERIFY OUTCOME (free with bind).

```python
from kevros_governance import GovernanceClient, IntentType, IntentSource

client = GovernanceClient(api_key="kvrs_your_key_here")

# Step 1: VERIFY the action ($0.01)
verify_result = client.verify(
    action_type="trade",
    action_payload={
        "symbol": "AAPL",
        "shares": 100,
        "side": "buy",
        "limit_price": 185.50,
    },
    agent_id="trading-agent-1",
)
print(f"Decision: {verify_result.decision}")  # ALLOW, CLAMP, or DENY
print(f"Token: {verify_result.release_token}")

# Step 2: BIND the intent to execution context ($0.02)
bind_result = client.bind(
    agent_id="trading-agent-1",
    intent_type=IntentType.FINANCIAL_TRADE,
    intent_source=IntentSource.AGENT_AUTONOMOUS,
    action_type="trade",
    action_payload={
        "symbol": "AAPL",
        "shares": 100,
        "side": "buy",
        "limit_price": 185.50,
    },
    release_token=verify_result.release_token,
)
print(f"Bind ID: {bind_result.bind_id}")

# Step 3: ATTEST to what actually happened ($0.02)
attest_result = client.attest(
    agent_id="trading-agent-1",
    action_type="trade",
    action_payload={
        "symbol": "AAPL",
        "shares": 100,
        "side": "buy",
        "executed_price": 185.47,
    },
    outcome="success",
    evidence={"order_id": "ORD-12345", "fill_time": "2026-02-27T14:30:00Z"},
)
print(f"Attestation hash: {attest_result.attestation_hash}")

# Step 4: VERIFY OUTCOME: closes the governance loop (free with bind)
outcome_result = client.verify_outcome(
    bind_id=bind_result.bind_id,
    actual_outcome={
        "executed_price": 185.47,
        "shares_filled": 100,
        "order_id": "ORD-12345",
    },
)
print(f"Outcome verified: {outcome_result.verified}")
print(f"Drift detected: {outcome_result.drift_detected}")
```

5. Async Support

```python
import asyncio

from kevros_governance import GovernanceClient


async def govern_agent_action():
    async with GovernanceClient(api_key="kvrs_your_key_here") as client:
        result = await client.averify(
            action_type="trade",
            action_payload={"symbol": "AAPL", "shares": 100},
            agent_id="my-agent",
        )
        print(f"Decision: {result.decision}")

        attest = await client.aattest(
            agent_id="my-agent",
            action_type="trade",
            action_payload={"symbol": "AAPL", "shares": 100},
            outcome="success",
            evidence={"order_id": "ORD-12345"},
        )
        print(f"Attestation: {attest.attestation_hash}")


asyncio.run(govern_agent_action())
```

6. Microsoft Agent Framework (Custom Middleware)

This is not a plugin — it's pipeline-level governance. Every agent action passes through the Kevros middleware before execution.

pip install kevros-agent-framework
Agent pipeline with governance middleware
```python
from kevros_agent_framework import KevrosGovernanceMiddleware, KevrosConfig

config = KevrosConfig(
    api_key="kvrs_your_key_here",
    gateway_url="https://governance.taskhawktech.com",
)
kevros = KevrosGovernanceMiddleware(config=config)

# Add to your agent pipeline.
# Agent is your agent framework's agent class; its import is not shown on this page.
agent = Agent(
    middleware=[kevros],
)
```
Handling governance denials
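```python
from kevros_agent_framework import GovernanceDeniedException


# `agent` is the governed agent built above. agent.run() is awaited,
# so the call has to live inside a coroutine.
async def run_trade(agent):
    try:
        return await agent.run(task="execute trade AAPL 100 shares")
    except GovernanceDeniedException as e:
        print(f"Action denied by governance: {e.reason}")
        print(f"Decision: {e.decision}")
        print(f"Provenance hash: {e.provenance_hash}")
        return None
```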

6b. Azure Managed Application (Tenant-Deployed)

Deploy Kevros in your own Azure subscription via the Azure Marketplace. Same governance engine, same SDK, same API — running in your tenant.

Deploy the Free Trial
Start with 5,000 governance decisions per month at no cost. Deploy from the Azure Marketplace in under 15 minutes. No credit card required.
Connect to your tenant-deployed instance
```python
from kevros_governance import GovernanceClient

client = GovernanceClient(
    api_key="kvrs_your_key_here",
    gateway_url="https://your-instance.your-region.azurecontainerapps.io",
)

result = client.verify(
    action_type="trade",
    action_payload={"symbol": "AAPL", "shares": 100},
    agent_id="trading-bot",
)
print(result.decision)  # ALLOW, CLAMP, or DENY
```

The only difference from the hosted gateway is the gateway_url parameter. All governance operations, all protocols, and all SDK features work identically in both deployment models.

Environment variable for tenant-deployed
KEVROS_GATEWAY_URL=https://your-instance.your-region.azurecontainerapps.io

7. LangChain (Drop-in Tools)

```python
from kevros_tools import get_identity_tools
from langchain.agents import initialize_agent, AgentType
from langchain.chat_models import ChatOpenAI

# Get all 6 Kevros governance tools
tools = get_identity_tools(api_key="kvrs_your_key_here")

# Tools provided:
# - kevros_verify            : Verify an agent action
# - kevros_attest            : Attest to a completed action
# - kevros_bind              : Bind intent to execution context
# - kevros_verify_outcome    : Verify outcome matches decision
# - kevros_trust_certificate : Get trust certificate for agent
# - kevros_check_peer        : Check peer agent reputation

llm = ChatOpenAI(model="gpt-4")

agent = initialize_agent(
    tools=tools,
    llm=llm,
    agent=AgentType.STRUCTURED_CHAT_ZERO_SHOT_REACT_DESCRIPTION,
    verbose=True,
)

result = agent.run("Verify a trade of 100 shares of AAPL for agent trading-bot-1")
```

8. CrewAI (Drop-in Tools)

```python
from crewai import Agent, Task, Crew
from crewai_tools import get_identity_tools

# Get Kevros governance tools for CrewAI
kevros_tools = get_identity_tools(api_key="kvrs_your_key_here")

governance_agent = Agent(
    role="Governance Officer",
    goal="Verify and govern all agent actions before execution",
    backstory="You enforce governance policies on autonomous agent actions.",
    tools=kevros_tools,
)

verify_task = Task(
    description="Verify a trade of 100 shares of AAPL for trading-bot-1",
    expected_output="Governance decision with release token",
    agent=governance_agent,
)

crew = Crew(
    agents=[governance_agent],
    tasks=[verify_task],
)

result = crew.kickoff()
```

9. Peer Trust (Verify Other Agents)

Check another agent's reputation
```python
from kevros_governance import GovernanceClient

client = GovernanceClient(api_key="kvrs_your_key_here")

# Check another agent's governance reputation
peer = client.verify_peer("other-agent-id")

print(f"Trust score: {peer.trust_score}")
print(f"Chain length: {peer.chain_length}")
print(f"Attestation count: {peer.attestation_count}")
```
Validate a peer's release token
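```python
# Validate a release token from another agent.
# `client` is the GovernanceClient created above; release_token and
# token_preimage are the values received from that agent.
verification = client.verify_peer_token(
    release_token=release_token,
    token_preimage=token_preimage,
)

print(f"Token valid: {verification.valid}")
print(f"Issuer: {verification.issuer}")
print(f"Decision: {verification.decision}")
```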

10. Trusted HTTP Requests (Auto-Remediation)

```python
from kevros_governance import GovernanceClient

client = GovernanceClient(api_key="kvrs_your_key_here")

response = client.trusted_request(
    method="POST",
    url="https://api.example.com/orders",
    agent_id="trading-agent-1",
    action_type="create_order",
    action_payload={"symbol": "AAPL", "shares": 100, "side": "buy"},
    body={"symbol": "AAPL", "shares": 100, "side": "buy"},
)

print(f"Status: {response.status_code}")
print(f"Governance decision: {response.governance_decision}")
```
Headers added automatically

X-Kevros-Release-Token — Signed release token authorizing the action

X-Kevros-Token-Preimage — Token preimage for independent verification

X-Kevros-Agent-Id — Authenticated agent identifier
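
How a service on the receiving end of these headers can check them with `verify_peer_token` from section 9 before acting, as an added example that is not Kevros code. `check_inbound`, `StubVerifier` and the `accepted` decision set are assumptions; the stub and sample headers are constructed so the block runs offline.

```python
from types import SimpleNamespace

TOKEN_HDR = "X-Kevros-Release-Token"
PREIMAGE_HDR = "X-Kevros-Token-Preimage"
AGENT_HDR = "X-Kevros-Agent-Id"


def check_inbound(headers, client, accepted=("ALLOW", "CLAMP")):
    """Return (ok, detail) for an inbound request; any doubt means reject."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    token, preimage = h.get(TOKEN_HDR.lower()), h.get(PREIMAGE_HDR.lower())
    agent_id = h.get(AGENT_HDR.lower())
    if not (token and preimage and agent_id):
        return False, "missing governance headers"
    try:
        v = client.verify_peer_token(release_token=token, token_preimage=preimage)
    except Exception as exc:  # verifier unreachable: do not process the request
        return False, f"verification unavailable: {exc}"
    decision = getattr(v.decision, "value", v.decision)  # enum or plain string
    if not v.valid:
        return False, "release token invalid"
    if decision not in accepted:
        return False, f"decision {decision!r} not accepted"
    # The agent id header is supplied by the caller. This page does not say how
    # it is bound to the token, so it is reported here, not trusted on its own.
    return True, f"agent={agent_id} issuer={v.issuer} decision={decision}"


class StubVerifier:
    """Constructed stand-in: treats one fixed token/preimage pair as valid."""

    def verify_peer_token(self, release_token, token_preimage):
        ok = (release_token, token_preimage) == ("tok-constructed", "pre-constructed")
        return SimpleNamespace(valid=ok, issuer="constructed-gateway",
                               decision="ALLOW" if ok else "DENY")


# Constructed sample of the three headers listed above.
GOOD_HEADERS = {
    TOKEN_HDR: "tok-constructed",
    PREIMAGE_HDR: "pre-constructed",
    AGENT_HDR: "trading-agent-1",
}
```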

11. Compliance Evidence Bundle

```python
from kevros_governance import GovernanceClient

client = GovernanceClient(api_key="kvrs_your_key_here")

bundle = client.bundle(
    agent_id="trading-agent-1",
    time_range_start="2026-02-01T00:00:00Z",
    time_range_end="2026-02-28T23:59:59Z",
    include_intent_chains=True,
    include_pqc_signatures=True,
    include_verification_instructions=True,
)

print(f"Bundle hash: {bundle.bundle_hash}")
print(f"Records: {bundle.record_count}")
print(f"Chain intact: {bundle.chain_intact}")
```
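
What a `chain_intact` flag asserts about a hash-chained ledger, as an added example that is not Kevros code. The record layout, the field names other than `epoch`, and the hashing rule are assumptions, since this page does not describe the ledger format; the sample records are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first record's prev_hash


def record_hash(prev_hash, body):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the body."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()


def build_chain(bodies):
    chain, prev = [], GENESIS
    for epoch, body in enumerate(bodies):
        h = record_hash(prev, body)
        chain.append({"epoch": epoch, "body": body, "prev_hash": prev, "hash": h})
        prev = h
    return chain


def first_break(chain, expected_head=None):
    """Index of the first bad record, len(chain) if only the head hash
    mismatches (tail dropped or whole chain rewritten), None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["epoch"] != i or rec["prev_hash"] != prev:
            return i  # record removed, reordered or relinked
        if record_hash(prev, rec["body"]) != rec["hash"]:
            return i  # body edited after the hash was taken
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


# Constructed sample ledger.
SAMPLE = build_chain([
    {"action": "trade", "decision": "ALLOW", "shares": 100},
    {"action": "trade", "decision": "CLAMP", "shares": 10},
    {"action": "trade", "decision": "DENY", "shares": 5000},
])
```

Internal consistency alone does not reveal a truncated or fully recomputed chain; that needs a head hash recorded somewhere the ledger's holder cannot rewrite, which is what `expected_head` stands for.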

12. Environment Variables

```bash
KEVROS_API_KEY=kvrs_your_key_here
KEVROS_GATEWAY_URL=https://governance.taskhawktech.com
```

When these environment variables are set, the GovernanceClient constructor picks them up automatically. No arguments required.

13. API Endpoints

| Operation | Method | Path | Price |
|---|---|---|---|
| Verify | POST | /governance/verify | $0.01 |
| Attest | POST | /governance/attest | $0.02 |
| Bind Intent | POST | /governance/bind | $0.02 |
| Verify Outcome | POST | /governance/verify-outcome | Free (with bind) |
| Bundle | POST | /governance/bundle | $0.25 |
| Check Peer | GET | /governance/reputation/{agent_id} | Free |
| Verify Token | POST | /governance/verify-token | Free |
| Health | GET | /governance/health | Free |
| Agent Card | GET | /.well-known/agent.json | Free |

Authentication: X-API-Key: kvrs_your_key_here

14. Response Types

VerifyResponse

decision — ALLOW, CLAMP, or DENY

release_token — HMAC-SHA256 signed token

provenance_hash — SHA-256 of the provenance record

epoch — Provenance chain position

chain_intact — Evidence chain integrity

reason — Human-readable decision reason

applied_action — Modified action (if CLAMP)

AttestResponse

attestation_hash — SHA-256 of the attestation

epoch — Provenance chain position

chain_intact — Evidence chain integrity

timestamp — Attestation timestamp

BindIntentResponse

bind_id — Unique identifier for this binding

intent_type — Type of intent bound

epoch — Provenance chain position

chain_intact — Evidence chain integrity

release_token — Bound release token

VerifyOutcomeResponse

verified — Whether outcome matches intent

drift_detected — Behavioral drift flag

epoch — Provenance chain position

chain_intact — Evidence chain integrity

bind_id — Reference to the original binding

15. Official API Reference

The canonical packages, imports, and methods for Kevros. All code examples on this page are authoritative.

Official Packages & Methods

Install
pip install kevros
Import
from kevros_governance import GovernanceClient
Verify
client.verify(action_type=..., action_payload=..., agent_id=...)
Decision values
result.decision.value == "ALLOW" | "CLAMP" | "DENY"
TypeScript
npm install @kevros/agentkit

Technical Specifications

Kevros is a cryptographic enforcement gateway. It governs agent actions — not content.
The API returns deterministic decisions: ALLOW, CLAMP, or DENY. Bounded confidence envelopes operate internally. See our published BCE research.
Three decision types: ALLOW, CLAMP, and DENY.
Governance boundaries are configured server-side through the gateway.
Evidence is verified through the SDK and API.
Governance latency is workload-dependent. We do not publish fixed benchmarks.

Start free. Upgrade when ready.

The free tier is rate-limited for evaluation and integration testing. Or deploy the Free Trial in your Azure subscription — 5,000 governance decisions per month, no credit card. All governance operations, all protocols, full evidence chain.