Enforgate
Start free
Browse documentation

How do I call Enforgate from my code?

Official, zero-dependency SDKs for TypeScript and Python wrap the advisory check API, and the enforgate CLI lets you gate calls and lint or simulate policies from your terminal or CI.

TypeScript SDK

@enforgate/sdk wraps POST /v1/check. Get a verdict for a tool call, or guard inline.

TypeScript
import { EnforgateClient, EnforgateError } from "@enforgate/sdk";

const enforgate = new EnforgateClient({
  apiKey: process.env.ENFORGATE_API_KEY!,
  baseUrl: process.env.ENFORGATE_GATEWAY_URL ?? "http://localhost:3000",
});

// Advisory check — get a verdict, decide what to do.
const v = await enforgate.check({
  serverName: "demo",
  toolName: "send_email",
  args: { to: "person@example.com" },
});
if (v.decision !== "allow") throw new Error(v.reason);

// Or guard inline — throws EnforgateError unless the call is allowed.
await enforgate.guard({ serverName: "demo", toolName: "delete_file", args: { path } });

Python SDK

enforgate (PyPI) is pure standard library — no third-party dependencies.

Python
import os
from enforgate import EnforgateClient, EnforgateError

client = EnforgateClient(api_key=os.environ["ENFORGATE_API_KEY"])

verdict = client.check("demo", "send_email", {"to": "person@example.com"})
if not verdict.allowed:
    raise RuntimeError(verdict.reason)

# Or guard inline — raises EnforgateError unless allowed.
client.guard("demo", "delete_file", {"path": "/etc/passwd"})

CLI

The enforgate CLI checks a tool call against the gateway and lints or simulates a policy file offline. checksets its exit code from the verdict (allow → 0, deny → 1, hold → 2) so you can gate CI on it.

terminal
# Check a call (key from --key or ENFORGATE_API_KEY)
enforgate check demo send_email --args '{"to":"a@b.com"}'

# Validate a policy file's rule shape
enforgate lint ./policy.json

# Dry-run a policy against a tool name (offline, name-only)
enforgate simulate ./policy.json send_email

Which surface should I use?

The SDKs and CLI wrap the advisory /v1/check API — your code asks for a verdict and decides what to do. For the enforcingpath, point an MCP client at the gateway's /mcp endpoint so every tool call is guarded in the data path. See the API reference and action-boundary enforcement.