Skip to main content
VetoClient is the main entry point for the Veto SDK. Use it to check authorization, manage agents and policies, and query the audit log.

Constructor

import { VetoClient } from "@useveto/node";

const veto = new VetoClient({
  apiKey: process.env.VETO_API_KEY!,
});

Options

apiKey
string
required
Your Veto API key. Get one from the Veto dashboard. Pass it via an environment variable — do not hardcode it in source.
endpoint
string
default:"https://api.veto.tools"
The base URL of the Veto API. Override this when running a local Veto instance.
timeout
number
default:"5000"
Request timeout in milliseconds. If a request takes longer than this, it throws a VetoError with code "TIMEOUT".

Authorization

authorize

Check whether an agent is allowed to call a tool with the given parameters. This is the primary method — call it before every tool execution. 
authorize(
  agentId: string,
  toolName: string,
  parameters?: Record<string, unknown>,
): Promise<AuthorizationResult>
AuthorizationResult has these fields:
FieldTypeDescription
allowedbooleantrue if the action is permitted
outcome"allowed" | "denied" | "escalated"The authorization decision
matchedPolicyIdstring | nullID of the policy that produced the decision, or null for default deny
reasonstringHuman-readable explanation of the decision
evaluatedAtstringISO timestamp of when the decision was made
authorize() does not throw when a tool is denied. It returns { allowed: false, ... }. Errors are only thrown for network failures, timeouts, and authentication problems. See Error Handling for details.
const result = await veto.authorize("support-bot", "send_email", {
  to: "user@example.com",
  subject: "Refund confirmation",
});

if (!result.allowed) {
  console.log(`Blocked: ${result.reason}`);
  return;
}

// proceed with the tool call
await sendEmail(params);

Agents

Agents represent AI systems registered with Veto. Each agent has a unique ID used in authorization checks.

createAgent

createAgent(input: CreateAgentInput): Promise<Agent>
name
string
required
A human-readable name for the agent.
description
string
An optional description of what this agent does.
const agent = await veto.createAgent({
  name: "support-bot",
  description: "Handles customer support requests",
});

console.log(agent.id); // use this as agentId in authorize()

listAgents

listAgents(): Promise<Agent[]>
Returns all agents in your account.

getAgent

getAgent(agentId: string): Promise<Agent>
Returns a single agent by ID.

deleteAgent

deleteAgent(agentId: string): Promise<void>
Permanently deletes an agent and all associated policies.

Policies

Policies define what an agent is allowed to do. Each policy contains one or more rules.

createPolicy

createPolicy(input: CreatePolicyInput): Promise<Policy>
agentId
string
required
The ID of the agent this policy applies to.
name
string
required
A human-readable name for the policy.
rules
PolicyRule[]
required
The rules that make up the policy. See Policies for the full rule schema.
priority
number
default:"0"
Policies with higher priority are evaluated first. Useful when you have multiple policies for the same agent.
enabled
boolean
default:"true"
Set to false to disable the policy without deleting it.
const policy = await veto.createPolicy({
  agentId: agent.id,
  name: "Email allowlist",
  rules: [
    {
      type: "tool_allowlist",
      tools: ["send_email"],
    },
  ],
});

listPolicies

listPolicies(agentId?: string): Promise<Policy[]>
Returns all policies. Pass agentId to filter to a specific agent.

getPolicy

getPolicy(policyId: string): Promise<Policy>
Returns a single policy by ID.

updatePolicy

updatePolicy(policyId: string, input: UpdatePolicyInput): Promise<Policy>
Partially updates a policy. All fields are optional — only the ones you provide are changed.
name
string
Updated policy name.
rules
PolicyRule[]
Replaces the entire rules array.
priority
number
Updated priority.
enabled
boolean
Enable or disable the policy.
// Disable a policy temporarily
await veto.updatePolicy(policy.id, { enabled: false });

deletePolicy

deletePolicy(policyId: string): Promise<void>
Permanently deletes a policy.

Audit logs

Every authorization decision is recorded. Use queryAuditLog to retrieve them.

queryAuditLog

queryAuditLog(filters?: AuditLogFilters): Promise<AuditLogEntry[]>
All filter fields are optional:
agentId
string
Filter to a specific agent.
action
string
Filter by action string.
toolName
string
Filter by tool name.
result
"allowed" | "denied" | "escalated"
Filter by authorization outcome.
from
string
ISO 8601 timestamp — return entries at or after this time.
to
string
ISO 8601 timestamp — return entries at or before this time.
limit
number
Maximum number of entries to return (max 1000).
offset
number
Number of entries to skip, for pagination.
// Get the last 50 denied actions for a specific agent
const entries = await veto.queryAuditLog({
  agentId: "support-bot",
  result: "denied",
  limit: 50,
});

for (const entry of entries) {
  console.log(`${entry.timestamp}${entry.toolName}: ${entry.reason}`);
}