Guard SDK
Embed live Safeguard policy enforcement directly into your MCP server or AI agent process with the Guard SDK for Python, TypeScript, and Go.
Guard SDK
The Guard SDK lets you enforce your organization's Safeguard security policy directly inside your own MCP server or AI agent process. Once configured, it continuously pulls your live policy in the background and applies it to every request — no manual policy files to write, no service restarts to roll out an update, and no separate proxy to run. You get consistent, up-to-date guardrails wherever your agents run, with a couple of lines of setup.
Generate a Secret Key
The Guard SDK authenticates using a secret key tied to your organization.
- Navigate to Settings
- Click the Developer tab
- Click Generate Secret Key
- Copy the key and store it somewhere safe — it is only shown once
Treat this key like a credential. Anyone with it can pull your organization's policy, so store it in a secrets manager or inject it via an environment variable rather than committing it to source control.
Install the SDK
| Language | Package | Install |
|---|---|---|
| Python | safeguard-sh-guard | pip install safeguard-sh-guard |
| TypeScript / JavaScript | @safeguard-sh/guard-sdk | npm install @safeguard-sh/guard-sdk |
| Go | github.com/safeguard-sh/guard-sdk | go get github.com/safeguard-sh/guard-sdk |
The Python and TypeScript packages manage a small local process automatically behind the scenes — you never need to run or configure anything yourself beyond the steps below.
Configure the SDK
Set the secret key as an environment variable named SG_SECRET_KEY, then initialize the SDK. It handles the rest — fetching your policy, keeping it current, and enforcing it on every call.
import os
from safeguard_sh_guard import Guard
guard = Guard(secret_key=os.environ["SG_SECRET_KEY"], guard_base_url="https://guard.safeguard.sh")
# Analyze a request before it executes
result = guard.analyze_request(request_body_bytes)
if result["action"] == "block":
raise PermissionError(result["reason"])import { Guard } from "@safeguard-sh/guard-sdk";
const guard = await Guard.create({
secretKey: process.env.SG_SECRET_KEY,
guardBaseUrl: "https://guard.safeguard.sh",
});
// Analyze a request before it executes
const result = await guard.analyzeRequest(requestBody);
if (result.action === "block") {
throw new Error(result.reason);
}import (
"context"
"github.com/safeguard-sh/guard-sdk"
)
client, err := sdk.NewClient(context.Background(), sdk.ClientConfig{
SecretKey: os.Getenv("SG_SECRET_KEY"),
GuardBaseURL: "https://guard.safeguard.sh",
})
if err != nil {
log.Fatal(err)
}
defer client.Close()
// Analyze a request before it executes
result := client.Guard().AnalyzeRequest(context.Background(), requestBody)
if result.Blocked() {
// handle result.Reason
}Once initialized, the SDK keeps your policy in sync automatically. When you update rules in Safeguard, the change applies to every running instance of your agent within moments — no redeploy or restart required.
OAuth Login
If your team prefers not to manage a static secret key, the Guard SDK also supports an OAuth-based login flow. This is useful for shared or interactive environments where you want individual developer identity attached to policy pulls instead of a single shared key.
guard = Guard(oauth_token=token, tenant_id=tenant_id, guard_base_url="https://guard.safeguard.sh")const guard = await Guard.create({ oauthToken: token, tenantId: tenantId, guardBaseUrl: "https://guard.safeguard.sh" });client, err := sdk.NewClient(context.Background(), sdk.ClientConfig{
OAuthToken: token,
TenantID: tenantID,
GuardBaseURL: "https://guard.safeguard.sh",
})Both authentication methods grant the same runtime behavior — the only difference is how the SDK identifies itself to Safeguard.
FAQ & Troubleshooting
What happens if my network can't reach Safeguard? The SDK keeps enforcing the last policy it successfully retrieved and automatically retries in the background. Your agent keeps running under known-good rules rather than failing open or blocking entirely.
How quickly do policy changes take effect? Within moments of being published — the SDK pulls updates continuously in the background, so there's no need to restart your service.
Can I use the Guard SDK alongside the main Safeguard SDK? Yes. The Guard SDK is focused on policy enforcement inside agent processes, while the main SDKs cover the broader REST API (findings, SBOMs, remediation, and more). They can be used together in the same project.
Do I need to configure a policy manually? No. The Guard SDK pulls whatever policy is currently live for your organization in Safeguard. Manage the policy itself from your Safeguard workspace; the SDK stays in sync automatically.
Which languages are supported? Python, TypeScript/JavaScript, and Go are supported today.
Related
- SDKs — the general-purpose Safeguard SDKs for the REST API.
- MCP Integrations — connect an AI assistant to Safeguard directly.
- Webhooks & Events — react to policy and findings changes elsewhere in your stack.