ArmorIQ SDK
Build secure AI agents with cryptographic intent verification
ArmorIQ SDK
One API key. Email per request. Done.
The ArmorIQ SDK lets you build AI agents whose every action is cryptographically verified against an explicit plan — before it ever reaches an MCP tool.
Why ArmorIQ
- Simple — one API key, no cloud credentials, no user/agent IDs to manage
- Secure — every tool call is cryptographically verified against a signed plan
- Auditable — every decision (allow / hold / block) is attributed to an end-user email
- Framework-native — drop into Google ADK (Python) today; more adapters coming
How it works
- You initialize the client once with your API key.
- For each end-user interaction you open a per-user scope:
client.for_user(email). - The agent produces a plan. The SDK canonicalizes it, mints an intent token
(via CSRG-IAP), and every
invoke()call is checked against it at the proxy.
Traditional approach:
# Direct calls — no verification
api.call("service1", "action1")
api.call("service2", "action2")
api.call("service3", "action3") # Could be malicious!// Direct calls — no verification
api.call('service1', 'action1');
api.call('service2', 'action2');
api.call('service3', 'action3'); // Could be malicious!ArmorIQ approach:
from armoriq_sdk import ArmorIQClient
client = ArmorIQClient() # reads ARMORIQ_API_KEY
scope = client.for_user("alice@example.com")
plan = {
"goal": "Fetch sales data and analyze Q4 performance",
"steps": [
{"action": "fetch_sales", "mcp": "data-mcp", "params": {"quarter": "Q4"}},
{"action": "analyze", "mcp": "analytics-mcp", "params": {"metrics": ["revenue"]}},
],
}
captured = scope.capture_plan(llm="gpt-4", prompt="...Q4 performance", plan=plan)
token = scope.get_intent_token(captured)
scope.invoke("data-mcp", "fetch_sales", token, {"quarter": "Q4"}) # OK
scope.invoke("analytics-mcp", "analyze", token, {"metrics": ["revenue"]}) # OK
scope.invoke("data-mcp", "delete_all", token, {}) # blockedimport { ArmorIQClient } from '@armoriq/sdk';
const client = new ArmorIQClient(); // reads ARMORIQ_API_KEY
const scope = client.forUser('alice@example.com');
const plan = {
goal: 'Fetch sales data and analyze Q4 performance',
steps: [
{ action: 'fetch_sales', mcp: 'data-mcp', params: { quarter: 'Q4' } },
{ action: 'analyze', mcp: 'analytics-mcp', params: { metrics: ['revenue'] } },
],
};
const captured = scope.capturePlan('gpt-4', '...Q4 performance', plan);
const token = await scope.getIntentToken(captured);
await scope.invoke('data-mcp', 'fetch_sales', token, { quarter: 'Q4' }); // OK
await scope.invoke('analytics-mcp', 'analyze', token, { metrics: ['revenue'] }); // OK
await scope.invoke('data-mcp', 'delete_all', token, {}); // blockedThe SDK validates your plan, CSRG-IAP creates the cryptographic proof
(plan_hash, merkle_root, step_proofs), and each invoke() is verified
against it at the Proxy. This prevents:
- Prompt-injection attacks that try to execute unplanned actions
- Unauthorized tool calls
- Plan tampering or modification
Getting started
Installation
Install the SDK (Python or TypeScript) and the CLI
Client Initialization
One-key + email-per-request setup
CLI
armoriq init, login, register, and friends (Python)
Google ADK Integration
Drop ArmorIQ into an ADK agent (Python)
Documentation
- Installation — install the SDK and the
armoriqCLI - Client Initialization — one-key setup,
for_user(email)scopes - CLI — the
armoriqcommand (init,login,validate,register,orgs,status,logs) - Integrations — Google ADK (Python, live); CrewAI, LangChain, OpenAI, Anthropic — and all TypeScript adapters — coming soon
- Configuration — the
armoriq.yamlschema - Core Methods —
capture_plan,get_intent_token,invoke,delegate - Data Models — plan, token, result schemas
- MCP Directory — MCP registration format
- Error Handling — exception types and recovery
- Advanced Usage — caching, batching, pooling
- Troubleshooting — common issues
- Best Practices — testing, monitoring, lifecycle