Prerequisites

  • Node.js 18 or later
  • A Veto API key — create one before continuing

Steps

1

Install the SDK

Install the @useveto/node package from npm.
npm install @useveto/node
2

Create a client

Import VetoClient and initialize it with your API key. Use an environment variable — never hardcode the key.
import { VetoClient } from "@useveto/node";

const veto = new VetoClient({ apiKey: process.env.VETO_API_KEY! });
3

Register an agent

Call veto.createAgent() to register your AI system. The name is a human-readable label; the returned id is what you’ll use in every authorization check.
const agent = await veto.createAgent({
  name: "support-bot",
  description: "Customer support agent",
});

console.log(agent.id); // e.g. "a1b2c3d4-..."
4

Create a policy

Policies define what an agent can do. Create a policy with a tool_allowlist rule to grant access to specific tools.
const policy = await veto.createPolicy({
  agentId: agent.id,
  name: "Support bot — allowed tools",
  rules: [
    {
      type: "tool_allowlist",
      tools: ["send_email", "lookup_order"],
    },
  ],
});
The tools array supports exact names. An agent with this policy can call send_email and lookup_order — and nothing else.
5

Authorize a tool call

Before your agent executes a tool, call veto.authorize() with the agent ID, tool name, and any parameters. Check the allowed field on the result.
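// Keep the tool parameters in one object so the values that were authorized
// are the same values the tool receives.
const params = {
  to: "customer@example.com",
  subject: "Your order has shipped",
};

const result = await veto.authorize(agent.id, "send_email", params);

if (result.allowed) {
  await sendEmail(params); // your tool implementation
} else {
  console.log(`Blocked: ${result.reason}`);
}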

Full example

import { VetoClient } from "@useveto/node";

const veto = new VetoClient({ apiKey: process.env.VETO_API_KEY! });

async function main() {
  // 1. Register the agent
  const agent = await veto.createAgent({
    name: "support-bot",
    description: "Customer support agent",
  });

  // 2. Create a policy
  await veto.createPolicy({
    agentId: agent.id,
    name: "Support bot — allowed tools",
    rules: [
      {
        type: "tool_allowlist",
        tools: ["send_email", "lookup_order"],
      },
    ],
  });

  // 3. Check authorization before executing a tool
  const result = await veto.authorize(agent.id, "send_email", {
    to: "customer@example.com",
    subject: "Your order has shipped",
  });

  if (result.allowed) {
    console.log("Authorized — executing tool");
  } else {
    console.log(`Blocked: ${result.reason}`);
  }

  // 4. Try a tool that isn't in the allowlist
  const denied = await veto.authorize(agent.id, "delete_record", {
    id: "rec_123",
  });

  console.log(denied.allowed);  // false
  console.log(denied.reason);   // "No policy explicitly allows this action (default deny)"
}

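// Surface failures (missing API key, network errors) instead of leaving an unhandled rejection.
main().catch((err) => {
  console.error(err);
  process.exit(1);
});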
Because Veto uses a default-deny model, any tool not explicitly listed in an allowlist rule is blocked. In the example above, delete_record is denied because no policy covers it — even though the agent exists and has a policy for other tools.
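
The check in step 5 only protects you if every tool call goes through it and if errors are treated as denials. The following wrapper is an added example, not part of the Veto SDK or its documentation: `guardedCall`, `stubAuthorizer` and the `tools` registry are hypothetical names, and the stub only mimics the `authorize(agentId, tool, params)` call and the `allowed` / `reason` fields shown on this page so the code runs offline.

```javascript
// Added example: fail-closed enforcement wrapper. `guardedCall`, `tools` and
// `stubAuthorizer` are hypothetical names, not part of the Veto SDK.

// Constructed stand-in for the Veto client so the example runs offline. It only
// mimics the authorize(agentId, tool, params) -> { allowed, reason } shape.
function stubAuthorizer(allowlist, { failWith } = {}) {
  return {
    async authorize(agentId, tool, params) {
      if (failWith) throw failWith; // simulate an outage or timeout
      return allowlist.includes(tool)
        ? { allowed: true }
        : { allowed: false, reason: "No policy explicitly allows this action (default deny)" };
    },
  };
}

// Runs a tool only after an explicit allow. Anything else (deny, thrown error,
// malformed response, unknown tool) results in the tool NOT being executed.
async function guardedCall(authorizer, agentId, tools, toolName, params) {
  // Own-property check: names like "constructor" must not resolve via the prototype.
  if (!Object.prototype.hasOwnProperty.call(tools, toolName)) {
    return { executed: false, reason: `Unknown tool: ${toolName}` };
  }
  let decision;
  try {
    decision = await authorizer.authorize(agentId, toolName, params);
  } catch (err) {
    // Fail closed: an unreachable policy service must not become an implicit allow.
    return { executed: false, reason: `Authorization unavailable: ${err.message}` };
  }
  // Require the literal boolean true; truthy strings or missing fields are denials.
  if (!decision || decision.allowed !== true) {
    const reason = decision && decision.reason ? decision.reason : "Denied";
    return { executed: false, reason };
  }
  // Pass the original parameters to the tool, not the authorization result.
  return { executed: true, output: await tools[toolName](params) };
}

// Constructed tool registry for the demo.
const tools = {
  send_email: async ({ to }) => `queued mail to ${to}`,
  delete_record: async ({ id }) => `deleted ${id}`,
};
```

With the real client, pass `veto` as the `authorizer` argument and route every tool invocation through the wrapper so no code path can call a tool directly.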

Next steps