1. Create a workspace

Sign up at app.veto.tools and create a workspace. A workspace is the container for your agents, policies, and audit logs.

2. Get your API key

In the dashboard, go to Settings → API Keys and create a new key.
The raw API key is shown once at creation and never again — only the key prefix is stored. Copy it immediately and save it somewhere secure, such as a password manager or secrets vault.
Your key will look like this:
veto_a3f8c2e1d4b7...
For local development, store it in an environment variable:
export VETO_API_KEY=veto_a3f8c2e1d4b7...

3. Install the SDK

npm install @useveto/node

4. Create an agent

An agent represents an AI actor — a bot, workflow, or model — that calls tools. Register one using the SDK or the dashboard.
import { VetoClient } from "@useveto/node";

const veto = new VetoClient({ apiKey: process.env.VETO_API_KEY! });

const agent = await veto.createAgent({
  name: "support-bot",
  description: "Customer support agent that can send emails and look up orders",
});

console.log(agent.id); // e.g. "agent_01j..."
You can also create agents directly in the dashboard under Agents → New agent. Copy the agent ID — you’ll use it in authorization checks.

5. Create a policy

Policies define what your agent is allowed to do. The following example creates a policy that allows the support-bot agent to call send_email and lookup_order, and nothing else.
const policy = await veto.createPolicy({
  agentId: agent.id,
  name: "Support bot — allowed tools",
  rules: [
    {
      type: "tool_allowlist",
      tools: ["send_email", "lookup_order"],
    },
  ],
  priority: 10,
  enabled: true,
});

console.log(policy.id);
Any tool not on the allowlist is blocked by default — you don’t need to define a denylist.

6. Make an authorization check

Call veto.authorize() before each tool execution. Pass the agent ID, the tool name, and (optionally) the call parameters.
// Build the parameters once so the tool runs with exactly what was authorized.
const params = {
  to: "customer@example.com",
  subject: "Your order has shipped",
};

const result = await veto.authorize(
  agent.id,        // agentId: string
  "send_email",    // toolName: string
  params,          // parameters (optional)
);

if (result.allowed) {
  // proceed with the tool call; sendEmail is your application's own function
  await sendEmail(params);
} else {
  console.log(`Blocked: ${result.reason}`);
}
The response includes:
Field            Type                    Description
allowed          boolean                 Whether the action is permitted
outcome          "allowed" | "denied"    The decision
matchedPolicyId  string | null           The policy that produced this decision, or null for default deny
reason           string                  Human-readable explanation
evaluatedAt      string                  ISO 8601 timestamp of the evaluation
A denied response looks like this:
{
  "allowed": false,
  "outcome": "denied",
  "matchedPolicyId": null,
  "reason": "No policy allows tool 'delete_account' for this agent",
  "evaluatedAt": "2026-04-08T12:00:00.000Z"
}
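
One way to enforce the check-before-every-call rule from step 6 is to gate each tool behind `authorize()` in a wrapper that fails closed. This is an added example, not code from the Veto SDK or its documentation; `guardTools`, `ToolDeniedError` and `stubClient` are hypothetical names, treating errors and timeouts as denials is a design choice of this sketch, and the stub stands in for `VetoClient` so the block runs offline.

```javascript
// Added example, not part of the Veto SDK. `client` is anything exposing the
// authorize(agentId, toolName, parameters) call shown on this page.
class ToolDeniedError extends Error {
  constructor(toolName, reason) {
    super(`Blocked ${toolName}: ${reason}`);
    this.name = "ToolDeniedError";
    this.reason = reason;
  }
}

// Hypothetical helper: returns the same tools, each gated by an authorization check.
function guardTools(client, agentId, tools, timeoutMs = 2000) {
  const guarded = {};
  for (const [toolName, fn] of Object.entries(tools)) {
    guarded[toolName] = async (parameters = {}) => {
      // Deep-copy so the tool receives exactly the parameters that were authorized.
      const params = structuredClone(parameters);
      let result, timer;
      try {
        const timeout = new Promise((_, reject) => {
          timer = setTimeout(() => reject(new Error("timed out")), timeoutMs);
        });
        result = await Promise.race([client.authorize(agentId, toolName, params), timeout]);
      } catch (err) {
        // Fail closed: an unreachable or erroring policy service counts as a denial.
        throw new ToolDeniedError(toolName, `authorization unavailable (${err.message})`);
      } finally {
        clearTimeout(timer);
      }
      // Only an explicit boolean true proceeds; a malformed response is a denial.
      if (!result || result.allowed !== true) {
        throw new ToolDeniedError(toolName, result?.reason ?? "malformed response");
      }
      return fn(params);
    };
  }
  return guarded;
}

// Constructed stand-in for VetoClient that mirrors the allowlist policy above.
const stubClient = (allowedTools) => ({
  async authorize(_agentId, toolName) {
    const allowed = allowedTools.includes(toolName);
    const reason = allowed ? "Allowed by policy" : `No policy allows tool '${toolName}' for this agent`;
    return { allowed, outcome: allowed ? "allowed" : "denied", reason };
  },
});
```

With the real SDK, pass the `VetoClient` instance and `agent.id` in place of the stub and the constructed agent ID.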

What’s next

Authentication

Learn about API key scopes, rate limits, and secure key management.

Policies

Explore all five rule types — allowlists, denylists, parameter constraints, rate limits, and time windows.

Node.js SDK

Full SDK reference including MCP middleware.

API Reference

REST API reference for every endpoint.