TrustLoop — API Documentation

Quickstart

The fastest way to add TrustLoop to an existing agent is the OpenAI proxy. Change one line of code — that's it.

python

          from openai import OpenAI

client = OpenAI(
    api_key="sk-your-openai-key",
    base_url="https://api.trustloop.live/v1",
    default_headers={"x-api-key": "tl_your_trustloop_key"}
)

# Your existing code works unchanged — TrustLoop intercepts automatically
response = client.chat.completions.create(
    model="gpt-4o-mini",
    messages=[{"role": "user", "content": "Transfer £5000 to supplier"}],
    tools=[...]
)
          import OpenAI from 'openai';

const client = new OpenAI({
  apiKey: 'sk-your-openai-key',
  baseURL: 'https://api.trustloop.live/v1',
  defaultHeaders: { 'x-api-key': 'tl_your_trustloop_key' }
});

// Your existing code works unchanged
const response = await client.chat.completions.create({
  model: 'gpt-4o-mini',
  messages: [{ role: 'user', content: 'Transfer £5000 to supplier' }],
  tools: [...]
});
          curl -X POST https://api.trustloop.live/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer sk-your-openai-key" \
  -H "x-api-key: tl_your_trustloop_key" \
  -d '{
    "model": "gpt-4o-mini",
    "messages": [{"role": "user", "content": "Transfer 5000 to supplier"}],
    "tools": [...]
  }'
        

That's it. TrustLoop intercepts all tool calls, evaluates them against your governance rules, and either allows, blocks, or routes them for human approval — automatically.

Authentication

All API requests require a TrustLoop API key. Pass it in the x-api-key header or as a query parameter.

http
# Header (recommended)
x-api-key: tl_your_api_key_here

# Query parameter (for browser/CSV export)
GET /api/logs/export?api_key=tl_your_api_key_here

Get your API key by signing up at trustloop.live/signup or from your dashboard.

Base URL

url
https://api.trustloop.live

OpenAI Proxy

The proxy intercepts tool_calls in OpenAI responses and applies your governance rules before returning results to the client.

POST /v1/chat/completions 🔑 x-api-key required OpenAI-compatible proxy

How it works

1. Your agent sends a request exactly as it would to OpenAI (with Authorization: Bearer sk-xxx).
2. TrustLoop forwards to OpenAI and intercepts the response.
3. If the response contains tool_calls, each is evaluated against your rules.
4. Result is either ALLOWED, BLOCKED, or PENDING (routed for approval).

Response format

All responses include a _trustloop field:

json — allowed
// Tool was allowed — normal OpenAI response + metadata
{
  "choices": [...],
  "_trustloop": { "status": "allowed", "tool": "read_file" }
}

json — blocked
{
  "choices": [{ "message": { "content": "Tool 'delete_file' is blocked by governance policy." } }],
  "_trustloop": { "blocked": true, "tool": "delete_file", "rule": "Block all file deletions" }
}

json — pending approval
{
  "choices": [{ "message": { "content": "Tool requires human approval. Retry once approved." } }],
  "_trustloop": {
    "status": "pending_approval",
    "approval_id": "uuid-here",
    "tool": "wire_transfer"
  }
}

Direct Intercept API

For non-OpenAI frameworks (LangChain custom tools, AutoGen, custom agents), use the intercept endpoint directly in your tool execution logic.

POST /api/intercept 🔑 x-api-key required

Request body

Field	Type	Description
tool_name	string	The name of the tool being called
arguments	object	The tool's arguments (optional)

python — langchain example
import requests

def trustloop_check(tool_name, args):
    res = requests.post(
        "https://api.trustloop.live/api/intercept",
        headers={"x-api-key": "tl_your_key"},
        json={"tool_name": tool_name, "arguments": args}
    ).json()

    if not res["allowed"]:
        raise PermissionError(res["message"])

# In your tool executor:
trustloop_check("delete_records", {"table": "customers"})
# Tool only executes if TrustLoop allows it

MCP Protocol

Connect Claude Desktop or any MCP-compatible client via Server-Sent Events.

GET /sse?api_key=tl_xxx MCP SSE

Add TRUSTLOOP_MCP_URL=https://api.trustloop.live/sse?api_key=tl_xxx to your .env and configure your MCP client to use it.

SDKs

Official SDKs wrap the REST API with a clean interface. Zero config beyond your API key.

Python — `pip install trustloop-sdk`

bash
pip install trustloop-sdk

# With LangChain support
pip install trustloop-sdk[langchain]

# With CrewAI support
pip install trustloop-sdk[crewai]

# With async support (httpx)
pip install trustloop-sdk[async]

python
from trustloop import TrustLoop, TrustLoopBlockedError

tl = TrustLoop(api_key="tl_your_key", agent_name="my-agent")

# Manual check
result = tl.intercept("send_email", {"to": "ceo@bank.com"})
if not result["allowed"]:
    raise RuntimeError(result["message"])

# Or use the decorator
@tl.guard("delete_records")
def delete_records(table, where):
    ...  # only runs if TrustLoop allows it

# LangChain — wrap all tools in one line
from trustloop.integrations.langchain import wrap_tools
tools = wrap_tools(raw_tools, tl)

# CrewAI — decorate your tool class
from trustloop.integrations.crewai import governed_tool

@governed_tool(tl)
class MyTool(BaseTool):
    ...

Environment variable shortcut: set TRUSTLOOP_API_KEY and call TrustLoop() with no arguments.

Node.js — `npm install trustloop`

javascript
import TrustLoop from 'trustloop';

const tl = new TrustLoop({ apiKey: 'tl_your_key' });

const result = await tl.intercept('send_email', { to: 'ceo@bank.com' });
if (!result.allowed) throw new Error(result.message);

// OpenAI proxy shortcut
const openai = new OpenAI(TrustLoop.openai('sk-openai-key', 'tl_your_key'));

Python SDK on GitHub 📦 PyPI — trustloop-sdk 📦 npm — trustloop

Custom GPTs (OpenAI Enterprise)

Add TrustLoop as a GPT Action so every Custom GPT in your organisation is governed — no code changes, just configuration.

Step 1 — Add TrustLoop as a GPT Action

Open your Custom GPT in the OpenAI editor → Configure → Add actions
Click Import from URL and paste:
https://trustloop.live/openapi.json
Under Authentication → select API Key → Auth type: Custom → Header name: x-api-key → paste your TrustLoop API key
Save the action.

Step 2 — Add this to your GPT's system prompt

This instructs the GPT to check with TrustLoop before taking any sensitive action:

system prompt
Before taking any sensitive action — including sending emails, accessing
databases, calling external APIs, transferring data, modifying files, or
any operation that affects systems outside this conversation — you MUST
call the TrustLoop interceptToolCall action first.

Pass the action name as tool_name and all relevant parameters as arguments.
Set agent_name to the name of this GPT.

Rules:
- If the response is allowed: true → proceed with the action.
- If the response is allowed: false and status is BLOCKED → do NOT proceed.
  Tell the user: "This action was blocked by your organisation's AI
  governance policy: [message from TrustLoop]"
- If the response is allowed: false and status is PENDING → do NOT proceed.
  Tell the user: "This action requires approval from your administrator.
  They have been notified. Please wait for their approval before retrying."

Never skip this check for sensitive operations.

Step 3 — Test it

Ask the GPT to do something that should be blocked (e.g. "Send an email to all customers"). You should see TrustLoop return a BLOCKED or PENDING response, and the GPT should refuse to proceed.

Check your TrustLoop dashboard — the intercept should appear in the audit log within seconds.

For OpenAI Enterprise with multiple GPTs: give each GPT a distinct agent_name in the system prompt (e.g. "finance-assistant", "hr-copilot"). TrustLoop tracks and displays each agent separately in your dashboard, and you can set per-agent kill-switch rules.

OpenAPI schema

📄 trustloop.live/openapi.json Get free API key →

Audit Logs

GET /api/logs 🔑 required Last 100 tool calls

GET /api/logs/export 🔑 required Download as CSV

GET /api/stats 🔑 required Counts by status

Approval Rules

Natural language rules evaluated by AI against every tool call.

GET /api/approval-rules 🔑 required

POST /api/approval-rules 🔑 required

DELETE /api/approval-rules/:id 🔑 required

Create a rule

Field	Type	Description
rule_text	string	Plain English rule (e.g. "Any wire transfer over £1,000 needs approval")
action	approve \| block	"approve" = route for human approval. "block" = reject immediately.
approver_email	string?	Email to notify. Overrides default notification email.

Pending Approvals

GET /api/pending-approvals 🔑 required

POST /api/pending-approvals/:id/decide 🔑 required Body: {"action": "approved" | "denied"}

GET /api/approve/:token public One-click approve from email

GET /api/deny/:token public One-click deny from email

Auto-expiry: Pending approvals are automatically denied after 24 hours of inactivity. The approver receives an expiry notification email.

Notification Settings

GET /api/notification-settings 🔑 required

PUT /api/notification-settings 🔑 required

Field	Type	Description
notify_email	string?	Default approver email (used when rule has no approver_email)
slack_webhook_url	string?	Slack incoming webhook URL
teams_webhook_url	string?	Microsoft Teams incoming webhook URL

Blocked Tools (Kill Switch)

GET /api/blocked-tools 🔑 required

POST /api/blocked-tools 🔑 required Body: {"tool_name": "delete_file"}

DELETE /api/blocked-tools/:tool_name 🔑 required

Errors

Status	Meaning
401	Missing or invalid x-api-key
400	Missing required field in request body
500	Internal server error — contact support if this persists

API Documentation

Quickstart

Authentication

Base URL

OpenAI Proxy

How it works

Response format

Direct Intercept API

Request body

MCP Protocol

SDKs

Python — pip install trustloop-sdk

Node.js — npm install trustloop

Custom GPTs (OpenAI Enterprise)

Step 1 — Add TrustLoop as a GPT Action

Step 2 — Add this to your GPT's system prompt

Step 3 — Test it

OpenAPI schema

Audit Logs

Approval Rules

Create a rule

Pending Approvals

Notification Settings

Blocked Tools (Kill Switch)

Errors

Python — `pip install trustloop-sdk`

Node.js — `npm install trustloop`