
Installation

Use this page when

  • You need to install the kt CLI binary on macOS, Linux, or run it from Docker.
  • You want to build from source for supply-chain verification.
  • You need to verify a successful installation.

Primary audience

  • Primary: AI Agents, Technical Engineers
  • Secondary: Technical Leaders

From Binary Release

Download the latest kt binary for your platform:

# macOS (universal: Apple Silicon + Intel)
curl -fsSL https://dl.keeptrusts.com/releases/latest/kt-macos-universal.tar.gz \
| sudo tar xz -C /usr/local/bin kt

# Linux (x86_64)
curl -fsSL https://dl.keeptrusts.com/releases/latest/kt-linux-x86_64.tar.gz \
| sudo tar xz -C /usr/local/bin kt
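
The commands above pipe the download straight into sudo tar, so nothing is checked before a file lands in /usr/local/bin. The following is an added example, not part of the Keeptrusts documentation: it verifies a saved archive against a SHA-256 digest and checks its contents before installing. It assumes you obtained the expected digest from a source you trust (this page does not say where checksums are published); sha256_of and verify_and_install are hypothetical helper names.

```shell
# Added example (not Keeptrusts code). Assumption: the expected digest comes from
# a source you trust, obtained separately from the download itself.

# Print the lowercase hex SHA-256 of a file (Linux: sha256sum, macOS: shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_install ARCHIVE EXPECTED_SHA256 DEST_DIR
# Succeeds only if the digest matches and the archive's sole member is "kt".
verify_and_install() {
  local archive expected dest actual members tmp rc
  archive="$1"; dest="$3"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  # Reject a missing or malformed digest instead of comparing against it.
  case "$expected" in ""|*[!0-9a-f]*) echo "bad digest" >&2; return 1 ;; esac
  [ "${#expected}" -eq 64 ] || { echo "bad digest length" >&2; return 1; }
  actual="$(sha256_of "$archive")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch: got ${actual:-nothing}" >&2
    return 1
  fi
  # Refuse archives carrying extra or path-traversing members.
  members="$(tar -tzf "$archive")" || return 1
  if [ "$members" != "kt" ]; then
    echo "unexpected archive contents" >&2
    return 1
  fi
  # Extract without privileges into a scratch directory, then copy one file.
  tmp="$(mktemp -d)" || return 1
  rc=0
  tar -xzf "$archive" -C "$tmp" kt && install -m 0755 "$tmp/kt" "$dest/kt" || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Usage: the digest below is a placeholder you must replace.
#   curl -fsSL -o kt.tar.gz https://dl.keeptrusts.com/releases/latest/kt-linux-x86_64.tar.gz
#   verify_and_install kt.tar.gz "<EXPECTED_SHA256>" "$HOME/.local/bin"
```

Because the latest URL can point at a different archive tomorrow, a digest recorded for one release will correctly fail against the next one.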

From Source

Requires Rust 1.75+ and Cargo:

git clone https://github.com/keeptrusts/keeptrusts.git
cd keeptrusts/cli
cargo build --release

# Binary is at target/release/kt
sudo cp target/release/kt /usr/local/bin/

Docker

The CLI is available as a Docker image:

docker pull keeptrusts/kt:latest

# Run a command (mount the policy file so the container can read it)
docker run --rm \
-v "$(pwd)/policy-config.yaml:/config/policy-config.yaml:ro" \
keeptrusts/kt:latest policy lint --file /config/policy-config.yaml

# Run the gateway (publish the port the gateway listens on)
docker run -p 41002:41002 \
-e KEEPTRUSTS_GATEWAY_TOKEN="kt_gw_your_gateway_token" \
-e OPENAI_API_KEY="sk-your-key" \
-v "$(pwd)/policy-config.yaml:/config/policy-config.yaml:ro" \
keeptrusts/kt:latest gateway run \
--listen 0.0.0.0:41002 \
--policy-config /config/policy-config.yaml

In the recommended workflow, /config/policy-config.yaml defines the provider target and reads OPENAI_API_KEY through secret_key_ref.

The current CLI uses KEEPTRUSTS_API_TOKEN for direct Keeptrusts API access. Hosted and managed gateway runtimes should use KEEPTRUSTS_GATEWAY_TOKEN when they connect to the control plane.

Verify Installation

kt --version
# kt 0.1.0

For AI systems

  • Canonical terms: Keeptrusts, kt CLI, installation, binary release, Docker, KEEPTRUSTS_API_TOKEN, KEEPTRUSTS_GATEWAY_TOKEN, secret_key_ref.
  • Platforms: macOS (universal binary), Linux (x86_64), Docker (keeptrusts/kt:latest), from source (Rust 1.75+).
  • Verify installation with kt --version. Use KEEPTRUSTS_API_TOKEN for direct CLI and API access.

For engineers

  • For macOS or Linux: download the binary with curl and extract to /usr/local/bin/. Verify with kt --version.
  • For containers: use keeptrusts/kt:latest with your policy-config.yaml mounted at /config/.
  • Set KEEPTRUSTS_API_TOKEN for authenticated CLI operations, or KEEPTRUSTS_GATEWAY_TOKEN before starting a hosted or managed gateway.

For leaders

  • The CLI is a single static binary with no runtime dependencies — deployment footprint is minimal.
  • Docker packaging enables integration into existing container orchestration without additional tooling.
  • Building from source is supported for environments with supply-chain verification requirements.

Next steps

  • CLI Overview — Command surface and workflows
  • kt init — Scaffold your first policy project
  • kt doctor — Verify installation and connectivity
  • Quickstart — First governed request end-to-end