Skip to main content

CLI Overview

Use the kt CLI to manage the public Keeptrusts workflow from the terminal.

Start here

If you need to...Start with
Bootstrap a configkt init
Validate config and policyConfig Validation and Policy Lifecycle
Run a gatewaykt gateway run
Manage profiles and regionsRegions Overview and Region Commands
Connect an MCP client to KeeptrustsGateway MCP Surface
Inspect runtime outcomeskt events and kt export-jobs
Review immutable audit evidencekt trail
Manage tokens and authkt auth
Review spend and budgetskt spend

Public command groups

WorkflowCommands
Bootstrap and diagnosticskt init, kt doctor, kt config validate
Auth and tokenskt auth ..., kt token ...
Policy authoringkt policy lint/test/push/deploy for runtime config; kt policy diff/apply/evaluate/export for IAM
Gateway runtimekt gateway ...
Profiles, regions, and localitykt configure ..., kt regions ..., kt --region ...
Published-hostname MCPGateway-hosted /mcp surface on a published agent hostname
Events and evidencekt events ..., kt trail ..., kt export-jobs ..., kt escalation ...
Cache and secretskt cache ..., kt secret ..., kt secrets ...
IAM and agentskt user ..., kt team ..., kt role ..., kt iam policy ..., kt agent ...
Spend and budgetskt spend summary, kt spend budget ..., kt spend provider-budget ...
Declarative control planekt control plan/apply/export

This site focuses on the customer-facing command groups that are documented for public use.

Typical public workflow

export KEEPTRUSTS_API_URL="https://api.keeptrusts.com"
export KEEPTRUSTS_API_TOKEN="kt_your_authorized_token"

kt init
kt config validate --file policy-config.yaml
kt policy lint --file policy-config.yaml
kt policy test --json
kt gateway check --config policy-config.yaml
# Add a provider target and its referenced secret before serving model traffic.
# Replace docs-demo with an existing control-plane agent name.
kt gateway run --agent docs-demo --listen 127.0.0.1:41002 --policy-config policy-config.yaml
kt events tail --since 5m --json

Common global options

--lang and the compatibility --region shim are top-level global options. The other flags below are command-specific; use them only when the selected subcommand documents them.

FlagMeaning
--langSelect localized CLI output, overriding KT_LANG and the OS locale
--jsonRequest JSON output when the command supports it
--configChoose a local CLI config file when the command supports it
--api-urlOverride the API base URL on supported API-backed commands
--api-tokenOverride the API token on supported API-backed commands
--profileChoose a named CLI profile on supported API-backed commands
--regionSet process-wide region context for local runtime surfaces that still honor the compatibility shim; API commands usually expose their own --region option

The default CLI config file path is ~/.keeptrusts/config.yaml.

Declarative-config precedence

Use ~/.keeptrusts/config.yaml for CLI profile defaults such as the requested region. Use policy-config.yaml for gateway runtime and provider routing, including locality-sensitive behavior. kt regions current helps you inspect the former; it does not rewrite the latter.

Key environment variables

VariablePurpose
KEEPTRUSTS_API_URLKeeptrusts API base URL
KEEPTRUSTS_API_TOKENDirect CLI credential or connected-runtime service credential, depending on the process; it is not automatically the application bearer token for model requests
KEEPTRUSTS_REGIONCompatibility process-wide region context for surfaces that still honor it; it is not the API-command region fallback
KEEPTRUSTS_OPENAI_API_KEYRecommended OpenAI provider secret name; reference this exact name through secret_key_ref.env
KEEPTRUSTS_CONFIGPath to a local CLI config file

Provider credentials are resolved only from the exact environment or secret store name declared by the target. The gateway does not implicitly fall back to generic provider variables such as OPENAI_API_KEY.

Next steps