Install the Gateway

Get the kt binary on your machine, generate a starter policy-config.yaml, and run governed AI traffic locally.

Use this page when

• You need to install the kt CLI binary on macOS, Linux, Windows, or Docker.
• You are bootstrapping a new local gateway with kt init and a starter policy-config.yaml.
• You want to verify the install with kt --version and kt doctor, then send your first governed request.

Primary audience

• Primary: Technical Engineers
• Secondary: AI Agents, Technical Leaders

One-line install

macOS

brew install keeptrusts/tap/kt

Or download the universal disk image directly:

curl -fsSLO https://dl.keeptrusts.com/releases/latest/kt-macos-universal.dmg
hdiutil attach kt-macos-universal.dmg
cp /Volumes/Keeptrusts\ Gateway/kt /usr/local/bin/kt
hdiutil detach /Volumes/Keeptrusts\ Gateway

Linux (x86_64)

Use the package format that matches your distribution:

Debian/Ubuntu:

curl -fsSLO https://dl.keeptrusts.com/releases/latest/kt-linux-x86_64.deb
sudo dpkg -i kt-linux-x86_64.deb

RHEL/Fedora:

curl -fsSLO https://dl.keeptrusts.com/releases/latest/kt-linux-x86_64.rpm
sudo rpm -i kt-linux-x86_64.rpm

Linux (ARM64)

curl -fsSL https://dl.keeptrusts.com/releases/latest/kt-linux-aarch64.tar.gz \
  | sudo tar xz -C /usr/local/bin kt

Windows

# Download and extract
Invoke-WebRequest -Uri "https://dl.keeptrusts.com/releases/latest/kt-windows-x86_64.zip" -OutFile kt-windows-x86_64.zip
Expand-Archive kt-windows-x86_64.zip -DestinationPath "$env:LOCALAPPDATA\keeptrusts"
# Add to PATH
$env:PATH += ";$env:LOCALAPPDATA\keeptrusts"

Docker

docker pull ghcr.io/keeptrusts/kt:latest
docker run --rm -p 41002:41002 ghcr.io/keeptrusts/kt gateway run

Verify the install

kt --version

You should see output like kt 1.x.x.

Run the health check

kt doctor

This validates your environment, checks connectivity, and reports any missing configuration.

Create a starter config

Bootstrap a starter project:

kt init

Then update policy-config.yaml so it includes both your policies and your provider target:

policy-config.yaml

pack:
  name: gateway-local
  version: 0.1.0
  enabled: true

providers:
  targets:
    - id: openai-primary
      provider: openai
      model: gpt-4o
      base_url: https://api.openai.com
      secret_key_ref:
        env: OPENAI_API_KEY

policies:
  chain:
    - prompt-injection
    - pii-detector
    - audit-logger

policy:
  pii-detector:
    action: redact

  audit-logger:
    retention_days: 30

Validate the config

kt policy lint --file policy-config.yaml
kt policy test --json

Start the gateway

Export the provider credential and run the gateway:

export OPENAI_API_KEY="sk-..."
kt gateway run --policy-config policy-config.yaml

If you are running a hosted gateway instead of a local one, store the credential as a config variable and switch the provider target to secret_key_ref rather than secret_key_ref.

Gateway auto-registration

The first time your gateway sends a telemetry heartbeat to the control plane, it is automatically registered and appears in the console under Gateways. The default display name is derived from the server hostname (the $HOSTNAME environment variable). You can rename the gateway at any time from the console Settings → Gateways page or via the API:

kt gateway update --id <gateway-id> --name "Production US-East"

No manual registration step is required — traffic can start flowing immediately after the first heartbeat.

Verify the running config

curl http://localhost:8080/keeptrusts/config

Send your first request

The gateway is OpenAI-compatible. Point any SDK at http://localhost:8080:

curl http://localhost:8080/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [{"role": "user", "content": "Hello, world!"}]
  }'

Your request is now governed by the config you just validated.

For AI systems

• Canonical terms: Keeptrusts, kt CLI, gateway, policy-config.yaml, kt init, kt gateway run, kt doctor, kt policy lint, kt policy test.
• Install methods: Homebrew (keeptrusts/tap/kt), .deb, .rpm, .tar.gz, .zip, Docker (ghcr.io/keeptrusts/kt).
• Default gateway port: 8080. Auto-registration on first heartbeat.
• Related pages: Quickstart, Declarative Config Reference, Gateway Runtime Features.

For engineers

• Run kt --version to confirm the binary is on PATH.
• Run kt doctor to validate environment, connectivity, and configuration.
• Run kt policy lint --file policy-config.yaml before starting the gateway.
• The gateway is OpenAI-compatible — point any SDK at http://localhost:8080.
• For hosted gateways, use secret_key_ref (config variable) instead of env for provider credentials.

For leaders

• The gateway installs in under 2 minutes on any developer workstation — no infrastructure provisioning needed for local evaluation.
• Auto-registration means gateways appear in the console immediately after first traffic, with no manual onboarding step.
• Docker deployment supports containerized CI/CD pipelines and hosted gateway topologies.

Next steps

• Quickstart — follow the full config-first setup path
• Declarative Config Reference — learn the supported schema
• Policy Controls Catalog — browse available policy kinds
• Configurations — save versions and roll them out
• Gateway Runtime Features — understand the public runtime surface