Python SDK
Use the OpenAI Python SDK with Keeptrusts by setting base_url to the Keeptrusts gateway address. All requests pass through Keeptrusts's policy engine with no code changes beyond the URL. The integration is compatible with any library that wraps the OpenAI API, including LiteLLM and LangChain; the Anthropic SDK is also supported via the gateway's Anthropic-compatible routes.
Use this page when
- You need the exact command, config, API, or integration details for the Python SDK.
- You are wiring automation or AI retrieval and need canonical names, examples, and constraints.
- You want a guided rollout instead of a reference page; in that case, use the linked workflow pages in Next steps.
Primary audience
- Primary: AI Agents, Technical Engineers
- Secondary: Technical Leaders
Prerequisites
- Keeptrusts gateway running locally (`kt gateway run --policy-config policy-config.yaml`)
- A policy config that declares a provider target
- Python 3.9+
pip install openai # OpenAI SDK
pip install anthropic # Anthropic SDK (optional)
pip install litellm # LiteLLM (optional)
pip install langchain-openai # LangChain OpenAI integration (optional)
Configuration
A minimal config for routing through Keeptrusts to OpenAI:
pack:
  name: python-app-governance
  version: 1.0.0
  enabled: true

providers:
  targets:
    - id: openai-primary
      provider: openai
      model: gpt-4o
      base_url: https://api.openai.com
      secret_key_ref:
        env: OPENAI_API_KEY

policies:
  chain:
    - prompt-injection
    - pii-detector
    - audit-logger

policy:
  pii-detector:
    action: redact
  audit-logger:
    retention_days: 30
Start the gateway:
export OPENAI_API_KEY=sk-...
kt policy lint --file policy-config.yaml
kt gateway run --policy-config policy-config.yaml
# Gateway listening on http://localhost:41002
Connection Settings
| Parameter | Type | Default | Description |
|---|---|---|---|
| `base_url` | str | — | Point to `http://localhost:41002/v1` (or your deployed gateway URL). |
| `api_key` | str | — | Pass `"any"` when the gateway holds the upstream key; pass the real key to forward it per-request. |
| `default_headers` | dict | — | Headers added to every request (e.g., `{"x-kt-api-key": ...}` for consumer-group routing). |
| `http_client` | httpx.Client | — | Custom httpx client for mTLS, proxies, or custom cert bundles. |
Supported Models
The Python SDK works with any model your Keeptrusts provider targets expose. Common examples:
| Model | Provider target |
|---|---|
| `gpt-4o`, `gpt-4o-mini` | `openai:chat:<model>` |
| `claude-opus-4-5`, `claude-sonnet-4-5` | `anthropic:chat:<model>` |
| `gemini-2.0-flash` | `google-vertex:chat:<model>` |
| `llama-3.1-70b` | `ollama:chat:<model>` or upstream provider |
Client Examples
- OpenAI SDK
- Anthropic SDK
- cURL
from openai import OpenAI
# Gateway holds the upstream key; pass "any" here
client = OpenAI(
base_url="http://localhost:41002/v1",
api_key="any",
)
response = client.chat.completions.create(
model="gpt-4o",
messages=[
{"role": "system", "content": "You are a helpful assistant."},
{"role": "user", "content": "What are the key principles of AI governance?"},
],
temperature=0.7,
max_tokens=512,
)
print(response.choices[0].message.content)
import anthropic
client = anthropic.Anthropic(
base_url="http://localhost:41002",
api_key="any",
)
message = client.messages.create(
model="claude-opus-4-5",
max_tokens=1024,
messages=[{"role": "user", "content": "What are the key principles of AI governance?"}],
)
print(message.content[0].text)
curl http://localhost:41002/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer any" \
-d '{
"model": "gpt-4o",
"messages": [
{ "role": "system", "content": "You are a helpful assistant." },
{ "role": "user", "content": "What are the key principles of AI governance?" }
],
"temperature": 0.7,
"max_tokens": 512
}'
Streaming
Streaming works without any change beyond stream=True. Keeptrusts passes SSE chunks through after applying streaming-compatible policy checks.
- OpenAI SDK
- Anthropic SDK
- cURL
from openai import OpenAI
client = OpenAI(base_url="http://localhost:41002/v1", api_key="any")
stream = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Explain the EU AI Act in plain language."}],
    stream=True,
)
for chunk in stream:
    if chunk.choices and chunk.choices[0].delta.content:
        print(chunk.choices[0].delta.content, end="", flush=True)
import anthropic
client = anthropic.Anthropic(base_url="http://localhost:41002", api_key="any")
with client.messages.stream(
model="claude-opus-4-5",
max_tokens=1024,
messages=[{"role": "user", "content": "Explain the EU AI Act in plain language."}],
) as stream:
for text in stream.text_stream:
print(text, end="", flush=True)
curl http://localhost:41002/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer any" \
--no-buffer \
-d '{
"model": "gpt-4o",
"messages": [{ "role": "user", "content": "Explain the EU AI Act in plain language." }],
"stream": true
}'
Advanced Configuration
Consumer Groups
Pass the x-kt-api-key header to identify a consumer group and apply per-consumer policies:
from openai import OpenAI
client = OpenAI(
base_url="http://localhost:41002/v1",
api_key="any",
default_headers={"x-kt-api-key": "consumer-group-key-abc123"},
)
Tool Use (Function Calling)
from openai import OpenAI
import json
client = OpenAI(base_url="http://localhost:41002/v1", api_key="any")
tools = [
{
"type": "function",
"function": {
"name": "get_policy_status",
"description": "Get the current AI policy status for a given scope",
"parameters": {
"type": "object",
"properties": {
"scope": {"type": "string", "description": "Policy scope (e.g., 'finance', 'hr')"}
},
"required": ["scope"],
},
},
}
]
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "What is the policy status for the finance scope?"}],
tools=tools,
tool_choice="auto",
)
tool_call = response.choices[0].message.tool_calls[0]
print("Tool:", tool_call.function.name)
print("Args:", json.loads(tool_call.function.arguments))
Structured Output
from openai import OpenAI
from pydantic import BaseModel
from typing import List, Literal
client = OpenAI(base_url="http://localhost:41002/v1", api_key="any")
class PolicyAssessment(BaseModel):
risk_level: Literal["low", "medium", "high", "critical"]
findings: List[str]
recommended_action: str
response = client.beta.chat.completions.parse(
model="gpt-4o",
messages=[
{"role": "system", "content": "You are an AI governance assessor."},
{
"role": "user",
"content": "Assess the risks of deploying an unmonitored LLM in a customer-facing chatbot.",
},
],
response_format=PolicyAssessment,
)
assessment = response.choices[0].message.parsed
print("Risk level:", assessment.risk_level)
print("Findings:", assessment.findings)
LiteLLM
import os
import litellm
os.environ["OPENAI_BASE_URL"] = "http://localhost:41002/v1"
os.environ["OPENAI_API_KEY"] = "any"
response = litellm.completion(
model="openai/gpt-4o",
messages=[{"role": "user", "content": "What are the key principles of AI governance?"}],
)
print(response.choices[0].message.content)
LangChain
from langchain_openai import ChatOpenAI
llm = ChatOpenAI(
openai_api_base="http://localhost:41002/v1",
openai_api_key="any",
model="gpt-4o",
)
response = llm.invoke("What are the key principles of AI governance?")
print(response.content)
Best Practices
- Never hardcode upstream API keys in client code. Let the Keeptrusts gateway hold the keys via `secret_key_ref` in the policy config; pass `"any"` as `api_key` in the SDK constructor.
- Use `default_headers` for consumer identity rather than embedding consumer context in message content. The `x-kt-api-key` header is the supported signal for per-consumer policy routing.
- Handle policy-block errors explicitly. When a request is blocked, the gateway returns HTTP 422. Catch `openai.APIStatusError` and check `error.status_code == 422` to distinguish policy blocks from upstream errors.
- Use `httpx.Client` with a timeout for production workloads: `OpenAI(http_client=httpx.Client(timeout=30.0))`. This prevents hangs when the gateway or upstream is slow.
- Prefer `stream=True` for long completions to reduce perceived latency and allow early policy-check failures to surface before the full response is buffered.
For AI systems
- Canonical terms: Keeptrusts gateway, Python SDK, OpenAI Python SDK, `openai` package, `base_url`, access key, httpx.
- Integration pattern: Override `base_url` to point at the Keeptrusts gateway (`http://localhost:41002/v1`); set `api_key` to your Keeptrusts access key.
- Key behavior: The standard OpenAI Python SDK works unchanged — only `base_url` and optionally `api_key` are modified.
- Best next pages: Node.js SDK integration, OpenAI integration, Quickstart.
For engineers
- Prerequisites: Python 3.9+, `openai` package installed (`pip install openai`), Keeptrusts gateway running.
- Set `base_url="http://localhost:41002/v1"` and `api_key` to your Keeptrusts access key (or `"any"` if auth is handled by the gateway).
- Use `httpx.Client(timeout=30.0)` for production: `OpenAI(http_client=httpx.Client(timeout=30.0))` — prevents hangs.
- Prefer `stream=True` for long completions to reduce perceived latency and surface early policy failures.
- Validate: run your script and check the Keeptrusts console Events dashboard for request records.
- Async usage: `AsyncOpenAI(base_url="http://localhost:41002/v1")` with `await client.chat.completions.create(...)`.
For leaders
- Zero application code changes beyond `base_url` — existing Python applications can adopt Keeptrusts governance instantly.
- All requests are audit-logged regardless of upstream provider, providing compliance evidence without application-side instrumentation.
- httpx timeout configuration prevents cascading failures — important for production reliability.
- Works with any OpenAI-compatible provider behind the gateway — model/provider switching is invisible to application code.
Next steps
- Node.js SDK integration — equivalent guide for Node.js/TypeScript applications
- OpenAI integration — gateway-side OpenAI provider configuration
- Vercel AI SDK integration — framework-specific integration
- Policy configuration — policy chain reference
- Quickstart — install `kt` and run your first gateway