Feature and Support Matrix
This matrix maps customer jobs to the documented, supported surface. A feature name in source code, a catalog entry, or a UI placeholder is not a customer support commitment.
Customer surfaces
| Surface | Status | Use it for | Important boundary |
|---|---|---|---|
| Management console | Supported | Interactive organization, agent, gateway, identity, evidence, and billing workflows | Browser traffic uses API-owned cookie, CORS, and CSRF behavior. |
kt CLI | Supported | Local gateway operation and scripted control-plane workflows | Check the command's own auth, region, and mutation flags. |
| Public API v1 | Supported | Programmatic control and audit workflows present in /v1/openapi.json | Endpoint-specific schemas and permissions are authoritative. |
| OpenAI-compatible SDK use | Supported for documented gateway families | Point standard SDKs at the gateway base URL | Governance coverage differs by request family. |
| Server-side TypeScript gateway workflow | Supported through the standard OpenAI client | Follow the TypeScript page to call a Keeptrusts gateway from server-side code | The @keeptrusts/agent 0.1.0 package is not adoption-ready and cannot currently be imported as a working runtime. |
Product feature coverage
| Job | Console | CLI | Public API guidance |
|---|---|---|---|
| Agents | Agents | Agents CLI | OpenAPI agent operations |
| Gateway runtime | Gateway Fleet | Gateway Administration | Gateway registry and telemetry operations |
| Runtime configuration | Configurations | Policy Lifecycle | Configuration operations in OpenAPI |
| IAM, users, teams, roles | Identity and Access | IAM CLI | Identity/access operations in OpenAPI |
| SSO and SCIM | Connection and SCIM administration are exposed; the current console browser callback is not adoption-ready—see SSO and SCIM | Control manifest only for supported organization browser-auth and SSO-discovery policy; not connection or SCIM administration | Identity/access operations are present in OpenAPI, subject to the documented browser-flow boundary |
| OAuth clients | Registry and PKCE mechanics are visible in OAuth Clients, but there is no supported end-to-end public bearer flow | — | Registry and PKCE endpoints are present in OpenAPI; observe the documented token-authentication boundary |
| MFA and passkeys | MFA and Passkeys | — | Authentication operations in OpenAPI |
| Events and escalations | Overview and agent/gateway monitoring for Events; Inbox for escalations | Events, Escalations | Governance operations in OpenAPI |
| Trail evidence | Trail and Audit Evidence | Trail CLI | Trail operations in OpenAPI |
| History | Console History | History CLI | History operations in OpenAPI |
| Spend and budgets | Billing and Payments | Spend CLI | Spend/budget operations in OpenAPI |
| Resource tags | Resource Tags | Agent tags in supported control manifests; no generic kt tag command | Resource-tag operations |
| Context Fabric | Agent and gateway detail views | Gateway/config workflows | Context Fabric Lifecycle |
| Secrets | Console Secrets | Secret and Credential Management | Secret operations in OpenAPI |
| Region discovery | Console locality fields | Regions CLI | Region operations in OpenAPI |
An em dash means this site does not document an equivalent customer workflow on that surface. It does not invite use of an internal route.
Gateway request families
| Family | Public route | Current boundary |
|---|---|---|
| Chat Completions | POST /v1/chat/completions | OpenAI-compatible JSON or SSE; executes the documented input/output policy path |
| Responses | POST /v1/responses | Responses-style JSON or SSE; executes the documented input/output policy path |
| Anthropic Messages shape | POST /v1/messages | Authentication, connected billing, and provider routing; does not execute Chat/Responses policy evaluation |
| Embeddings | POST /v1/embeddings | Vector-generation path; use a documented embeddings provider |
| Audio transcription | POST /v1/audio/transcriptions | Speech-to-text path |
| Audio speech | POST /v1/audio/speech | Binary text-to-speech response |
| Moderation | POST /v1/moderations | Route-specific runtime behavior |
| Models | GET /v1/models and GET /v1/models/:model_id | Published model discovery |
| WebSocket | /v1/chat/completions/ws, /v1/responses/ws | Upgrade/proxy compatibility; no frame-level governance |
| Published-host MCP | GET /mcp, POST /mcp | Published agent-hostname MCP surface and its documented capability limits |
See Runtime Request Families before choosing a route. Never infer policy parity from a similar request body.
Documented live provider setup guides
The following providers have customer setup guides for the implemented adapter or OpenAI-compatible contract:
- AIML API
- Azure OpenAI
- Cerebras
- Cloudera AI Inference
- Cloudflare AI Gateway
- Databricks
- DeepSeek
- Fireworks AI
- Google AI Studio
- Google Vertex AI
- Groq
- Hugging Face
- Mistral
- OpenAI
- OpenRouter
- Perplexity
- QuiverAI
- Replicate
- Amazon SageMaker
- Together AI
- Vercel AI Gateway
- Voyage AI
- xAI
Use the specific page under Integrations. Its request-family, credential, endpoint, and production caveats take precedence over this list.
Catalog presence is not live verification. Validate the exact provider, region, model, credential, request family, streaming mode, and required policy path before production use.
SDK guidance
For production application integration, prefer a standard OpenAI-compatible client or direct HTTP against a supported gateway request family:
- Node.js SDK Integration
- Python SDK Integration
- Node.js Workflow
- Python Workflow
- Java and Spring Workflow
- .NET Workflow
The TypeScript agent page is a server-side gateway workflow implemented with
the standard OpenAI client. The published @keeptrusts/agent 0.1.0 package is
not adoption-ready and cannot currently be imported as a working runtime; do
not make it a production dependency.
How to verify a claimed capability
Before depending on a feature:
- Find it in this matrix and its owning guide.
- Confirm the operation in
/v1/openapi.jsonor the currentkt --help. - Validate the exact environment and credentials.
- Exercise a representative success case.
- Exercise the expected deny or failure case.
- Verify current state and evidence in the owning surface.
If the feature is absent from both public docs and public discovery, do not infer support from an old README, a generated type, a catalog count, or an internal route.