Skip to main content

Feature and Support Matrix

This matrix maps customer jobs to the documented, supported surface. A feature name in source code, a catalog entry, or a UI placeholder is not a customer support commitment.

Customer surfaces

SurfaceStatusUse it forImportant boundary
Management consoleSupportedInteractive organization, agent, gateway, identity, evidence, and billing workflowsBrowser traffic uses API-owned cookie, CORS, and CSRF behavior.
kt CLISupportedLocal gateway operation and scripted control-plane workflowsCheck the command's own auth, region, and mutation flags.
Public API v1SupportedProgrammatic control and audit workflows present in /v1/openapi.jsonEndpoint-specific schemas and permissions are authoritative.
OpenAI-compatible SDK useSupported for documented gateway familiesPoint standard SDKs at the gateway base URLGovernance coverage differs by request family.
Server-side TypeScript gateway workflowSupported through the standard OpenAI clientFollow the TypeScript page to call a Keeptrusts gateway from server-side codeThe @keeptrusts/agent 0.1.0 package is not adoption-ready and cannot currently be imported as a working runtime.

Product feature coverage

JobConsoleCLIPublic API guidance
AgentsAgentsAgents CLIOpenAPI agent operations
Gateway runtimeGateway FleetGateway AdministrationGateway registry and telemetry operations
Runtime configurationConfigurationsPolicy LifecycleConfiguration operations in OpenAPI
IAM, users, teams, rolesIdentity and AccessIAM CLIIdentity/access operations in OpenAPI
SSO and SCIMConnection and SCIM administration are exposed; the current console browser callback is not adoption-ready—see SSO and SCIMControl manifest only for supported organization browser-auth and SSO-discovery policy; not connection or SCIM administrationIdentity/access operations are present in OpenAPI, subject to the documented browser-flow boundary
OAuth clientsRegistry and PKCE mechanics are visible in OAuth Clients, but there is no supported end-to-end public bearer flowRegistry and PKCE endpoints are present in OpenAPI; observe the documented token-authentication boundary
MFA and passkeysMFA and PasskeysAuthentication operations in OpenAPI
Events and escalationsOverview and agent/gateway monitoring for Events; Inbox for escalationsEvents, EscalationsGovernance operations in OpenAPI
Trail evidenceTrail and Audit EvidenceTrail CLITrail operations in OpenAPI
HistoryConsole HistoryHistory CLIHistory operations in OpenAPI
Spend and budgetsBilling and PaymentsSpend CLISpend/budget operations in OpenAPI
Resource tagsResource TagsAgent tags in supported control manifests; no generic kt tag commandResource-tag operations
Context FabricAgent and gateway detail viewsGateway/config workflowsContext Fabric Lifecycle
SecretsConsole SecretsSecret and Credential ManagementSecret operations in OpenAPI
Region discoveryConsole locality fieldsRegions CLIRegion operations in OpenAPI

An em dash means this site does not document an equivalent customer workflow on that surface. It does not invite use of an internal route.

Gateway request families

FamilyPublic routeCurrent boundary
Chat CompletionsPOST /v1/chat/completionsOpenAI-compatible JSON or SSE; executes the documented input/output policy path
ResponsesPOST /v1/responsesResponses-style JSON or SSE; executes the documented input/output policy path
Anthropic Messages shapePOST /v1/messagesAuthentication, connected billing, and provider routing; does not execute Chat/Responses policy evaluation
EmbeddingsPOST /v1/embeddingsVector-generation path; use a documented embeddings provider
Audio transcriptionPOST /v1/audio/transcriptionsSpeech-to-text path
Audio speechPOST /v1/audio/speechBinary text-to-speech response
ModerationPOST /v1/moderationsRoute-specific runtime behavior
ModelsGET /v1/models and GET /v1/models/:model_idPublished model discovery
WebSocket/v1/chat/completions/ws, /v1/responses/wsUpgrade/proxy compatibility; no frame-level governance
Published-host MCPGET /mcp, POST /mcpPublished agent-hostname MCP surface and its documented capability limits

See Runtime Request Families before choosing a route. Never infer policy parity from a similar request body.

Documented live provider setup guides

The following providers have customer setup guides for the implemented adapter or OpenAI-compatible contract:

  • AIML API
  • Azure OpenAI
  • Cerebras
  • Cloudera AI Inference
  • Cloudflare AI Gateway
  • Databricks
  • DeepSeek
  • Fireworks AI
  • Google AI Studio
  • Google Vertex AI
  • Groq
  • Hugging Face
  • Mistral
  • OpenAI
  • OpenRouter
  • Perplexity
  • QuiverAI
  • Replicate
  • Amazon SageMaker
  • Together AI
  • Vercel AI Gateway
  • Voyage AI
  • xAI

Use the specific page under Integrations. Its request-family, credential, endpoint, and production caveats take precedence over this list.

Catalog presence is not live verification. Validate the exact provider, region, model, credential, request family, streaming mode, and required policy path before production use.

SDK guidance

For production application integration, prefer a standard OpenAI-compatible client or direct HTTP against a supported gateway request family:

The TypeScript agent page is a server-side gateway workflow implemented with the standard OpenAI client. The published @keeptrusts/agent 0.1.0 package is not adoption-ready and cannot currently be imported as a working runtime; do not make it a production dependency.

How to verify a claimed capability

Before depending on a feature:

  1. Find it in this matrix and its owning guide.
  2. Confirm the operation in /v1/openapi.json or the current kt --help.
  3. Validate the exact environment and credentials.
  4. Exercise a representative success case.
  5. Exercise the expected deny or failure case.
  6. Verify current state and evidence in the owning surface.

If the feature is absent from both public docs and public discovery, do not infer support from an old README, a generated type, a catalog count, or an internal route.

Next steps