Developers · SDKs

Four languages, one deterministic signature.

Python, Node.js, Go, Java. Every SDK produces the same canonical bytes, the same signature, the same proof — conformance-tested in CI against shared golden vectors.

Each Veridra SDK exposes the same three primitives: a Govern client for system registration and policy lookup, an Attest client for canonicalize/sign/log/verify, and a Watch client for drift and incident events. A decision signed in Python is bit-for-bit identical to the same decision signed in Go.

Design contract

Method names and payload shapes are normalized across languages. Transport defaults to gRPC over mTLS, with a REST fallback. BYOK is mandatory. The SDK never holds signing material; it talks to your KMS and to the Veridra signer separately.

Language support

Python — veridra

pip install veridra. Wheels for Python 3.10+. Async-first client built on httpx and grpclib, with a sync facade for notebooks and batch jobs. Pydantic models for every request and response. Native AWS KMS, Azure Key Vault, and GCP KMS integrations via boto3, azure-identity, and google-cloud-kms.

Node.js / TypeScript — @veridra/sdk

npm install @veridra/sdk. Node 18 LTS and 20 LTS. TypeScript types generated from the same protobufs as the server. Works in edge runtimes (Vercel, Cloudflare Workers) when paired with a remote KMS, with full KMS client bindings on Node.

Go — github.com/veridra/veridra-go

go get github.com/veridra/veridra-go. Go 1.21+. Context-aware API, zero-allocation canonicalization on the hot path, and native gRPC streaming for high-volume signers. We treat this as the reference implementation for performance-sensitive workloads.

Java / JVM — com.veridra:veridra-sdk

Maven and Gradle coordinates published to Central. Java 17 LTS and 21 LTS; Kotlin and Scala consume the same artifact. Reactive (Project Reactor) and blocking clients. Integrates with AWS, Azure, GCP, and HashiCorp Vault SDKs already present in JVM enterprise stacks.

Shared primitives

Canonicalize

RFC 8785 JCS implementation, conformance-tested against the published test vectors plus an internal golden set that's replayed in CI for every SDK on every release.

Sign

Ed25519 via your KMS. The SDK builds the signing request, your KMS produces the signature, and the SDK attaches it to the canonical payload. Keys never leave your boundary.

Log

Synchronous append to your tenant-isolated Trillian tree. Inclusion proof returned in the same call. Retries are idempotent — re-submitting an identical payload returns the original proof rather than a duplicate.

Verify

Every SDK ships an offline verify() that takes a signed record and a public key and returns true or a typed failure. Mirrors the veridra-verify CLI byte for byte.

Determinism is the product

Why four first-party SDKs instead of one polyglot wrapper

A generated wrapper around a single reference implementation drifts the moment a language idiom (integer width, string normalization, map ordering) pushes the canonical bytes apart. Each Veridra SDK adheres to the specification and is tested against the same vectors, ensuring a Python producer and Java verifier align on every byte consistently.

Open source

Apache 2.0 — audit us, fork us, embed us

Every SDK is Apache-licensed. Your security team can read the canonicalization code, your compliance team can verify the signing path, and your internal registry can host a private build. The SDK is not a trade secret — it's a conformance surface.

Quickstart →CLI and tools →API reference →