
What is Veto?

The authorization layer for AI agents. Intercept, validate, and control every tool call.

Veto is an open-source authorization layer that sits between an AI agent and its tools. Every tool call is intercepted, validated against your rules, and either allowed, blocked, or escalated for human approval. The agent never knows the guardrail exists.

How it works
Agent calls tool ──▶ Veto validates ──▶ Tool executes

                     ┌────┴────┐
                     │         │
                   allow     deny / require approval

The integration pattern

Install the SDK, wrap your tools, define rules in YAML. The agent code doesn't change.

TypeScript
import { Veto } from 'veto-sdk';

const veto = await Veto.init();
const tools = veto.wrap(myTools); // drop-in replacement

const agent = createAgent({ tools }); // agent is unaware of Veto

Python
import asyncio
from veto import Veto

async def main():
    # Veto.init() is awaited, so it has to run inside a coroutine
    veto = await Veto.init()
    tools = veto.wrap(my_tools)  # drop-in replacement

    agent = create_agent(tools=tools)  # agent is unaware of Veto

asyncio.run(main())

Rules live in YAML files that the SDK loads automatically:

veto/rules/defaults.yaml
rules:
  - id: limit-transfers
    action: block
    tools: [transfer_funds]
    conditions:
      - field: arguments.amount
        operator: greater_than
        value: 10000

See the Quick Start for complete, runnable examples with OpenAI, Anthropic, Vercel AI SDK, LangChain, Python, and MCP.
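
The limit-transfers rule above, evaluated by hand in JavaScript as an added example (not the Veto SDK's code), to show the intercept-then-decide flow. getField, conditionMatches, decide and wrap are hypothetical names, and treating a missing or non-numeric amount as a match is an assumption of this example, not documented Veto behaviour.

```javascript
// Illustrative only, not Veto's implementation.
// The rule mirrors veto/rules/defaults.yaml from the page, written as a JS object.
const rules = [{
  id: 'limit-transfers',
  action: 'block',
  tools: ['transfer_funds'],
  conditions: [{ field: 'arguments.amount', operator: 'greater_than', value: 10000 }],
}];

// Resolve a dotted path such as "arguments.amount" against the call object.
function getField(call, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), call);
}

// Assumption of this example: a field that is missing or not a finite number
// counts as a match, so a malformed call is blocked rather than waved through.
function conditionMatches(call, cond) {
  const actual = getField(call, cond.field);
  if (typeof actual !== 'number' || !Number.isFinite(actual)) return true;
  if (cond.operator === 'greater_than') return actual > cond.value;
  throw new Error(`unsupported operator: ${cond.operator}`);
}

// Return the first matching rule's decision, or allow when none match.
function decide(call) {
  for (const rule of rules) {
    if (!rule.tools.includes(call.tool)) continue;
    if (rule.conditions.every((c) => conditionMatches(call, c))) {
      return { decision: rule.action, ruleId: rule.id };
    }
  }
  return { decision: 'allow', ruleId: null };
}

// Wrap each tool so the decision is made before the real function runs.
function wrap(tools) {
  const wrapped = {};
  for (const [name, fn] of Object.entries(tools)) {
    wrapped[name] = (args) => {
      const verdict = decide({ tool: name, arguments: args });
      if (verdict.decision !== 'allow') throw new Error(`blocked by ${verdict.ruleId}`);
      return fn(args);
    };
  }
  return wrapped;
}

// Constructed sample tool; its body never runs for a blocked call.
const tools = wrap({ transfer_funds: ({ amount }) => `sent ${amount}` });
```

In this example an amount of exactly 10000 is allowed because the comparison is strict, and the string "20000" is blocked because it is not a number; both are boundary cases worth covering when testing real rules.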

Features

  • Local-first — works out of the box with YAML rules, no API key or account needed
  • One-line integration: veto.wrap(tools) works with any provider, any framework
  • Human-in-the-loop — escalate sensitive tool calls for human approval before execution
  • Policy draft review — queue AI-proposed policy changes for explicit human approve/reject
  • LLM validation — natural language policies for cases static rules can't cover
  • Budget constraints — per-session cost circuit breaker for tool calls
  • Session-aware — track per-session call counts, argument history, and cross-tool constraints
  • CLI tooling: veto / veto studio (Veto Studio interactive mode), veto policy generate|apply, veto guard check (headless), veto cloud login (device auth), plus veto compile, veto learn, veto test, veto scan, and veto diff
  • TypeScript + Python — identical APIs, identical behavior
  • Real-time dashboard — monitor every decision at runveto.com

SDK modes

The SDK auto-detects which mode to use based on how you call init():

| Mode | How to activate | Best for |
|---|---|---|
| Local (default) | Veto.init() | Development, CI, air-gapped environments. YAML rules evaluated in-process, zero network calls. |
| Cloud (recommended) | Veto.init({ apiKey: "veto_..." }) | Production. Dashboard, analytics, human-in-the-loop approvals, LLM validation. |
| Self-hosted | Veto.init({ endpoint: "https://..." }) | Enterprises with data residency requirements. Server-side validation on your infrastructure (dashboard not included). |

Start local, upgrade to cloud when you need visibility. The SDK manages policy caching, approval polling, and decision logging. See SDK Modes.

Framework support

The SDK wraps any tool format. Deep integrations for OpenAI SDK, OpenAI Agents, Anthropic, Google Gemini, Vercel AI SDK, LangChain, LangGraph, MCP, Browser-Use, Playwright, CrewAI, and PydanticAI.

Next steps

| Where to go | What you'll learn |
|---|---|
| Quick Start | End-to-end setup with runnable examples for every framework |
| YAML Rule Format | Complete rule syntax — actions, conditions, severity levels |
| How Validation Works | Architecture deep dive — caching, approval flow, session tracking |
| Post-launch Runbook | Deploy order, smoke checks, incident triage, and rollback steps |