Support Surfaces

The OpenAPI specification is the canonical integration contract for all Keel surfaces.

First-class runtime SDKs

Python and TypeScript are the only first-class runtime SDKs. They are release-gated and kept in semantic lockstep with the Keel runtime — new primitives ship to both simultaneously or nothing tags.


pip install keel-sdk        # Python
npm install keel-sdk        # TypeScript

Infrastructure surfaces

Terraform is the official policy-as-code surface for Keel — workspaces, users and roles, API keys, policy attachments, and audit export configuration. The Terraform provider interoperates with OPA for plan-time policy evaluation.

MCP governance is exposed through the /v1/mcp/* API surface. Keel governs MCP tools/call execution through permits and audit evidence; it should not be described as a generic MCP server or submitted to MCP registries.

Generated reference client

Go is published as an official generated/reference client for infrastructure teams. It is not a first-class runtime SDK — it is generated from the OpenAPI specification and intended for integrations where the canonical HTTP contract is sufficient.


go get github.com/keelapi/keel-go

Release verification

Every keel-verifier release from v2.2.0 onward is signed through GitHub Actions OIDC with Sigstore and logged to Rekor. Download the wheel, Sigstore bundle, release manifest, manifest bundle, SBOM, and SBOM attestation bundle from the GitHub Release before verifying.

Verify the wheel:


cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/keelapi/keel-verifier/\.github/workflows/release\.yml@refs/tags/v.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --bundle keel_verifier-<VERSION>-py3-none-any.whl.sigstore \
  keel_verifier-<VERSION>-py3-none-any.whl

Verify the signed release manifest:


cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/keelapi/keel-verifier/\.github/workflows/release\.yml@refs/tags/v.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --bundle manifest.json.sigstore \
  manifest.json

Verify the CycloneDX SBOM attestation against the wheel:


cosign verify-blob-attestation \
  --certificate-identity-regexp 'https://github.com/keelapi/keel-verifier/\.github/workflows/release\.yml@refs/tags/v.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --type cyclonedx \
  --bundle keel_verifier-<VERSION>-sbom.intoto.jsonl \
  keel_verifier-<VERSION>-py3-none-any.whl

Other languages

Clients for other languages can be generated directly from the OpenAPI specification. They are not maintained as official Keel SDKs.

Why a narrow support promise? Keel’s value is the integrity of its permits, evidence, and verifier — properties that depend on lockstep semantics across the surfaces that customers actually run. A short list of well-maintained surfaces is a stronger guarantee than a long list of half-maintained ones. The OpenAPI contract is the universal escape hatch for everything else.

Promotion-from-archive rule

Any archived language (Swift, C#/.NET, PHP, Ruby, Rust) exits the archive only via:

A named, paying design-partner+ customer requiring the language as a contract condition, or
Three consecutive quarters of organic inbound requests citing the language as a procurement blocker.

Ecosystem catalysts alone (e.g., Apple Intelligence MCP support, Microsoft Agent Framework adoption, Laravel AI SDK growth) are signal, not trigger. Customer pull is the trigger.