Provenant client SDK — authorize, simulate, and complete agent actions through the control plane.
Project description
provenant-sdk (Python SDK)
First-party Python client for the Provenant control-plane API — the few lines an autonomous agent adds to become governable.
- Zero dependencies. Standard library only (
urllib,json,dataclasses,typing). Offline-friendly and trivial to vendor. - Mirrors the TypeScript SDK (
@identiqube/provenant-sdk) surface, paths, headers, and accepted status codes — using Pythonsnake_casemethod names.
Install
pip install provenant-sdk
Or vendor the provenant_sdk/ package directly — it has no third-party deps.
Quickstart — authorize → act → complete
import os
from provenant_sdk import ProvenantClient
provenant = ProvenantClient(
"https://provenant.identiqube.com",
api_key=os.environ["PROVENANT_KEY"],
)
decision = provenant.authorize({
"type": "payment.send",
"resource": "vendor:acme",
"valueCents": 25_00,
})
if decision["status"] == "authorized":
ref = pay_vendor(...) # your real-world side effect
provenant.complete(decision["id"], {
"success": True,
"externalRef": ref,
"warrant": decision["authorizationToken"], # proves possession
})
else:
# A `deny` decision is returned (not raised) — branch on it.
print("blocked:", decision["decision"]["reason"])
A deny decision is returned, not raised, so you can branch on
decision["status"]. Auth/validation failures raise ProvenantError.
Binding enforcement — invoke
Act on a resource through Provenant. The control plane evaluates policy and only performs the downstream call (using the connector's server-held credential) when allowed — your agent never holds the credential and cannot bypass the decision.
res = provenant.invoke({
"type": "payment.send",
"resource": "vendor:acme",
"valueCents": 25_00,
"request": {
"method": "POST",
"path": "/v1/charges",
"body": '{"amount": 2500, "currency": "usd"}',
},
})
if res["status"] == "executed":
print(res["output"]) # { "status", "headers", "body" } from the connector
else:
print("blocked/held:", res["action"]["status"])
Convenience — guard
Authorize, run your work if allowed, then report completion automatically. If your
callback raises, the action is completed with success=False and the error re-raised.
def execute(decision):
ref = pay_vendor(...)
return {"result": ref, "externalRef": ref}
outcome = provenant.guard(
{"type": "payment.send", "resource": "vendor:acme", "valueCents": 25_00},
execute,
)
if outcome["authorized"]:
print("done:", outcome["result"])
else:
print("blocked:", outcome["decision"]["decision"]["reason"])
Methods
| Method | HTTP |
|---|---|
authorize(input) |
POST /v1/actions/authorize (ok: 200, 202, 403) |
get_action(action_id) |
GET /v1/agent/actions/{id} |
simulate(input) |
POST /v1/actions/simulate (ok: 200) |
complete(action_id, result) |
POST /v1/actions/{id}/complete (ok: 200) |
invoke(input) |
POST /v1/gateway/invoke (ok: 200, 202, 403, 502) |
mint_credential(input) |
POST /v1/gateway/credential (ok: 200, 202, 403) |
connectors() |
GET /v1/connectors/available → connectors list |
spawn(input) |
POST /v1/agents/delegate (ok: 201) |
guard(input, execute) |
convenience: authorize → execute → complete |
Auth header: x-provenant-key: <api_key>. Request bodies are JSON
(content-type: application/json).
Errors
On a non-ok status, methods raise ProvenantError(code, message, status), parsed from
the JSON {"error": {"code", "message"}} envelope (falling back to request_failed /
HTTP {status}).
from provenant_sdk import ProvenantError
try:
provenant.authorize({"type": "payment.send", "resource": "vendor:acme"})
except ProvenantError as e:
print(e.code, e.status, e.message)
Testing
ProvenantClient accepts an injectable opener so you can test offline without a
network. See tests/test_client.py.
client = ProvenantClient("https://api.test", "key", opener=my_stub_opener)
License
Apache-2.0 (see the LICENSE file in this package). This SDK is open source; the Provenant server product it talks to is separately licensed (proprietary).
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file provenant_sdk-0.8.3.tar.gz.
File metadata
- Download URL: provenant_sdk-0.8.3.tar.gz
- Upload date:
- Size: 13.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
952b0f191b905b9c02bb63e8f0e8e6987569aea30a9008970d673602feaa812c
|
|
| MD5 |
7dba087707bdcccc48795548910146d9
|
|
| BLAKE2b-256 |
080a6bce7843245acc803dbca511d9f4864d2d99091f9a94f5b116301ff7dde3
|
Provenance
The following attestation bundles were made for provenant_sdk-0.8.3.tar.gz:
Publisher:
release.yml on IdentiQube/Provenant
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
provenant_sdk-0.8.3.tar.gz -
Subject digest:
952b0f191b905b9c02bb63e8f0e8e6987569aea30a9008970d673602feaa812c - Sigstore transparency entry: 2172555121
- Sigstore integration time:
-
Permalink:
IdentiQube/Provenant@0064c93249acf2630076f8575fd72928c979eb2a -
Branch / Tag:
refs/tags/v0.8.3 - Owner: https://github.com/IdentiQube
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@0064c93249acf2630076f8575fd72928c979eb2a -
Trigger Event:
push
-
Statement type:
File details
Details for the file provenant_sdk-0.8.3-py3-none-any.whl.
File metadata
- Download URL: provenant_sdk-0.8.3-py3-none-any.whl
- Upload date:
- Size: 12.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
af41b3a106086a7dc72bee40209ea2c2bf28c3a9c689e8d8c6f822cf0894d1d8
|
|
| MD5 |
54c8d90834f123e7b0cdc8f39e9d8bfd
|
|
| BLAKE2b-256 |
c1aba2296e3af79a9951a92272cbca9ed8142f6138665050808ef96ae045fe92
|
Provenance
The following attestation bundles were made for provenant_sdk-0.8.3-py3-none-any.whl:
Publisher:
release.yml on IdentiQube/Provenant
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
provenant_sdk-0.8.3-py3-none-any.whl -
Subject digest:
af41b3a106086a7dc72bee40209ea2c2bf28c3a9c689e8d8c6f822cf0894d1d8 - Sigstore transparency entry: 2172555181
- Sigstore integration time:
-
Permalink:
IdentiQube/Provenant@0064c93249acf2630076f8575fd72928c979eb2a -
Branch / Tag:
refs/tags/v0.8.3 - Owner: https://github.com/IdentiQube
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@0064c93249acf2630076f8575fd72928c979eb2a -
Trigger Event:
push
-
Statement type: