Quick Start

Get from zero to a governed LLM call in about three minutes.

  • A TapPass gateway URL: http://localhost:9620 for local dev, or the deployment URL your platform team gave you (e.g. https://tappass.example.com).
  • A TapPass API key — created in the dashboard, starts with tp_.
  • An existing app that already talks to OpenAI, Anthropic, Gemini, Bedrock, or any OpenAI-compatible API.

You do not need provider keys in your app. TapPass holds them in its vault and injects them upstream.

Your app talks to TapPass. TapPass runs the governance pipeline, then talks to the provider.

┌──────────┐       ┌──────────────┐       ┌──────────────┐
│   Your   │  tp_  │              │  sk_  │ OpenAI       │
│   App    │──────▶│   TapPass    │──────▶│ Anthropic    │
│          │◀──────│   Gateway    │◀──────│ Gemini, AWS, │
└──────────┘       └──────────────┘       │ Azure, …     │
You have:          Configured by          └──────────────┘
- Gateway URL      your platform team:
- tp_ API key      - Provider API keys    You do NOT
                   - Governance policy    need the
                   - Pipeline config      provider key.

The gateway speaks two wire protocols. Pick the one that matches the SDK your app already uses — no code changes, just environment variables.

| If your app uses… | Set these env vars | Base URL value |
|---|---|---|
| OpenAI SDK | OPENAI_BASE_URL, OPENAI_API_KEY | <gateway>/v1 |
| Anthropic SDK | ANTHROPIC_BASE_URL, ANTHROPIC_API_KEY | <gateway> |
| LangChain / LlamaIndex | OPENAI_BASE_URL, OPENAI_API_KEY | <gateway>/v1 |
| CrewAI / Pydantic AI | OPENAI_BASE_URL, OPENAI_API_KEY | <gateway>/v1 |
| LiteLLM | api_base in config, api_key in config | <gateway>/v1 |
| Vercel AI SDK | OPENAI_BASE_URL or provider override, OPENAI_API_KEY | <gateway>/v1 |
| Raw HTTP (curl, fetch, …) | Authorization: Bearer <tp_key> | <gateway>/v1/chat/completions or <gateway>/v1/messages |

Replace <gateway> with your TapPass URL — http://localhost:9620 for local dev, or your deployment URL.

Why two base-URL shapes? That’s SDK convention, not a TapPass quirk. The OpenAI SDK appends /chat/completions to the base, so the base must contain /v1. The Anthropic SDK appends /v1/messages, so its base must not. Copy the value in the table exactly and both SDKs just work.

The API key is your tp_ key — not the provider key. TapPass replaces the provider key in the existing env var. Your app still uses the OpenAI/Anthropic SDK unchanged.
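
An added example, not TapPass code: a startup preflight that checks the environment against the table above, covering the base-URL shape per SDK and the tp_ key prefix. The name preflight and the plain-HTTP check for non-loopback hosts are assumptions of this example; the /v1 rule and the tp_ prefix come from this page.

```python
import os
from urllib.parse import urlsplit

# From the table above: (base-URL variable, key variable, base must end in /v1).
SDK_RULES = {
    "openai": ("OPENAI_BASE_URL", "OPENAI_API_KEY", True),
    "anthropic": ("ANTHROPIC_BASE_URL", "ANTHROPIC_API_KEY", False),
}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def preflight(sdk, env=None):
    """Return a list of problems with the gateway settings for one SDK."""
    env = os.environ if env is None else env
    url_var, key_var, wants_v1 = SDK_RULES[sdk]
    base, key = env.get(url_var, ""), env.get(key_var, "")
    problems = []

    if not base:
        # With no base URL the SDK uses the provider's own endpoint.
        problems.append(f"{url_var} is unset: calls bypass the gateway")
    else:
        parts = urlsplit(base)
        has_v1 = parts.path.rstrip("/").endswith("/v1")
        if wants_v1 and not has_v1:
            problems.append(f"{url_var} must end in /v1")
        if not wants_v1 and has_v1:
            problems.append(f"{url_var} must not end in /v1")
        # Assumption of this example: only loopback may use plain HTTP.
        if parts.scheme != "https" and parts.hostname not in LOCAL_HOSTS:
            problems.append(f"{url_var} sends the tp_ key over plain HTTP")

    if not key.startswith("tp_"):
        # Report the variable name only, never the key value.
        problems.append(f"{key_var} does not hold a tp_ key")
    return problems


if __name__ == "__main__":
    for name in SDK_RULES:
        for problem in preflight(name):
            print(f"[{name}] {problem}")
```

An empty list means the settings match the table; a key that does not start with tp_ usually means a provider key is still present in the app's environment.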

export OPENAI_BASE_URL=http://localhost:9620/v1
export OPENAI_API_KEY=tp_abc123...

from openai import OpenAI

client = OpenAI()  # reads the env vars above
response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Summarize Q4 revenue"}],
)
print(response.choices[0].message.content)

Every call now routes through the governance pipeline before reaching OpenAI.

export ANTHROPIC_BASE_URL=http://localhost:9620
export ANTHROPIC_API_KEY=tp_abc123...

import anthropic

client = anthropic.Anthropic()  # reads the env vars above
response = client.messages.create(
    model="claude-3-5-sonnet-latest",
    max_tokens=1024,
    messages=[{"role": "user", "content": "Summarize Q4 revenue"}],
)
print(response.content[0].text)

What about Gemini, Bedrock, Mistral, Vertex?

Use the OpenAI env vars above and change the model string. TapPass routes upstream based on the model prefix — no extra endpoint, no SDK swap.

client.chat.completions.create(
    model="google/gemini-1.5-pro",  # Gemini via AI Studio
    # or "vertex/gemini-1.5-pro" — Vertex AI (EU residency)
    # or "bedrock/anthropic.claude-3-sonnet" — AWS Bedrock
    # or "mistral/mistral-large-latest" — Mistral
    messages=[{"role": "user", "content": ""}],
)

Provider credentials stay in the TapPass vault. See Providers for the full list of supported model strings.

Before wiring it into your app, confirm the gateway is reachable:

# OpenAI-compatible endpoint
curl -sS http://localhost:9620/v1/chat/completions \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"ping"}]}'

# Anthropic-compatible endpoint
curl -sS http://localhost:9620/v1/messages \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "Content-Type: application/json" \
  -d '{"model":"claude-3-5-sonnet-latest","max_tokens":64,"messages":[{"role":"user","content":"ping"}]}'

A 200 response means the gateway is proxying. A 403 with a TapPass policy code means governance blocked the call — which is also a working gateway.

Sometimes you want more than env-var passthrough — typed response metadata, structured exceptions, per-agent correlation IDs, and deep links to the audit trail. That’s what the Python SDK is for.

# Quote the requirement so the shell does not treat ">" as a redirect
pip install "tappass>=0.6.0"

Governed chat:

from tappass import Agent, PolicyBlockError

agent = Agent("https://tappass.example.com", api_key="tp_...")
try:
    r = agent.chat("Summarize Q4 revenue")
    print(r.content)
    print(r.session_id, r.audit_url)  # deep link to dashboard
except PolicyBlockError as e:
    # Raised when the governance pipeline blocks the call
    print(f"Blocked by {e.blocked_by}: {e.reason}")

Govern a CrewAI run end-to-end — every tool call is audited with correlation IDs that tie back to the crew run:

from crewai import Crew
from tappass.integrations.crewai import guard_crew

# crew is your existing Crew instance
with guard_crew(crew, tappass_url=..., api_key="tp_...") as session:
    result = session.kickoff()
    print(session.audit_url)

See the SDK reference for the full surface: tappass_session ambient context, GovernanceDecision exceptions (block, redact, approve, trust-tier, break-glass, tool-integrity), and every framework integration.

  • Your First Agent — governance flags, streaming, async, errors
  • Integrations — per-framework walkthroughs (LangChain, CrewAI, LlamaIndex, Google ADK, Vercel AI, MCP, n8n)
  • Providers — supported model strings for OpenAI, Anthropic, Gemini, Vertex, Bedrock, Mistral, vLLM
  • Governance Flags — control PII masking, budgets, tool access per call