Language support
| Package | Runtime | Surface |
|---|---|---|
| `@knoxcall/sdk` | Node.js ≥ 18, TypeScript-first | Full management + data plane |
| `knoxcall` | Python ≥ 3.10, sync and async | Full management + data plane |
| `knoxcall-go` | Go, stdlib only (zero dependencies) | Full management + data plane |
| `knoxcall/knoxcall-php` | PHP ≥ 8.1, ext-curl + ext-json only | Full management + data plane |
| `knoxcall` | Ruby ≥ 3.1, stdlib only | Full management + data plane |
| `terraform-provider-knoxcall` | Terraform (Plugin Framework) | Routes, secrets, clients, webhooks as code |
| `@knoxcall/browser` + `@knoxcall/react` | Any modern browser / React ≥ 18 | Client-side sealing + iframe Elements |
What every SDK guarantees
The core SDKs are held to a single parity spec (sdk/PARITY.md in the monorepo), with test coverage required for each behavior:
- Automatic retries — HTTP 408, 429, 500, 502, 503, 504 retried with exponential half-jitter backoff; `Retry-After` honored on 429 (capped at 30s); 409 is never retried (a real conflict does not resolve by replaying).
- Idempotency by default — every mutating request carries a ULID `X-Idempotency-Key` generated once per logical request and stable across retries, so replays are safe.
- Transparent 401 re-mint — a 401 purges the cached token and retries once with fresh credentials before surfacing an error. Long-lived processes never wedge on a revoked or rotated token.
- Token lifecycle — tokens cached per tenant + scope with single-flight refresh, refresh-ahead, and a stale-but-valid fallback when the token endpoint is briefly unreachable.
- DPoP sender-constrained tokens (RFC 9449) — Node.js and Python auto-upgrade to DPoP when the OAuth client requires it (`dpop: "auto"`, the default) and support `"always"`. Go, PHP, and Ruby do not sign DPoP proofs yet: they fail fast with a clear typed error rather than mis-authenticating — use a Bearer OAuth client with those SDKs.
- Secret redaction — client secrets, access tokens, and OIDC subject tokens never appear in debug output, logs, or error messages.
- Typed errors with request IDs — 401/403/404/409/422/429/5xx each map to a named error type carrying the server’s `request_id` (quote it when contacting support).
- Envelope + pagination — the server wraps JSON responses in `{data, meta}`. Single-object methods return `data` unwrapped; paginated lists take `page`/`per_page` (default 20, cap 100) and return `{data: [...], meta: {total, page, per_page, total_pages, request_id}}`, with an iterator that walks every page for you.
- Raw data plane — proxy calls (`call()` / bound routes / `ephemeral()`) return the raw HTTP response and never raise on the upstream’s status; legacy `tk_…`/`AKE…` keys automatically travel as `x-knoxcall-key`. Mutating data-plane requests are never replayed after they may have reached the wire.
- Webhook `constructEvent` — verify the delivery’s HMAC-SHA256 signature and parse it into a typed event in one step, across all six signature formats (`legacy`, `stripe`, `github`, `slack`, `aws-sns`, `custom`), with constant-time comparison and replay protection.
- Sandbox mode — a `sandbox` constructor option targets the isolated Test environment (`sandbox.knoxcall.com` management host, `sandbox-{tenant}.knoxcall.com` proxy host) with a `tk_test_` key.
- Credential-less `signup()` — create an account headlessly with no constructed client (see AI agent onboarding).
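
The retry and idempotency rules from the first two bullets above, as an added Python sketch (not KnoxCall SDK code). The base delay, backoff cap, attempt count, the set of mutating methods, the reading of "half-jitter" as half fixed plus half random, and the `send` transport callable are assumptions.

```python
import os
import random
import time

RETRYABLE = {408, 429, 500, 502, 503, 504}   # 409 is deliberately absent
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}  # assumed set of mutating methods
RETRY_AFTER_CAP = 30.0                       # seconds, per the 429 rule above
_B32 = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"    # Crockford base32 alphabet

def new_ulid(now_ms=None, entropy=None):
    """26-char ULID: 48-bit millisecond timestamp followed by 80 random bits."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    rand = os.urandom(10) if entropy is None else entropy
    value = (ts << 80) | int.from_bytes(rand, "big")
    return "".join(_B32[(value >> shift) & 31] for shift in range(125, -1, -5))

def backoff_delay(attempt, base=0.5, cap=8.0, rng=random.random):
    """Half jitter: keep half of the exponential step, randomize the other half."""
    step = min(cap, base * (2 ** attempt))   # base and cap are assumed values
    return step / 2 + rng() * step / 2

def next_delay(status, headers, attempt, rng=random.random):
    """Seconds to wait before the next try, or None when the status is final."""
    if status not in RETRYABLE:
        return None
    # Only the delta-seconds form of Retry-After is handled in this sketch.
    retry_after = headers.get("Retry-After", "")
    if status == 429 and retry_after.isdigit():
        return min(float(retry_after), RETRY_AFTER_CAP)
    return backoff_delay(attempt, rng=rng)

def send_with_retries(send, method, max_attempts=4, sleep=time.sleep,
                      rng=random.random):
    """send(headers) -> (status, response_headers) stands in for the transport."""
    headers = {}
    if method.upper() in MUTATING:
        # Minted once per logical request, then reused unchanged on every retry.
        headers["X-Idempotency-Key"] = new_ulid()
    for attempt in range(max_attempts):
        status, resp_headers = send(dict(headers))
        delay = next_delay(status, resp_headers, attempt, rng)
        if delay is None or attempt == max_attempts - 1:
            return status, attempt + 1
        sleep(delay)
```

Because the key is created outside the loop, a server that deduplicates on `X-Idempotency-Key` sees every retry as the same logical request.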
Authentication quickstart
Every SDK resolves credentials the same way: explicit constructor options beat environment variables, and conflicting options fail at construction. Set the environment once and construct with zero arguments. Passing `tenant` (or setting `KNOXCALL_TENANT`) just skips the discovery lookup.
Canonical environment variables
| Variable | Meaning |
|---|---|
| `KNOXCALL_CLIENT_ID` / `KNOXCALL_CLIENT_SECRET` | OAuth client-credentials grant |
| `KNOXCALL_API_KEY` | pre-acquired key or token (`KNOXCALL_ACCESS_TOKEN` is an equivalent spelling and wins when both are set) |
| `KNOXCALL_TENANT` | tenant slug (optional — auto-discovered when unset) |
| `KNOXCALL_ENVIRONMENT` | default environment for data-plane calls |
| `KNOXCALL_BASE_URL` | management API base override |
| `KNOXCALL_PROXY_BASE_URL` | data-plane base override |
Pick your language
Node.js / TypeScript
@knoxcall/sdk — fully typed, DPoP, workload identity, token stores
Python
knoxcall — one import, sync or async, thread- and fork-safe
Go
knoxcall-go — stdlib only, context-first, goroutine-safe
PHP
knoxcall/knoxcall-php — PHP-FPM aware token handling
Ruby
knoxcall gem — Mutex-safe for Puma and Sidekiq
Terraform
Routes, secrets, clients, and webhooks as code
Browser Elements
Seal PANs and PII in the page; reveal with single-use capability tokens