SDKs

Go SDK

Quickstart for the Lattix Go SDK — a thin typed wrapper over the Rust core, exposing the /v1/sdk/* control-plane surface with a Go-idiomatic API.

The Go SDK is a thin typed wrapper over the Rust SDK core. It exposes the same eight operations with Go-idiomatic types and is the right choice for sidecars, gateways, and service-mesh enforcement where a compiled binary needs to call into the Lattix control plane.

This page is a conceptual quickstart. Full API reference — every exported type, every field, every option — lives with the Go module itself at github.com/LATTIX-IO/sdk-go-public and via pkg.go.dev.

Install

The Go module path is github.com/LATTIX-IO/sdk-go-public. In addition to go get, the Go SDK requires a version-matched native Rust library installed alongside the Go binary.

One-command native bootstrap

A release of the Go module attaches two installer scripts. Run the one for your platform:

Linux / macOS

./install-native.sh
source ./activate-native.sh

Windows

./install-native.ps1

The installer downloads the matching sdk-rust native archive and exposes the environment variables needed for CGO builds or native loading.

Manual install

If you already manage native dependencies yourself, install the Rust core library alongside the Go binary:

  • Windows — place sdk_rust.dll next to your executable, or set LATTIX_SDK_RUST_LIB to its path.
  • Linux / macOS — install libsdk_rust.so or libsdk_rust.dylib, make lattix_sdk.h reachable, and set CGO_CFLAGS / CGO_LDFLAGS.

Build tags

The package compiles in two modes:

  • Without the rustbindings tag — the package builds but NewClient(...) returns a runtime error. This is useful for vendor and CI scenarios where the native library is not available.
  • With -tags rustbindings — the package links against the Rust native library.
go build -tags rustbindings ./...
go test -tags rustbindings ./...

Construct a client

package main

import (
    "fmt"

    sdk "github.com/LATTIX-IO/sdk-go-public"
)

func main() {
    client, err := sdk.NewClient(sdk.Options{
        BaseURL:     "https://api.lattix.io",
        BearerToken: "<your-token>",
        TenantID:    "<your-tenant>",
        UserID:      "<your-user>",
    })
    if err != nil {
        panic(err)
    }
    defer client.Close()

    bootstrap, err := client.Bootstrap()
    if err != nil {
        panic(err)
    }
    fmt.Println(bootstrap.EnforcementModel)
}

Options

The Options struct is the single configuration point.

FieldPurpose
BaseURLThe Lattix platform API base URL.
BearerTokenPre-issued bearer token attached to every request.
ClientID / ClientSecretSDK client credentials; the SDK exchanges them for a short-lived token on first use.
TenantIDTenant identity for this client instance. Required in client-credentials mode.
UserIDUser/principal identity (used in trusted-headers deployments).
TimeoutSecsHTTP request timeout in seconds.
TokenExchangePathOverride the default session-exchange endpoint path.
RequestedScopesRequested scopes during session exchange.
HeadersAdditional headers attached to every request.

Close() releases the underlying native client handle. Use defer client.Close() for safety.

Make a call

Every operation is a method on *Client returning a pointer to a typed response and a regular Go error.

import (
    sdk "github.com/LATTIX-IO/sdk-go-public"
)

plan, err := client.ProtectionPlan(sdk.SdkProtectionPlanRequest{
    Operation: sdk.ProtectionOperationProtect,
    Workload: sdk.WorkloadDescriptor{
        Application: "example-app",
        Environment: "prod",
        Component:   "ingest",
    },
    Resource: sdk.ResourceDescriptor{
        Kind:     "document",
        ID:       "doc-123",
        MimeType: "application/pdf",
    },
    PreferredArtifactProfile: sdk.ArtifactProfileTDF,
    ContentDigest:            "sha256:...",
    ContentSizeBytes:         1024,
    Purpose:                  "store",
    Labels:                   []string{"confidential"},
})
if err != nil {
    // handle error
}

if plan.Decision.Allow && plan.Execution.ProtectLocally {
    // ... perform local protection using the indicated artifact profile
}

The eight operations

Every method maps to a single /v1/sdk/* route.

client.Capabilities()                 // GET /v1/sdk/capabilities
client.WhoAmI()                       // GET /v1/sdk/whoami
client.Bootstrap()                    // GET /v1/sdk/bootstrap
client.ExchangeSession()              // POST /v1/sdk/session (client-credentials mode only)
client.ProtectionPlan(req)            // POST /v1/sdk/protection-plan
client.PolicyResolve(req)             // POST /v1/sdk/policy-resolve
client.KeyAccessPlan(req)             // POST /v1/sdk/key-access-plan
client.ArtifactRegister(req)          // POST /v1/sdk/artifact-register
client.Evidence(req)                  // POST /v1/sdk/evidence

See Platform API → Endpoints for the shape of each request and response. The Go struct names mirror the wire contract: SdkProtectionPlanRequest, SdkPolicyResolveResponse, KeyAccessDecision, etc.

Constants and enums

The package exports typed string constants for every enum in the contract:

sdk.ProtectionOperationProtect        // "protect"
sdk.ProtectionOperationAccess         // "access"
sdk.ProtectionOperationRewrap         // "rewrap"

sdk.KeyAccessOperationWrap            // "wrap"
sdk.KeyAccessOperationUnwrap          // "unwrap"
sdk.KeyAccessOperationRewrap          // "rewrap"

sdk.ArtifactProfileTDF                // "tdf"
sdk.ArtifactProfileEnvelope           // "envelope"
sdk.ArtifactProfileDetachedSignature  // "detached_signature"

sdk.EvidenceEventTypeProtect          // "protect"
sdk.EvidenceEventTypeAccess           // "access"
sdk.EvidenceEventTypeRewrap           // "rewrap"
sdk.EvidenceEventTypeDeny             // "deny"

sdk.AuthModeBearerToken
sdk.AuthModeTrustedHeaders
sdk.AuthModeBearerTokenOrTrustedHeader

Errors

All methods return a standard Go error. Errors either originate in the Go layer (serialization, invalid arguments) or are returned by the Rust core (connection, server response, or upstream failure) and surfaced as a single typed error value. Callers can use errors.As / errors.Is against the exported error types listed in the module's pkg.go.dev reference.

Testing without the native library

Default unit tests use a fake binding so they run without native linkage:

go test ./...

For native-linked tests:

go test -tags rustbindings ./...

Relationship to other pages

Rust SDK

Quickstart for the Lattix Rust SDK — the canonical core for embedded enforcement, exposing the full /v1/sdk/* control-plane surface.

Python SDK

Quickstart for the Lattix Python SDK — an async wrapper over the Rust core with Pydantic models, for data pipelines, notebooks, and orchestrated workloads.

On this page

InstallOne-command native bootstrapManual installBuild tagsConstruct a clientOptionsMake a callThe eight operationsConstants and enumsErrorsTesting without the native libraryRelationship to other pages