
@taplid/client
Official Node.js SDK for the hosted Taplid audit API.
Send a payload and get a trust decision (ALLOW / REVIEW / BLOCK), a 0-100 trust score and an audit trail.
```bash
npm install @taplid/client
```

```js
import { Taplid } from '@taplid/client';

const taplid = new Taplid({
  apiKey: process.env.TAPLID_API_KEY ?? '',
});

const result = await taplid.audit({
  context: 'The number is 1.',
  prompt: 'What is the number?',
  response: 'The number is 2.',
  auditMode: 'standard'
});

console.log(result);
```
TypeScript autocomplete exposes the three SDK methods: taplid.audit(...), taplid.getAudit(...), and taplid.verifyAudit(...).
Every completed hosted audit returns an auditId. Anyone with the ID can retrieve the persisted public result. No API key is required for retrieval.
```js
import { Taplid } from '@taplid/client';

const taplid = new Taplid();

const audit = await taplid.getAudit(
  'AUD-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
);

console.log(audit);
```
Treat the audit ID like a share link. Retrieval is a public lookup. Hosted audit results include an attestation object, which is the cryptographic proof layer.
Verify a persisted audit ID or signed attestation token. No API key is required.
Verify by audit ID:
```js
import { Taplid } from '@taplid/client';

const taplid = new Taplid();

const verification = await taplid.verifyAudit({
  auditId: 'AUD-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
});

console.log(verification.status);
```
Verify by attestation token:
```js
const verification = await taplid.verifyAudit({
  token: 'eyJhbGciOiJFUzI1NiIsImtpZCI6InRhcGxpZC1lczI1Ni0yMDI2LTA2IiwidHlwIjoiSldUIn0...',
});

console.log(verification.status);
```
Audit ID verification checks the persisted public result, signed fields, issuer, signature, and result hash. Token-only verification checks the signature and issuer, but cannot check the result hash without the persisted audit result.
Hosted Taplid audit responses include an attestation object. It is an ES256-signed proof that Taplid issued the decision for the audited input and returned public result.
Public verification keys are available at:
https://api.taplid.com/.well-known/jwks.json
The attestation.token can be verified against the JWKS public key, by calling taplid.verifyAudit(...), or by posting an auditId or token to https://api.taplid.com/verify-audit. The signed payload includes the auditId, auditMode, decision, trustScore, inputHash, and resultHash.
You can call the API directly without the SDK using fetch or any HTTP client.
```js
const payload = {
  context: 'The number is 1.',
  prompt: 'What is the number?',
  response: 'The number is 2.',
  auditMode: 'standard'
};

const response = await fetch('https://api.taplid.com/review', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': `Bearer ${process.env.TAPLID_API_KEY}`,
  },
  body: JSON.stringify(payload),
});

const result = await response.json();
console.log(result);
```
| Field | Type | Description |
|---|---|---|
| context | string | Policy, rules, or background context for the audit. |
| prompt | string | The user prompt that produced the response. |
| response | string | The AI-generated output to audit. |
| auditMode | string | Optional. 'artifact' (default) for code reviews, PRs, implementation plans, long answers, and structured outputs. 'standard' for factual, policy, refund, pricing, and entitlement issues. |
Only response is required; context, prompt, and auditMode are optional.
For file-based input, use @taplid/cli. The hosted SDK/API path accepts inline text only.
Taplid treats context, prompt, and response file inputs as raw UTF-8 text. Supported examples include .txt, .md, .json, .log, .ndjson, .yaml, and .yml. These files are not parsed by type. Taplid reads the file contents as plain text and uses the resolved text value. This behavior is consistent across the audit page, CLI file-location flags, environment file-location variables, and request-payload file-location fields.
@taplid/client does not resolve files directly. When using the SDK, pass resolved inline text values for context, prompt, and response.
```json
{
  "auditId": "AUD-XXX",
  "auditMode": "standard",
  "decision": "BLOCK",
  "trustScore": 20,
  "summary": "This answer conflicts with the provided context.",
  "issues": [
    {
      "message": "Contradicts the provided context.",
      "reason": "The context states one thing; the response says the opposite."
    }
  ],
  "nextStep": "Do not use this yet. Adjust the answer to match the provided context, then re-run the check.",
  "repairActions": [
    {
      "action": "Rewrite the answer so it aligns with the provided context.",
      "priority": "critical",
      "target": "response"
    }
  ],
  "claims": [
    {
      "text": "The number is 2.",
      "status": "contradicted",
      "evidence": [
        "Response value: 2",
        "Context value: 1"
      ]
    }
  ],
  "diagnosis": {
    "action": "revise_answer",
    "confidence": "high",
    "severity": "error",
    "nextSteps": [
      "Verify the answer is consistent with the provided context before re-running."
    ],
    "explanation": "The answer contradicts the provided context. Revise the answer to align with the source material before re-running the audit."
  },
  "claimStats": {
    "total": 1,
    "supported": 0,
    "unsupported": 0,
    "contradicted": 1,
    "evaluated": 1
  },
  "evidenceCoverage": 1,
  "metadata": {
    "auditDurationMs": 1,
    "claimsDetected": 1,
    "engine": "taplid",
    "version": "1"
  },
  "meta": {
    "policy": {
      "profileId": "balanced",
      "passThreshold": 80,
      "reviewThreshold": 60
    }
  },
  "requestId": "aud_XXX",
  "attestation": {
    "alg": "ES256",
    "kid": "taplid-es256-2026-06",
    "typ": "JWT",
    "issuer": "https://api.taplid.com",
    "issuedAt": "2026-06-12T21:28:52.000Z",
    "inputHash": "91f5884c9a9be6152e6d75534df82dada5965e7905bc80eca95df02970c6f3b1",
    "resultHash": "f95e77eb3224d987fa0baf35b5ee4c4e04029960cdcd6fd16c9171ffad929a7e",
    "token": "eyJhbGciOiJFUzI1NiIsImtpZCI6InRhcGxpZC1lczI1Ni0yMDI2LTA2IiwidHlwIjoiSldUIn0..."
  }
}
```
The response may include more fields than listed here. These are the primary fields.
- 'artifact' or 'standard')
- priority: critical / high / medium / low)
- status and evidence
- action, confidence, severity, nextSteps, explanation)
- claims array (total / supported / unsupported / contradicted / evaluated)
- auditDurationMs, claimsDetected, engine, version)
- profileId plus passThreshold / reviewThreshold actually applied to this run
- npx @taplid/cli eval request.json --api-key tap_live_... --pass-threshold 80 (exits non-zero when below)

ESM only - @taplid/client is ESM-only. If your project is CommonJS you may see ERR_PACKAGE_PATH_NOT_EXPORTED. Use ESM config: package.json => "type": "module", and tsconfig.json => "module": "NodeNext" with "moduleResolution": "NodeNext". If you need to stay on CommonJS, use the HTTP API example above instead of the SDK import.