Quickstart
Get your first enforced tool call running in 5 minutes.
1. Install
2. Set environment variables
Your enforcement plane URL and API key are in your credentials file.
export SCOPEBOUND_BASE_URL=https://your-partner.api.scopebound.ai
export SCOPEBOUND_API_KEY=sb-your-api-key
3. Add enforcement to a tool
from scopebound import ScopeboundSDK, enforce
from langchain_core.tools import BaseTool
sb = ScopeboundSDK()
@enforce(sb, role="invoice-processor")
class ReadInvoicesTool(BaseTool):
name: str = "read_invoices"
description: str = "Read pending invoices"
def _run(self, status: str = "pending") -> str:
return "INV-001, INV-002"
from scopebound import ScopeboundSDK
from scopebound.adapters.autogen import enforce_autogen
sb = ScopeboundSDK()
@enforce_autogen(sb, role="invoice-processor")
def read_invoices(status: str = "pending") -> str:
return "INV-001, INV-002"
from scopebound import ScopeboundSDK
from scopebound.adapters.mcp import mcp_hook
sb = ScopeboundSDK()
hook = mcp_hook(sb, role="invoice-processor")
# Wire into your MCP server's pre-call hook
hook("read_invoices", {"status": "pending"})
4. Call the tool
The first call provisions a session JWT automatically. You don't need to manage tokens.
5. See a denial
Try calling a tool that isn't in your role's allowed list:
from scopebound.exceptions import ScopeboundDenyError
from langchain_core.tools import BaseTool
@enforce(sb, role="invoice-processor")
class DeleteInvoiceTool(BaseTool):
name: str = "delete_invoice"
description: str = "Delete an invoice"
def _run(self, invoice_id: str) -> str:
return f"Invoice {invoice_id} deleted."
try:
tool = DeleteInvoiceTool()
tool._run(invoice_id="INV-003")
except ScopeboundDenyError as e:
print(f"Denied: {e.deny_code} — {e.reason}")
# → Denied: SCOPE_VIOLATION — tool not in allowed_tools
The _run() body never executes. The denial is recorded in your audit log.
Next steps
- Framework guides — full integration for your framework
- API reference — all endpoints documented
- Troubleshooting — common errors and fixes