Skip to main content

Ruby SDK

The Ruby SDK provides helpers for the full pre-execution authorization flow: create a client, authorize an action, handle the three outcomes, and verify the permit before execution.

Install

gem install veritrellis

Or add it to your Gemfile:

Gemfile
gem "veritrellis"

Requires Ruby 3.0 or later.

require "veritrellis"

Quick reference

SymbolPurpose
Veritrellis::Client.new(...)Initialize a scoped client
client.authorize(...)Submit an action for authorization
client.verify_permit(permit)Verify a permit JWT
client.poll_permit(request_id)Poll for a pending permit

Create a client

client.rb
require "veritrellis"

client = Veritrellis::Client.new(
api_key: ENV.fetch("VERITRELLIS_API_KEY"),
workspace_id: ENV.fetch("VERITRELLIS_WORKSPACE_ID"),
environment: "sandbox", # "sandbox" | "production"
api_url: "https://api.veritrellis.ai"
)

Configuration

OptionTypeRequiredDescription
api_keyStringYesWorkspace API key (vt_sandbox_… or vt_prod_…)
workspace_idStringYesYour workspace ID (ws_…)
environmentStringYes"sandbox" or "production"; must match the API key
api_urlStringNoDefaults to https://api.veritrellis.ai

Authorize an action

Call this before any action that requires a permit. It contacts the Veritrellis API and returns one of three outcomes.

refund.rb
result = client.authorize(
action_type: "issue_refund",
resource_ref: "cus_123",
payload: {
customer_id: "cus_123",
amount: 75,
currency: "EUR",
reason: "customer request"
}
)

Handling the three outcomes

handle_outcomes.rb
case result[:decision]
when "allowed"
# Permit is ready — verify it before executing
claims = client.verify_permit(result[:permit])
# Proceed with the action using verified claims
issue_refund(claims)

when "pending_approval"
# Save result[:request_id] and poll GET /v1/permits/:request_id
save_for_polling(result[:request_id])

when "denied"
# Policy blocked this request — do not execute
raise "Action denied: #{result[:reason_code]}"
end
Always verify the permit

Receiving a permit from authorize is not sufficient. You must call verify_permit before executing the action. Permits that fail verification must not unlock execution.

Request parameters

ParameterTypeRequiredDescription
action_typeStringYesThe canonical action type (e.g. issue_refund)
resource_refStringYesIdentifier of the resource being acted on
payloadHashYesAction-specific fields; validated against shared schemas
actor_refStringNoID of the human or agent initiating the action
idempotency_keyStringNoStable key for safe retries

Response shape

The result is a hash:

KeyPresent whenTypeDescription
:decisionAlwaysString"allowed", "pending_approval", or "denied"
:request_idAlwaysStringUnique request identifier
:permitallowed onlyStringSigned ES256 permit JWT
:reason_codedenied onlyStringMachine-readable denial reason

Verify a permit

Verifies a permit JWT against the workspace JWKS. The client already holds the workspace ID and issuer. Raises if the signature, issuer, audience, or expiry check fails.

verify.rb
claims = client.verify_permit(result[:permit])

Pass expected_action_type: to also assert the permit authorizes a specific action:

claims = client.verify_permit(result[:permit], expected_action_type: "issue_refund")

The returned claims contains:

ClaimTypeDescription
:subStringRequest ID this permit is bound to
:workspace_idStringWorkspace the permit was issued for
:action_typeStringAction type the permit authorizes
:resource_refStringResource the permit is scoped to
:iatIntegerIssued-at timestamp (Unix)
:expIntegerExpiry timestamp (Unix)

Polling for a permit

When result[:decision] is pending_approval, poll until the request resolves:

poll.rb
permit = client.poll_permit(result[:request_id])
# Ready — verify before executing
claims = client.verify_permit(permit)

poll_permit returns the permit once approved, and raises if the request is denied or expires.


Environment variables

VariableRequiredDescription
VERITRELLIS_API_KEYYesAPI key from the admin app
VERITRELLIS_WORKSPACE_IDYesWorkspace ID from the admin app
Using .env files

Both the API key and workspace ID are available in the admin app under Settings > API keys. The sandbox and production environments have separate keys.


Source