@gavai/sdk-typescript targets the signed /api/v1/* admin surface — a different base path and a different auth scheme from the bearer-token public API. By the end of this page you will know how to install it, sign every request with HMAC-SHA256, verify response signatures before reading the payload, and map every error class to the failure mode that produced it.
Install
Runtime support
The package has no native dependencies. It uses Web Crypto andglobalThis.fetch, so it runs anywhere both are available.
Minimal example
Read your workspace identity, invite a member with an auto-minted idempotency key, then invite a second member with a caller-supplied key so the call is safe to retry.admin.ts
How signing works
Every request is HMAC-SHA256 signed and sent with theX-Gavai-Signature header. Every response carries an X-Gavai-Response-Signature header, and the SDK verifies it before the promise resolves to the caller. If the signature is missing or fails to verify, the SDK throws GavaiSignatureError and the response payload is never returned. There is no opt-out.
The practical effect: by the time you have a result in hand, the server is cryptographically attested. Code downstream of an awaited call can treat the payload as trusted without re-checking.
API key format
Keys for this SDK are distinct from the bearer-token keys used by@gavai/sdk.
format
Constructor options
options.ts
Errors
Every error extendsGavaiError. Pattern-match with instanceof to handle a specific failure without swallowing the rest.
retry.ts
GavaiSignatureError is never safe to retry without investigation — the response could not be authenticated, and a second attempt against the same compromised path will produce the same outcome.
Status
Surfaces are stable, but response types areunknown until the companion @gavai/schema/api/responses.ts ships typed schemas. The originating route handler is referenced in JSDoc on each method — check it when you need a concrete shape.