SDKs
Official Sonny Labs SDKs (Python, TypeScript) and the @sonnylabs/mcp server for agentic AI clients — thin clients over the /v1/* firewall API with auth, idempotency, retries, RFC 9457 errors, and webhook signature verification.
The Sonny Labs SDKs are thin clients over the Sonny Labs firewall API.
They handle authentication, idempotency, retries, RFC 9457
application/problem+json errors, and webhook signature verification so
your integration code stays focused on the prompts you are scanning.
The SDKs work identically against the SaaS endpoint
(https://api.sonnylabs.ai) and against a self-hosted Sonny Labs
deployment in your own VPC (configured via base_url / baseUrl).
Languages
| Language | Package | Quickstart |
|---|---|---|
| Python (3.10+) | sonnylabs (coming soon to PyPI) | Python |
| TypeScript / Node 20.19+ | @sonnylabs/sdk (coming soon to npm) | TypeScript |
Both SDKs are generated from and pinned to the same OpenAPI spec, so
the request and response shapes match across languages. Method names
follow each language's idiomatic convention — create_scan in Python,
createScan in TypeScript.
MCP server (agentic clients)
If your integration runs inside an agentic AI host (Claude Desktop,
Cursor, Claude Code) rather than your own application code, install
@sonnylabs/mcp instead. It wraps the TypeScript SDK
and exposes a sonny_* tool surface the host's agent can call — no
application code required. Same API key, same self-hosted parity, same
OpenAPI spec underneath.
Webhooks
Outbound webhooks (scan.allowed, scan.flagged, scan.warned,
scan.blocked) are signed with HMAC-SHA256 and verified using the
helpers shipped in each SDK. The signing scheme, replay-window
defaults, and language-specific verification snippets are documented in
Webhooks.
OpenAPI spec
The canonical contract for every endpoint the SDKs wrap lives at REST API reference. Both SDKs regenerate their internal types from this file — if you need a request or response field that the SDK has not yet exposed, the shape in the spec is authoritative.
License
Both SDKs are released under the Apache License 2.0. The repository is mirrored on GitHub at PyPI (sonnylabs-sdk) and npm (@sonnylabs/sdk); issues and PRs against either SDK are welcome there.