Skip to content

Reference

Install

The canonical install command for every supported language. This is the only page that lists install commands — every other doc, blog, and README links here.

Do not install bare evalguard

There are two unrelated third-party packages named evalguard on npm and PyPI. They are not affiliated with EvalGuard.

  • npm install evalguard resolves to an unrelated third-party package. Not us.
  • pip install evalguard resolves to an unrelated third-party package. Not us.

Always use the canonical names below @evalguard/sdk on npm, evalguardai on PyPI, @evalguard/cli for the CLI. These are the only packages published by EvalGuard. Until registry naming is fully resolved, this banner stays.

Other registries (NuGet, Maven, crates.io, RubyGems, Packagist): we do not yet publish SDKs there. If you find a package using the EvalGuard name on any of those registries, it is not from us — please report it to security@evalguard.ai.

Canonical install commands

One canonical package per language. Each ships with the same authoritative EvalGuard client — pick the row that matches your stack.

TypeScript / JavaScript

@evalguard/sdk

Registry page
terminal
npm install @evalguard/sdk

Import

typescript
import { EvalGuard } from "@evalguard/sdk";

Python

evalguardai

Registry page
terminal
pip install evalguardai

Import

python
from evalguard import EvalGuardClient

CLI (Node.js)

@evalguard/cli

Registry page
terminal
npm install -g @evalguard/cli

Import

terminal
evalguard --version

Go

github.com/EvalGuardAi/evalguard-go

Registry page
terminal
go get github.com/EvalGuardAi/evalguard-go@latest

Import

go
import evalguard "github.com/EvalGuardAi/evalguard-go"

Verify cryptographic provenance

Every @evalguard/*npm release ships with an OIDC-signed Sigstore provenance attestation. Verify after install — if a package isn't signed by github.com/EvalGuardAi/evalguardvia the canonical workflow, it isn't ours, regardless of what the registry name suggests.

terminal
npm install @evalguard/sdk
npm audit signatures
# Should report: "audited 1 package: @evalguard/sdk
#   verified registry signatures, 1 package signed by Sigstore (OIDC)"

Deprecated aliases

These names point at deprecation-shim packages we publish to keep old install commands working — they re-export the canonical and emit a deprecation warning. Migrate to the canonical name on the right; the shim slot may be sunsetted in a future release.

Deprecated nameRegistry→ Canonical
evalguardai-sdknpm@evalguard/sdk
evalguard-sdknpm (unscoped)@evalguard/sdk
@evalguardai/sdknpm@evalguard/sdk
@evalguardai/clinpm@evalguard/cli
evalguard-sdkPyPIevalguardai
evalguard-pythonPyPIevalguardai

Java SDK — source available, Maven Central pending

Full Java client + LangChain4j chat-model listener + LangChain4j content filter + Spring AI auto-configuration / interceptor / guardrail advisor are implemented and tested in packages/java-sdk. Group ID ai.evalguard, artifact evalguard-sdk. Maven Central publishing pipeline is wired and ready; gated on Sonatype OSSRH account verification (operator action). Enterprise customers can vendor the source today against v1.0.0 while we close the release credential setup. Email support@evalguard.ai for an artifact ahead of public release.

Covers parity with Arize AX's Java story (LangChain4j + Spring AI). Closes the JVM gap surfaced in our 2026-05-22 competitive audit.

Need another language?

C# / .NET, Ruby, Rust, and PHP SDKs are not published yet. The REST API works from any language — see the API reference. If you need a native SDK, email support@evalguard.ai and we'll publish on request — typical turnaround is under a week for languages where we already have an internal client.

Why these names

The product is called EvalGuard. The domain is evalguard.ai. Industry convention (e.g. openai, @anthropic-ai/sdk, stripe, @vercel/*) keeps package names brand-only — they don't repeat the TLD in the package handle. The canonical install paths above follow that convention. The Java ai.evalguard groupId is the standard Maven reverse-DNS pattern and is unrelated to the npm/PyPI brand handle.

Pin the canonical names in your lockfile and CI. If a build pulls a bare evalguard from npm or PyPI, it is not an EvalGuard package — fail the build and report it to security@evalguard.ai.