Skip to main content
Pikarc sits between your agent code and the models/tools it calls. Every model call and tool call passes through Pikarc, which makes an ALLOW or DENY decision based on your configured guardrails.

Core Concepts

Workspace

Your tenant boundary. Owns runs, API keys, budgets, and the kill switch. One workspace per account.

Run

A single agent execution. Contains an ordered list of Steps. Status progresses from RUNNING to COMPLETED, FAILED, or BLOCKED.

Step

One action within a run. Types include MODEL_CALL, TOOL_CALL, INPUT, OUTPUT, REASONING, and SYSTEM. Each step gets a Decision.

Decision

ALLOW or DENY, evaluated at run start and before each step. Includes the deny reason and which rules were evaluated.

How It Works

Your Agent Code


┌─────────────┐
│  Pikarc   │  ← Budget checks, kill switch, concurrency limits
│  SDK        │
└──────┬──────┘
       │ ALLOW / DENY

  Model / Tool
  1. Your agent starts a run via the SDK
  2. Before each model call or tool call, Pikarc evaluates guardrails
  3. If all checks pass → ALLOW — the call proceeds
  4. If any check fails → DENYPikarcBlockedError is raised
  5. Token usage and costs are tracked automatically
  6. The run ends, and everything is visible in the dashboard

What Gets Checked

RuleDescription
Kill switchEmergency brake — blocks all runs instantly
User blockedIndividually blocked users
Workspace daily budgetTotal spend limit per day
User daily budgetPer-user spend limit per day
Monthly run limitRuns per month (based on plan tier)
Max concurrent runsSimultaneous active runs

Next Steps

Quickstart

Install the SDK and wrap your first model call in 5 minutes.

SDK Reference

Full SDK API: client, guarded runs, error handling.

API Reference

REST API endpoints for runs, workspace, usage, and more.

Guardrails Guide

How the decision engine evaluates rules and denies requests.