Platform Service Client
Some SDK functionality — including policy management, authorization decisions, and KAS registry operations — is provided through a platform service client rather than through the core SDK.
Core SDK vs. Platform Service Client
| Core SDK | Platform Service Client | |
|---|---|---|
| What it does | Wraps and unwraps TDF-protected data | Manages platform resources (policy, keys, authorization) |
| Calls platform | Some operations (e.g. key unwrap, service discovery) | Always — all methods are remote gRPC calls |
| Examples | CreateTdf, LoadTdf | GetNamespace, GetDecision, ListKeyAccessServers |
This is the same pattern used by cloud provider SDKs — you instantiate a typed client once (analogous to new S3Client() in AWS), then call methods on it to manage remote resources.
gRPC is a high-performance open-source remote procedure call framework. It uses HTTP/2 for transport and Protocol Buffers for serialization, enabling strongly-typed service contracts across languages.
Setup
- Go
- Java
- JavaScript
import (
"github.com/opentdf/platform/sdk"
// Plus the service-specific package for each call, e.g.:
"github.com/opentdf/platform/protocol/go/policy/namespaces"
"github.com/opentdf/platform/protocol/go/authorization"
)
client, err := sdk.New("http://localhost:8080",
sdk.WithClientCredentials("client-id", "client-secret", nil),
)
if err != nil {
log.Fatal(err)
}
defer client.Close()
import io.opentdf.platform.sdk.SDK;
import io.opentdf.platform.sdk.SDKBuilder;
SDK sdk = SDKBuilder.newBuilder()
.platformEndpoint("http://localhost:8080")
.clientSecret("client-id", "client-secret")
.useInsecurePlaintextConnection(true) // dev only — remove in production
.build();
import { PlatformClient } from '@opentdf/sdk/platform';
// See the Auth Providers guide for authProvider setup.
const platform = new PlatformClient({
authProvider,
platformUrl: 'http://localhost:8080',
});
For credential configuration, see the Auth Providers guide.