Getting Started with Traceprompt

This quickstart requires an AWS account for encryption. You’ll create a KMS key and IAM user in your AWS account to ensure only you can decrypt your data.
This guide takes you from zero to your first tamper-proof LLM interaction in about 15 minutes.

Overview

Traceprompt uses your AWS KMS key to encrypt prompts and responses. Only you can decrypt your data - Traceprompt stores encrypted blobs and can only access them when you explicitly grant permission through AWS roles.

Part 1: Basic Setup (Required)

1. Create Organization & Get API Key

  1. Sign in to the Traceprompt Dashboard
  2. Go to Settings → Organizations → Create organization
  3. Go to Settings → API Keys → Generate key
  4. Copy and save your API key (tp_live_***) - you won’t see it again

2. Set Up AWS Credentials

The SDK needs AWS credentials to encrypt data with your KMS key. Create an IAM user in your AWS account:

Create IAM User

  1. Go to AWS Console → IAM → Users → Create user
  2. User name: traceprompt-sdk-user (or your preferred name)
  3. Don’t attach policies yet - we’ll do this after creating the KMS key

Create Access Key

  1. Select your new user → Security credentials tab
  2. Create access key → “Application running outside AWS”
  3. Save the Access Key ID and Secret Access Key

Add to Local AWS Config

Add your credentials to ~/.aws/credentials:
[traceprompt]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
Add region to ~/.aws/config:
[profile traceprompt]
region = us-east-1

3. Create KMS Key

  1. Go to AWS KMS → Keys → Create key
  2. Key type: Symmetric
  3. Alias: alias/traceprompt-encryption-key
  4. Skip administrative and usage permissions for now
  5. Copy the Key ARN (looks like arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012)

4. Configure KMS Key Policy

After creating your KMS key, you need to set up the key policy to allow Traceprompt to encrypt data and your viewer role to decrypt it.
  1. Go to AWS KMS → Keys → your key → Key policy
  2. Replace the default policy with this template:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RootAdminAllActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR-ACCOUNT-ID:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "TracePromptIngestEncrypt",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::639994153374:role/TracepromptIngestRole"
      },
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TracePromptViewerDecrypt",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR-ACCOUNT-ID:role/TracepromptViewer"
      },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:org_id": "YOUR-ORG-ID"
        }
      }
    },
    {
      "Sid": "AllowTracePromptBackendDescribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::639994153374:role/TracepromptViewerCallerRole"
      },
      "Action": [
        "kms:DescribeKey",
        "kms:GetKeyPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowEcsTaskRoleKmsAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::639994153374:role/TracepromptStagingTaskRole"
      },
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3ServerSideEncryptionFromTraceprompt",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:Encrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "639994153374",
          "kms:ViaService": [
            "s3.us-east-1.amazonaws.com",
            "s3.eu-west-2.amazonaws.com"
          ]
        }
      }
    }
  ]
}
Replace these placeholders:
  • YOUR-ACCOUNT-ID: Your AWS account ID
  • YOUR-ORG-ID: Your organization ID from Traceprompt dashboard
This key policy allows Traceprompt to encrypt your data and enables the dashboard to decrypt it when you grant permission through the viewer role.
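Before saving the filled-in key policy, it is worth listing which statements give kms:Decrypt to a principal outside your own account, and whether an encryption-context condition scopes each grant. The following is an added example, not Traceprompt code; the function names, the account ID 111122223333 and the org ID org_example are made up for illustration.

```javascript
// Added example, not Traceprompt code. Handles Action and Principal.AWS only
// (no NotAction, NotPrincipal, or service principals).
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns: "*" matches any run of characters, "?" exactly one.
function actionMatches(pattern, action) {
  const body = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${body}$`, "i").test(action);
}

// Account ID from an IAM/STS ARN or a bare 12-digit ID; null for "*".
function principalAccount(p) {
  const m = /^arn:aws[^:]*:(?:iam|sts)::(\d{12}):/.exec(p) || /^(\d{12})$/.exec(p);
  return m ? m[1] : null;
}

// Allow statements that give kms:Decrypt to a principal outside ownAccountId.
function externalDecryptGrants(policy, ownAccountId) {
  const findings = [];
  for (const st of asArray(policy.Statement)) {
    if (st.Effect !== "Allow") continue;
    if (!asArray(st.Action).some((a) => actionMatches(a, "kms:Decrypt"))) continue;
    const aws = typeof st.Principal === "string" ? [st.Principal] : asArray((st.Principal || {}).AWS);
    const external = aws.filter((p) => principalAccount(p) !== ownAccountId);
    if (external.length === 0) continue;
    const keys = Object.values(st.Condition || {}).flatMap((c) => Object.keys(c));
    const hasContextCondition = keys.some((k) => /^kms:EncryptionContext:/i.test(k));
    findings.push({ sid: st.Sid, principals: external, hasContextCondition });
  }
  return findings;
}

// Constructed input: four statements from the template above, with the
// placeholders filled by made-up values (account 111122223333, org "org_example").
const OWN = "111122223333";
const TP = "arn:aws:iam::639994153374:role/";
const stmt = (Sid, AWS, Action, Condition) =>
  ({ Sid, Effect: "Allow", Principal: { AWS }, Action, Resource: "*", ...(Condition && { Condition }) });
const samplePolicy = { Version: "2012-10-17", Statement: [
  stmt("RootAdminAllActions", `arn:aws:iam::${OWN}:root`, "kms:*"),
  stmt("TracePromptIngestEncrypt", TP + "TracepromptIngestRole",
    ["kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"]),
  stmt("TracePromptViewerDecrypt", `arn:aws:iam::${OWN}:role/TracepromptViewer`,
    ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"],
    { StringEquals: { "kms:EncryptionContext:org_id": "org_example" } }),
  stmt("AllowEcsTaskRoleKmsAccess", TP + "TracepromptStagingTaskRole",
    ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt"]),
] };
console.log(JSON.stringify(externalDecryptGrants(samplePolicy, OWN), null, 2));
```

On the sample it reports one statement, AllowEcsTaskRoleKmsAccess, which grants kms:Decrypt to a role in account 639994153374 with no condition. To check your own key, pass the policy JSON you are about to save and your account ID.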

5. Grant Your User KMS Permissions

Create a policy for your IAM user to use the KMS key:

Create KMS Policy

  1. Go to IAM → Policies → Create policy
  2. Choose JSON tab and paste:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KMSKeyAccess",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:YOUR-REGION:YOUR-ACCOUNT-ID:key/YOUR-KEY-ID"
    }
  ]
}
  3. Replace YOUR-REGION, YOUR-ACCOUNT-ID, and YOUR-KEY-ID with your actual values
  4. Name it: TracepromptKMSAccess
  5. Create policy

Attach Policy to User

  1. Go to IAM → Users → your-traceprompt-user
  2. Add permissions → Attach policies directly
  3. Select TracepromptKMSAccess
  4. Add permissions

6. Register KMS Key in Traceprompt

  1. In Traceprompt Dashboard, go to Settings → KMS Keys
  2. Paste your KMS Key ARN
  3. Click Verify and Save

7. Install & Configure SDK

npm install @traceprompt/node
Create .tracepromptrc.yml in your project root:
apiKey: tp_live_your_api_key_here

# Optional: add metadata to all logs
staticMeta:
  app: "my-app"
  env: "production"

8. Test the SDK

import { initTracePrompt, wrapLLM } from "@traceprompt/node";
import OpenAI from "openai";

const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });

// Initialize Traceprompt
await initTracePrompt();

// Wrap your LLM calls
const chat = wrapLLM(
  async (prompt) => {
    return await openai.chat.completions.create({
      messages: [{ role: "user", content: prompt }],
      model: "gpt-4",
    });
  },
  {
    modelVendor: "openai",
    modelName: "gpt-4",
    userId: "test-user-123",
  }
);

// Your chat calls are now automatically encrypted and logged
const response = await chat("Hello, how are you?");
console.log(response.choices[0].message.content);
Run your code with:
AWS_PROFILE=traceprompt node your-script.js
🎉 Success! Check your Traceprompt Dashboard → LLM Interactions - you should see your encrypted interaction.

Part 2: Advanced Features (Optional)

Viewing Encrypted Data in Dashboard

To decrypt and view your data in the Traceprompt UI, you need to set up a viewer role:

Create Viewer Role

  1. AWS Console → IAM → Roles → Create role
  2. Trusted entity type: AWS account
  3. Account ID: 639994153374 (Traceprompt’s account)
  4. Require external ID: Your organization ID from Traceprompt
  5. Role name: TracepromptViewer

Set Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::639994153374:role/TracepromptViewerCallerRole"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR-ORG-ID"
        }
      }
    }
  ]
}

Add Permissions Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeKey",
      "Effect": "Allow",
      "Action": ["kms:DescribeKey"],
      "Resource": "arn:aws:kms:YOUR-REGION:YOUR-ACCOUNT-ID:key/YOUR-KEY-ID"
    },
    {
      "Sid": "DecryptLogs",
      "Effect": "Allow",
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "arn:aws:kms:YOUR-REGION:YOUR-ACCOUNT-ID:key/YOUR-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:org_id": "YOUR-ORG-ID"
        }
      }
    }
  ]
}
The policy is split into two statements: DescribeKey (needed for KMS key verification during onboarding) has no conditions, while Decrypt/GenerateDataKey operations require the correct organization ID in the encryption context for security.

Register Viewer Role

  1. Traceprompt Dashboard → Settings → Data Access
  2. Add Viewer Role
  3. Paste your viewer role ARN
  4. Save
Now you can decrypt individual interactions in the dashboard for debugging and compliance.

Environment Variables

You can also configure the SDK with environment variables:
export TRACEPROMPT_API_KEY=tp_live_xxx
export AWS_PROFILE=traceprompt
export AWS_REGION=us-east-1

Troubleshooting

  • “Could not load credentials”: Make sure AWS_PROFILE=traceprompt is set and your credentials are in ~/.aws/credentials
  • “AccessDeniedException”: Your IAM user needs KMS permissions on your key - check step 4
  • “KMS key verification failed”: If you see kms:DescribeKey permission errors, ensure your viewer role policy separates DescribeKey (no conditions) from Decrypt operations (with encryption context)
  • “Invalid API key”: Verify your API key starts with tp_live_ and is correctly set
  • “KMS key not found”: Ensure your KMS key ARN is registered in Traceprompt dashboard