
# Using Tinfoil with LangChain

> Use LangChain with Tinfoil.

## LangChain integration

Tinfoil's SDKs expose verified, attested HTTP clients that can be injected into LangChain.
This lets you build chains, agents, and RAG pipelines while using Tinfoil as the backend.

The integration works by passing Tinfoil's secure transport layer into LangChain's OpenAI provider.
All LangChain features work as before.

<Info>
  **Supported languages:** Python, JavaScript/TypeScript, and Go.
</Info>

### Installation

<CodeGroup>
  ```bash Python theme={"dark"}
  pip install tinfoil langchain-openai
  ```

  ```bash JavaScript theme={"dark"}
  npm install tinfoil @langchain/openai
  ```

  ```bash Go theme={"dark"}
  go get github.com/tinfoilsh/tinfoil-go
  go get github.com/tmc/langchaingo
  ```
</CodeGroup>

### Quick start

Create a Tinfoil-verified LangChain client in a few lines:

<CodeGroup>
  ```python Python theme={"dark"}
  import os
  from tinfoil import SecureClient
  from langchain_openai import ChatOpenAI

  # Create a SecureClient for Tinfoil's inference router
  sc = SecureClient(
      enclave="inference.tinfoil.sh",
      repo="tinfoilsh/confidential-model-router",
  )

  # Inject the TLS-pinned httpx clients into LangChain
  llm = ChatOpenAI(
      model="<MODEL_NAME>",
      api_key=os.getenv("TINFOIL_API_KEY"),
      base_url="https://inference.tinfoil.sh/v1/",
      http_client=sc.make_secure_http_client(),
      http_async_client=sc.make_secure_async_http_client(),
  )

  response = llm.invoke("What is confidential computing?")
  print(response.content)
  ```

  ```typescript JavaScript theme={"dark"}
  import { ChatOpenAI } from "@langchain/openai";
  import { SecureClient } from "tinfoil";

  // Create and verify the secure client
  const secureClient = new SecureClient();
  await secureClient.ready();

  // Inject the verified fetch into LangChain
  const llm = new ChatOpenAI({
    model: "<MODEL_NAME>",
    apiKey: process.env.TINFOIL_API_KEY,
    configuration: {
      baseURL: secureClient.getBaseURL(),
      fetch: secureClient.fetch,
    },
  });

  const response = await llm.invoke("What is confidential computing?");
  console.log(response.content);
  ```

  ```go Go theme={"dark"}
  package main

  import (
      "context"
      "fmt"
      "log"
      "os"

      "github.com/openai/openai-go/v3/option"
      "github.com/tmc/langchaingo/llms"
      langchainOpenAI "github.com/tmc/langchaingo/llms/openai"
      "github.com/tinfoilsh/tinfoil-go"
  )

  func main() {
      // Create a Tinfoil client (verifies the enclave on creation)
      tfClient, err := tinfoil.NewClient(
          option.WithAPIKey(os.Getenv("TINFOIL_API_KEY")),
      )
      if err != nil {
          log.Fatal(err)
      }

      // Inject the TLS-pinned HTTP client into langchaingo
      llm, err := langchainOpenAI.New(
          langchainOpenAI.WithToken(os.Getenv("TINFOIL_API_KEY")),
          langchainOpenAI.WithModel("<MODEL_NAME>"),
          langchainOpenAI.WithBaseURL(fmt.Sprintf("https://%s/v1", tfClient.Enclave())),
          langchainOpenAI.WithHTTPClient(tfClient.HTTPClient()),
      )
      if err != nil {
          log.Fatal(err)
      }

      response, err := llms.GenerateFromSinglePrompt(context.Background(), llm, "What is confidential computing?")
      if err != nil {
          log.Fatal(err)
      }

      fmt.Println(response)
  }
  ```
</CodeGroup>

### Streaming

<CodeGroup>
  ```python Python theme={"dark"}
  import os
  from tinfoil import SecureClient
  from langchain_openai import ChatOpenAI

  sc = SecureClient(
      enclave="inference.tinfoil.sh",
      repo="tinfoilsh/confidential-model-router",
  )

  llm = ChatOpenAI(
      model="<MODEL_NAME>",
      api_key=os.getenv("TINFOIL_API_KEY"),
      base_url="https://inference.tinfoil.sh/v1/",
      http_client=sc.make_secure_http_client(),
      http_async_client=sc.make_secure_async_http_client(),
      streaming=True,
  )

  for chunk in llm.stream("Explain hardware attestation step by step."):
      print(chunk.content, end="", flush=True)
  ```

  ```typescript JavaScript theme={"dark"}
  import { ChatOpenAI } from "@langchain/openai";
  import { SecureClient } from "tinfoil";

  const secureClient = new SecureClient();
  await secureClient.ready();

  const llm = new ChatOpenAI({
    model: "<MODEL_NAME>",
    apiKey: process.env.TINFOIL_API_KEY,
    streaming: true,
    configuration: {
      baseURL: secureClient.getBaseURL(),
      fetch: secureClient.fetch,
    },
  });

  const stream = await llm.stream("Explain hardware attestation step by step.");
  for await (const chunk of stream) {
    process.stdout.write(chunk.content as string);
  }
  ```

  ```go Go theme={"dark"}
  package main

  import (
      "context"
      "fmt"
      "log"
      "os"

      "github.com/openai/openai-go/v3/option"
      "github.com/tmc/langchaingo/llms"
      langchainOpenAI "github.com/tmc/langchaingo/llms/openai"
      "github.com/tinfoilsh/tinfoil-go"
  )

  func main() {
      tfClient, err := tinfoil.NewClient(
          option.WithAPIKey(os.Getenv("TINFOIL_API_KEY")),
      )
      if err != nil {
          log.Fatal(err)
      }

      llm, err := langchainOpenAI.New(
          langchainOpenAI.WithToken(os.Getenv("TINFOIL_API_KEY")),
          langchainOpenAI.WithModel("<MODEL_NAME>"),
          langchainOpenAI.WithBaseURL(fmt.Sprintf("https://%s/v1", tfClient.Enclave())),
          langchainOpenAI.WithHTTPClient(tfClient.HTTPClient()),
      )
      if err != nil {
          log.Fatal(err)
      }

      _, err = llms.GenerateFromSinglePrompt(
          context.Background(),
          llm,
          "Explain hardware attestation step by step.",
          llms.WithStreamingFunc(func(ctx context.Context, chunk []byte) error {
              fmt.Print(string(chunk))
              return nil
          }),
      )
      if err != nil {
          log.Fatal(err)
      }
  }
  ```
</CodeGroup>

### How it works

Each Tinfoil SDK verifies the remote enclave's hardware attestation and pins TLS certificates before any data is sent.
The integration injects this verified transport into LangChain's OpenAI provider:

| Language   | Tinfoil transport                      | Injected via                               |
| ---------- | -------------------------------------- | ------------------------------------------ |
| Python     | `httpx.Client` with pinned SSL context | `ChatOpenAI(http_client=...)`              |
| JavaScript | Fetch function with EHBP encryption    | `ChatOpenAI({ configuration: { fetch } })` |
| Go         | `*http.Client` with pinned TLS         | `langchainOpenAI.WithHTTPClient(...)`      |

Once injected, every HTTP request LangChain makes (chat completions, embeddings, tool calls) goes through the
verified connection. No application code changes are needed beyond the initial setup.
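To make the "pinned TLS" row for Go concrete, the following added sketch (not Tinfoil SDK code) builds an `*http.Client` that refuses the handshake unless the server's public key matches an expected fingerprint, so no request body leaves the process on a mismatch. The names `pinnedClient` and `tryRequest`, the SHA-256-over-SubjectPublicKeyInfo pin format, and the local `httptest` server standing in for the enclave are assumptions; verifying the attestation document that would supply the pin is not shown.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// pinnedClient keeps normal chain validation and also aborts the handshake
// unless SHA-256(SubjectPublicKeyInfo) of the leaf equals pin (assumed format).
func pinnedClient(pin [32]byte, roots *x509.CertPool) *http.Client {
	cfg := &tls.Config{
		RootCAs: roots,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 ||
				sha256.Sum256(cs.PeerCertificates[0].RawSubjectPublicKeyInfo) != pin {
				return errors.New("server key does not match attested pin")
			}
			return nil
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// tryRequest GETs a constructed local TLS server; returns requests served.
func tryRequest(flip byte) (served int32, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		atomic.AddInt32(&served, 1)
	}))
	defer srv.Close()
	pin := sha256.Sum256(srv.Certificate().RawSubjectPublicKeyInfo)
	pin[0] ^= flip // nonzero simulates an endpoint key that was not attested
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	resp, err := pinnedClient(pin, roots).Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return atomic.LoadInt32(&served), err
}

func main() {
	fmt.Println(tryRequest(0xff))
}
```

With a matching pin the handler serves the request; with a mismatched pin the client returns an error and the handler is never reached.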

<CardGroup cols={2}>
  <Card title="Python SDK" icon="python" href="/sdk/python-sdk">
    Full Python SDK reference and examples.
  </Card>

  <Card title="JavaScript SDK" icon="js" href="/sdk/javascript-sdk">
    Full JavaScript SDK reference and examples.
  </Card>

  <Card title="Go SDK" icon="golang" href="/sdk/go-sdk">
    Full Go SDK reference and examples.
  </Card>

  <Card title="Tool Calling" icon="wrench" href="/guides/tool-calling">
    Use function calling with LangChain agents and Tinfoil.
  </Card>
</CardGroup>
