Veriproof.Sdk
Veriproof.Sdk plugs a VeriProof exporter into your existing .NET OpenTelemetry pipeline. It provides the governance attribute vocabulary, transport reliability controls, and optional content capture needed to send AI traces to VeriProof from any .NET 10+ application or Azure Function.
Prerequisites
- .NET 10.0+
- A VeriProof API key (
VERIPROOF_API_KEY) from the Customer Portal - An OpenTelemetry service name (
OTEL_SERVICE_NAME) — this becomes your application name in VeriProof
Installation
dotnet add package Veriproof.Sdk.CoreFor framework adapters:
dotnet add package Veriproof.Sdk.Instrumentation.SemanticKernel
dotnet add package Veriproof.Sdk.Instrumentation.AutoGenSetup
Add VeriProof to your OpenTelemetry pipeline in Program.cs:
using OpenTelemetry.Trace;
using OpenTelemetry.Resources;
using Veriproof.Sdk;
builder.Services.AddOpenTelemetry()
.ConfigureResource(resource => resource
.AddService(
serviceName: Environment.GetEnvironmentVariable("OTEL_SERVICE_NAME") ?? "my-ai-app",
serviceVersion: Assembly.GetEntryAssembly()?.GetName().Version?.ToString()
)
.AddEnvironmentVariableDetector()
)
.WithTraces(traces => traces
.AddSource("*")
.AddVeriproofTracing(options =>
{
options.ApiKey = Environment.GetEnvironmentVariable("VERIPROOF_API_KEY")!;
options.Endpoint = "https://veriproof-api.rjrlabs.com"; // SaaS default
})
);Once configured, any Activity created in your application is automatically exported to VeriProof.
Azure Functions
For Azure Functions apps, apply the same configuration in Program.cs using the worker services DI container:
var host = new HostBuilder()
.ConfigureFunctionsWorkerDefaults()
.ConfigureServices((ctx, services) =>
{
services.AddOpenTelemetry()
.WithTraces(traces => traces
.AddSource("*")
.AddVeriproofTracing(options =>
{
options.ApiKey = ctx.Configuration["VeriproofApiKey"]!;
})
);
})
.Build();Configuration reference
VeriproofExporterOptions:
| Property | Required | Default | Description |
|---|---|---|---|
ApiKey | Yes* | — | Your VeriProof API key. Use ApiKeyProvider instead for production. |
ApiKeyProvider | Yes* | — | Async delegate that returns the key; preferred for dynamic rotation. |
Endpoint | Yes | https://veriproof-api.rjrlabs.com | Ingest API URL. Enterprise: override with your provisioned endpoint. |
TenantId | No | — | Customer UUID. Resolved server-side from the API key when omitted. |
ApplicationId | No | — | Pin to a specific application. Omit to use service.name auto-routing. |
AllowInsecureEndpoint | No | false | Allow plain HTTP endpoints. Only for private VNET enterprise deployments. |
EnableContentCapture | No | false | Export prompt/completion content (encrypted at rest with AES-256-GCM). |
RedactedAttributes | No | [] | Attribute keys whose values are replaced with [REDACTED] before export. |
ContentCaptureConventions | No | Both | OtelGenAi, OpenInference, or Both. |
DefaultTransactionType | No | null | Applied to all sessions unless overridden per-span. |
*One of ApiKey or ApiKeyProvider is required.
Dynamic key rotation with ApiKeyProvider
options.ApiKeyProvider = async (cancellationToken) =>
{
var secret = await secretClient.GetSecretAsync(
"veriproof-api-key",
cancellationToken: cancellationToken
);
return secret.Value.Value;
};The SDK caches the returned key for 5 minutes (configurable via ApiKeyProviderTtl) so key rotation does not require an application restart.
OTel resource attributes
VeriProof uses standard OTel resource attributes to route and classify your sessions:
| Attribute | How to set | VeriProof behavior |
|---|---|---|
service.name | OTEL_SERVICE_NAME env var, or AddService(serviceName:) | Routes traces to the matching application; auto-creates a dev app on first trace |
service.version | AddService(serviceVersion:) | Indexed per session — enables per-version filtering |
deployment.environment | OTEL_RESOURCE_ATTRIBUTES=deployment.environment=staging | Normalized to Development / Staging; a production value requires explicit portal app registration |
service.namespace | AddService(serviceNamespace:) | Portal grouping by team or domain |
Semantic attribute constants
OtelAttributeNames provides typed constants so your telemetry is correctly interpreted by VeriProof:
using Veriproof.Sdk;
activity?.SetTag(OtelAttributeNames.GenAi.RequestModel, "gpt-4o");
activity?.SetTag(OtelAttributeNames.Veriproof.RiskLevel, "HIGH");
activity?.SetTag(OtelAttributeNames.Veriproof.DecisionText, "Approved with standard terms");
activity?.SetTag(OtelAttributeNames.OpenInference.SpanKind, "LLM");OtelAttributeNames.GenAi — Standard OTel Semantic Conventions for generative AI: gen_ai.system, gen_ai.request.model, gen_ai.usage.input_tokens, etc.
OtelAttributeNames.Veriproof — VeriProof governance attributes: veriproof.transaction.type, veriproof.decision.text, veriproof.risk.level, veriproof.data.sensitivity, etc.
OtelAttributeNames.OpenInference — Arize OpenInference conventions for RAG and multimodal: input.value, output.value, document.content, openinference.span.kind, etc.
Content capture
By default, VeriProof does not capture prompt or completion text. To enable it:
options.EnableContentCapture = true;When enabled, VeriProof exports opt-in OTel GenAI content attributes (gen_ai.input.messages, gen_ai.output.messages, gen_ai.system_instructions) to the ingest API. All captured content is encrypted at rest using AES-256-GCM.
Only enable content capture after reviewing your data handling obligations. Please be aware that prompt and output text may contain PII.
Control the accepted format conventions with ContentCaptureConventions:
OtelGenAi— OTel GenAI Semantic Conventions 1.39 onlyOpenInference— Arize OpenInference attributes onlyBoth(default) — accepts both formats
Transport reliability
The VeriProof exporter runs in a background thread and does not block the calling activity. It includes:
| Feature | Behavior |
|---|---|
| Non-blocking | Background BatchActivityExportProcessor; no synchronous wait |
| Circuit breaker | Opens after 3 consecutive failures (configurable); prevents cascading failures |
| Bounded buffer | Holds up to 500 batches while circuit is open; oldest dropped if full |
| Retry | Exponential backoff for transient HTTP failures |
Logging export
VeriProof can also receive structured log entries alongside traces. Add the log exporter to your logging pipeline:
builder.Logging.AddOpenTelemetry(logging =>
logging.AddVeriproofLogExporter(options =>
{
options.ApiKey = Environment.GetEnvironmentVariable("VERIPROOF_API_KEY")!;
})
);Or configure both traces and logs in one call:
builder.Services.AddOpenTelemetry()
.WithTraces(traces => traces.AddVeriproofTracing(options => { ... }))
.WithLogging(logging => logging.AddVeriproofLogging(options => { ... }));Adding a second OTel exporter
To export spans to both VeriProof and another backend (Datadog, Honeycomb, etc.), register both exporters on the same TracerProviderBuilder:
.WithTraces(traces => traces
.AddSource("*")
.AddVeriproofTracing(vpOptions => { ... })
.AddOtlpExporter(otlpOptions =>
{
otlpOptions.Endpoint = new Uri("https://api.honeycomb.io/v1/traces");
otlpOptions.Headers = "x-honeycomb-team=your-api-key";
})
)Do not call AddOpenTelemetry() twice — all exporters belong on the same builder.
FAQ
My spans aren’t appearing in the VeriProof portal.
Check that AddSource("*") (or the specific ActivitySource names you use) is registered on the TracerProviderBuilder. Without this, your activities are not sampled by the OTel pipeline at all.
deployment.environment=production blocks auto-app creation — why?
This is a safety gate to prevent accidental production data from landing in an unconfigured application. Register your production application in the Customer Portal first, then VeriProof will route production traces to it automatically.
Does this work with Azure Monitor (Application Insights)?
Yes. Add AddAzureMonitorTraceExporter() to the same TracerProviderBuilder as AddVeriproofTracing(). Both exporters will receive the same spans.
Next steps
- SDK Overview — adapter package selection guide
- Semantic Kernel + AutoGen guide — configure multiple .NET adapters together
- SDK Troubleshooting — diagnose missing spans and authentication errors