API Reference
Full REST API with OpenAPI documentation, schema-first validation, and response filtering on every route.
Capabilities
What you can do with the API
The API covers the full authorization lifecycle, delegation management, activity recording, and operational monitoring.
Authorizations
Create, update, and manage authorizations with full lifecycle control. Bulk creation supported. Filter and search across your authorization portfolio.
Delegation chains
Create child authorizations linked to parents. Reconstruct the full chain with one call. Constraints inherit automatically.
Agent-to-agent flow
Propose, accept, reject, or counter-propose authorizations between agents. Full bilateral negotiation support.
Activity records
Submit structured evidence against authorizations. Records are validated against the contract type schema before acceptance.
Outcome recording
Submit activity records validated against the contract type schema. The requester reports whether they accept or dispute the outcome.
Dispute resolution
Initiate disputes, submit evidence, and escalate through three tiers. All evidence is hash-verified.
Agent reputation
Query composite scores and per-contract-type breakdowns. Scores update automatically on every outcome and dispute resolution.
Webhooks
Register subscriptions, manage lifecycle, and inspect delivery logs. Deliveries are HMAC-signed, retried, and deduplicated.
Contract type schemas
Browse available contract types and their schemas. Dry-run validation before submitting records.
Dashboard endpoints
Aggregated statistics and audit trail views for operational dashboards.
A2A discovery
Standard agent card endpoint for A2A protocol compatibility.
Properties
API Design
Schema-first validation
Every request is validated against a JSON Schema before processing. Invalid requests are rejected with detailed error messages.
Response filtering
Response schemas strip undeclared fields on every route, preventing accidental data leakage.
Idempotency
Supply an idempotency key for safe retries on create operations. Duplicate requests return the original response.
Request tracing
Every response includes a request ID for end-to-end tracing. Supply your own or use the server-generated one.
Bearer authentication
API key authentication with role-based access control. Keys are one-way hashed — never stored in plaintext.
Rate limiting
Per-key rate limits with tiered thresholds. 429 responses include Retry-After headers.
Explore the full API
The live API docs include request/response schemas, example payloads, and a try-it-out console.