Agent Cert
Reference

REST API.

All endpoints are HTTPS, JSON request/response, and authenticated with an API key in the X-API-Key header. The OpenAPI schema is served at /openapi.json on your backend.

Authentication

Every authenticated endpoint requires an API key in the X-API-Key header. Get your key at /welcome (issued at signup) or rotate it from /settings/api-keys.

X-API-Key: ak_live_...
Content-Type: application/json

Invalid or revoked keys return HTTP 401. Admin-only endpoints (under /admin/*) require the key's owning account to have is_admin = true.

Receipts

POST /v1/receipts

Submit an agent execution for evaluation. Deducts 3 credits, returns a signed Decision Receipt. Anchoring to Solana happens asynchronously via the background worker — the receipt is returned immediately with anchor_status: "pending" and the dashboard polls for the anchor.

Body

{
  "agent_id":          string,            // required, your stable identifier for the agent
  "platform":          string,            // "bedrock" | "copilot" | "langchain" | "crewai" | "custom"
  "user_intent":       string,            // what the user asked the agent
  "agent_output":      string,            // what the agent ultimately produced
  "tools_used":        string[],          // tool / function names the agent invoked
  "retrieval_summary": string?,           // summary of retrieved context (RAG)
  "policy_rules":      string[]?,         // ad-hoc rules to enforce on this call only
  "policy_id":         string?,           // OR reference a bound policy by id
  "model":             string?,           // optional — name of the agent's LLM
  "metadata":          object?            // free-form, becomes part of execution_hash
}

Response 200

{
  "receipt_id":              string,      // "rcpt_..."
  "trust_score":             0..100,
  "risk_level":              "low" | "medium" | "high",
  "policy_compliant":        boolean,
  "prompt_injection_detected": boolean,
  "sensitive_data_risk":     "low" | "medium" | "high",
  "summary":                 string,
  "evaluator_model":         string,
  "policy_version":          string,
  "execution_hash":          "sha256:...",
  "evaluation_hash":         "sha256:...",
  "signature":               "ed25519:...",
  "anchor_status":           "pending" | "anchored" | "failed",
  "verify_url":              string,      // public verify URL
  "credits_remaining":       integer,
  "created_at":              iso8601
}

Errors

  • 400 — invalid request body
  • 401 — missing / invalid API key
  • 402 — insufficient credits (top up via the CERT bridge)
  • 422 — schema validation failure

GET /v1/receipts/{receipt_id}

Fetch a single receipt by ID. Returns the same shape as POST.

GET /v1/receipts

List receipts for the authenticated account. Admins see all receipts. Query params: limit (default 25, max 100), offset (default 0), agent_id (filter).

GET /v1/receipts/{receipt_id}/verify

Re-verify a receipt: recomputes execution + evaluation hashes, validates the Ed25519 signature, returns:

{
  "verified":              boolean,
  "signature_valid":       boolean,
  "execution_hash_match":  boolean,
  "evaluation_hash_match": boolean,
  "checked_at":            iso8601
}
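
The receipt flow above from the client side, as an added example that is not Agent Cert's own code or SDK: it builds the POST /v1/receipts request and applies a fail-closed gate to a receipt together with its /verify result. The function names, the treatment of policy_rules and policy_id as mutually exclusive, the risk threshold and the sample values are assumptions.

```python
import json
import urllib.request

PLATFORMS = {"bedrock", "copilot", "langchain", "crewai", "custom"}
VERIFY_FLAGS = ("verified", "signature_valid",
                "execution_hash_match", "evaluation_hash_match")
PREFIXES = {"signature": "ed25519:", "execution_hash": "sha256:",
            "evaluation_hash": "sha256:"}

def build_receipt_request(base_url, api_key, body):
    """Build (without sending) POST /v1/receipts after client-side checks."""
    if not body.get("agent_id"):
        raise ValueError("agent_id is required")
    if body.get("platform") not in PLATFORMS:
        raise ValueError("unknown platform")
    # Assumption: the "OR" in the schema comment means one or the other.
    if body.get("policy_rules") and body.get("policy_id"):
        raise ValueError("send policy_rules or policy_id, not both")
    return urllib.request.Request(
        base_url.rstrip("/") + "/v1/receipts", method="POST",
        data=json.dumps(body).encode("utf-8"),
        headers={"X-API-Key": api_key, "Content-Type": "application/json"})

def accept_receipt(receipt, verify, require_anchor=False):
    """Fail-closed gate over a receipt and its /verify result: (ok, reasons)."""
    # Each flag must be literally True; a missing or null field is a failure.
    reasons = [f"{k} is not true" for k in VERIFY_FLAGS if verify.get(k) is not True]
    for field, prefix in PREFIXES.items():
        if not str(receipt.get(field, "")).startswith(prefix):
            reasons.append(f"{field} lacks the {prefix} prefix")
    for field, want in (("policy_compliant", True), ("prompt_injection_detected", False)):
        if receipt.get(field) is not want:
            reasons.append(f"{field} is not {want}")
    # Local policy (assumption): refuse anything not rated "low" or "medium".
    for field in ("risk_level", "sensitive_data_risk"):
        if receipt.get(field) not in ("low", "medium"):
            reasons.append(f"{field} is {receipt.get(field)!r}")
    # "pending" is the normal state right after POST; "failed" never passes.
    allowed = {"anchored"} if require_anchor else {"anchored", "pending"}
    if receipt.get("anchor_status") not in allowed:
        reasons.append(f"anchor_status is {receipt.get('anchor_status')!r}")
    return (not reasons, reasons)

# Constructed sample data, not real API output.
SAMPLE_RECEIPT = {"signature": "ed25519:EXAMPLE", "execution_hash": "sha256:EXAMPLE",
                  "evaluation_hash": "sha256:EXAMPLE", "policy_compliant": True,
                  "prompt_injection_detected": False, "risk_level": "low",
                  "sensitive_data_risk": "low", "anchor_status": "pending"}
SAMPLE_VERIFY = dict.fromkeys(VERIFY_FLAGS, True)
```

Send the built request with urllib.request.urlopen, and load the API key from a secret store or environment variable rather than from source.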

GET /v1/receipts/{receipt_id}/anchor

Read the on-chain anchor proof. Returns status, Solana tx signature, explorer URL, network, hash-match result.

Credits

GET /v1/credits/balance

Returns your current credit balance and recent ledger entries.

{
  "balance":  integer,
  "recent": [
    { "type": "grant" | "charge" | "refund" | "bridge", "amount": int, "at": iso8601, "memo": string }
  ]
}

Authentication endpoints

GET /v1/auth/me

Returns the authenticated principal (user ID, email, role).

POST /v1/auth/bootstrap

Called once after first signup. Provisions the account, grants 30 free trial credits, issues the initial API key. Idempotent — returning users get is_new: false and no new key.

POST /v1/auth/api-keys/rotate

Issues a new API key for the authenticated account. The previous key is revoked immediately — update your integrations before calling this.

Agents & Policies

See the dashboard pages for the full set: GET /v1/agents, PUT /v1/agents/{id}/policy, GET /v1/policies, POST /v1/policies, DELETE /v1/policies/{id}. Full schemas in /openapi.json.

Rate limits

No hard limits enforced today on the public devnet. Receipts are rate-limited only by your credit balance (3 per call). For high-volume integrations on mainnet, contact us.

Status codes summary

Code  Meaning
200   Success
201   Resource created (receipt issued)
400   Bad request — malformed body
401   Missing or invalid API key
402   Insufficient credits
403   Forbidden — admin endpoint, non-admin caller
404   Receipt / agent / policy not found (or not yours)
422   Schema validation failed
500   Internal error — check status page