REST API · v1

AgentGate API Reference

Register AI agents, evaluate authorization requests through a 5-gate pipeline, inspect a tamper-evident audit trail, and programmatically revoke access, all from your own code.

Base URL: https://agent-gate-theta.vercel.app

Authorization Pipeline

Identity → Intent → Policy → Consent → Token

JSON responses · Bearer token auth · HTTPS only · SHA-256 audit chain · SPIFFE IDs

TypeScript SDK

The official SDK wraps the REST API: one import, one call. Full TypeScript types included, zero runtime dependencies.

npm install @damitha-perera/agentgate
Quick Start (TypeScript)
import { AgentGate } from '@damitha-perera/agentgate';

const gate = new AgentGate({
  baseUrl: 'https://agent-gate-theta.vercel.app',
  apiKey: process.env.AGENTGATE_API_KEY!,
});

// 1. Register your agent once, then store the token
const agent = await gate.register({
  name: 'my-crewai-agent',
  framework: 'crewai',
  capabilities: ['gmail.read', 'github.write'],
  trustLevel: 1,
});

// 2. Authorize before every action
const result = await gate.authorize({
  agentToken: agent.token,
  action: { type: 'read', operation: 'list_emails', service: 'gmail' },
  resource: { type: 'email' },
  context: { recipientExternal: false },
});

if (!result.allowed) throw new Error(result.reason);
console.log(result.decision); // 'ALLOWED' | 'DENIED' | 'ESCALATED'
SDK Methods
gate.register(opts): Register a new agent, get identity token
gate.authorize(opts): Run the 5-gate pipeline, get decision + scoped token
gate.revokeAgent(id): Revoke a specific agent by ID
gate.revokeService(svc): Revoke all agents for a service
gate.panic(): Emergency, revoke all agents immediately

npm: @damitha-perera/agentgate. TypeScript types included, zero runtime dependencies, ESM + CJS.

Authentication

Most endpoints require authentication. AgentGate supports two methods:

API KEY: For agents & automation

Generate an API key from the dashboard and include it in every request:

Authorization: Bearer ag_live_...
SESSION: For the dashboard

Log in via Auth0. The session cookie is automatically sent by the browser from the dashboard UI.

Cookie: appSession=...
Important: API keys are shown exactly once at creation. Store them securely; they cannot be recovered. Revoke compromised keys immediately from the dashboard.

Agents

5 endpoints
POST /api/agents/register
🔒 Bearer ag_live_...

Register a new agent. Returns the agent record and a signed JWT for the agent to use in subsequent authorization requests.

{
  "name": "My Research Agent",
  "framework": "crewai",
  "capabilities": ["github.read", "gmail.send"],
  "trustLevel": 2
}
GET /api/agents
🔒 Bearer ag_live_...

List all registered agents including their status, trust level, and last activity.

{
  "agents": [
    {
      "id": "agt_7x3k...",
      "name": "My Research Agent",
      "framework": "crewai",
      "status": "active",
      "trustLevel": 2,
      "lastActivity": "2025-04-01T12:05:00Z"
    }
  ]
}
POST /api/revoke/agent
🔒 Bearer ag_live_...

Revoke a specific agent. Triggers cascade revocation: all downstream tokens for this agent are destroyed.

{ "agentId": "agt_7x3k..." }
POST /api/revoke/service
🔒 Bearer ag_live_...

Revoke all agents that have capabilities for a given service (e.g. "github", "gmail").

{ "service": "github" }
POST /api/revoke/panic
🔒 Bearer ag_live_...

Emergency: revoke ALL active agents immediately. Use with caution: this destroys every active agent token.

{ "success": true, "revokedAgents": 7, "revokedTokens": 24 }

Authorization

1 endpoint
POST /api/authorize
Public

Request authorization for an agent action. The agent presents its JWT (from /api/agents/register), and AgentGate evaluates the request through all 5 gates: Identity → Intent → Policy → Consent → Token.

{
  "agentToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "action": {
    "type": "write",
    "operation": "send_email",
    "service": "gmail"
  },
  "resource": { "type": "email" },
  "context": { "recipientExternal": false }
}

Audit

3 endpoints
GET /api/audit
🔒 Bearer ag_live_...

Retrieve audit log entries with pagination. Each entry includes a SHA-256 hash linking to the previous entry, forming a tamper-evident chain.

{
  "entries": [
    {
      "id": "aud_x9k...",
      "timestamp": "2025-04-01T12:05:00Z",
      "sequenceNumber": 42,
      "type": "TOKEN_ISSUED",
      "agentId": "agt_7x3k...",
      "action": "gmail.write:send_email",
      "resource": "email",
      "decision": "ALLOWED",
      "hash": "a3f9c2...",
      "previousHash": "7b2d14..."
    }
  ]
}
POST /api/audit/verify
🔒 Bearer ag_live_...

Verify the integrity of the audit hash chain. Checks every entry's hash against the previous entry to detect tampering.

{
  "valid": true,
  "entriesChecked": 42,
  "firstEntry": "aud_001...",
  "lastEntry": "aud_042..."
}
GET /api/audit/export
🔒 Bearer ag_live_...

Export the full audit log as a JSON file download.

// Returns: application/json file download
// Content-Disposition: attachment; filename="audit-export-2025-04-01.json"
[{ "id": "aud_x9k...", "timestamp": "...", ... }]
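
Added example (not AgentGate's own code): an offline linkage check over an exported audit log, usable as an independent cross-check of /api/audit/verify. It relies only on the entry fields shown above; the page does not document which fields feed each SHA-256 hash, so recomputation is left to a hypothetical `recompute` callback, and the entries in `sampleChain` are constructed.

```typescript
interface AuditEntry {
  id: string;
  sequenceNumber: number;
  hash: string;
  previousHash: string;
}

interface ChainResult { valid: boolean; entriesChecked: number; problems: string[] }

// `recompute` is a hypothetical hook: supply it once you know how the server
// derives an entry's hash from its content. Without it, only linkage and
// sequence continuity are checked.
function verifyChain(
  entries: AuditEntry[],
  recompute?: (e: AuditEntry) => string,
): ChainResult {
  const sorted = entries.slice().sort((a, b) => a.sequenceNumber - b.sequenceNumber);
  const problems: string[] = [];
  for (let i = 0; i < sorted.length; i++) {
    const cur = sorted[i];
    if (recompute && recompute(cur) !== cur.hash) {
      problems.push(`${cur.id}: stored hash does not match entry content`);
    }
    if (i === 0) continue; // first entry of the export has no predecessor here
    const prev = sorted[i - 1];
    if (cur.sequenceNumber !== prev.sequenceNumber + 1) {
      problems.push(`${cur.id}: sequence gap after ${prev.id}`);
    }
    if (cur.previousHash !== prev.hash) {
      problems.push(`${cur.id}: previousHash does not match hash of ${prev.id}`);
    }
  }
  return { valid: problems.length === 0, entriesChecked: sorted.length, problems };
}

// Constructed sample data; real hashes are 64 hex characters.
const sampleChain: AuditEntry[] = [
  { id: 'aud_a', sequenceNumber: 40, hash: 'aaaa', previousHash: '9999' },
  { id: 'aud_b', sequenceNumber: 41, hash: 'bbbb', previousHash: 'aaaa' },
  { id: 'aud_c', sequenceNumber: 42, hash: 'cccc', previousHash: 'bbbb' },
];

console.log(verifyChain(sampleChain));
// A deleted entry shows up as both a sequence gap and a broken link.
console.log(verifyChain(sampleChain.filter(e => e.id !== 'aud_b')).problems);
```

A linkage check alone cannot detect an attacker who rewrites an entry and every hash after it, so compare the last hash of each export against a copy stored outside the system.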

Policy

2 endpoints
GET /api/policy/rules
Public

Get all policy rules. Rules are evaluated in priority order: DENY → ESCALATE → ALLOW. First matching rule wins.

{
  "rules": [
    {
      "id": "allow-read-trusted",
      "name": "Allow reads by trusted agents",
      "condition": { "actionTypes": ["read"], "minTrustLevel": 2 },
      "decision": "ALLOW",
      "enabled": true
    }
  ]
}
POST /api/policy/rules
🔒 Bearer ag_live_...

Save (replace) all policy rules. Sends the complete array.

{
  "rules": [
    {
      "id": "my-rule",
      "name": "Block all deletes",
      "description": "Deny all delete operations",
      "condition": { "actionTypes": ["delete"] },
      "decision": "DENY",
      "enabled": true
    }
  ]
}
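
Added example (not AgentGate's own code): a local dry run of a rule set before it is sent to POST /api/policy/rules, which replaces every existing rule. It applies the DENY → ESCALATE → ALLOW order described above and assumes that an omitted condition field matches anything, that `minTrustLevel` means the agent's trust level must be at least that value, and that a request matched by no rule is denied; the `escalate-writes` and `allow-all-trusted` rules are constructed.

```typescript
type Decision = 'DENY' | 'ESCALATE' | 'ALLOW';

interface Rule {
  id: string;
  condition: { actionTypes?: string[]; minTrustLevel?: number };
  decision: Decision;
  enabled: boolean;
}

interface AgentRequest { actionType: string; trustLevel: number }
interface Verdict { decision: Decision; ruleId: string | null }

// Priority order stated in the API reference.
const PRIORITY: Decision[] = ['DENY', 'ESCALATE', 'ALLOW'];

// Assumption: omitted fields match anything; trustLevel >= minTrustLevel passes.
function matches(rule: Rule, req: AgentRequest): boolean {
  const { actionTypes, minTrustLevel } = rule.condition;
  if (actionTypes && actionTypes.indexOf(req.actionType) === -1) return false;
  if (minTrustLevel !== undefined && req.trustLevel < minTrustLevel) return false;
  return true;
}

// Scan by decision class first, so array order only matters within a class.
function evaluate(rules: Rule[], req: AgentRequest): Verdict {
  for (const decision of PRIORITY) {
    for (const rule of rules) {
      if (rule.enabled && rule.decision === decision && matches(rule, req)) {
        return { decision, ruleId: rule.id };
      }
    }
  }
  return { decision: 'DENY', ruleId: null }; // assumption: fail closed
}

// The broad ALLOW rule is listed before the DENY rule on purpose.
const sampleRules: Rule[] = [
  { id: 'allow-all-trusted', condition: { minTrustLevel: 2 }, decision: 'ALLOW', enabled: true },
  { id: 'allow-read-trusted', condition: { actionTypes: ['read'], minTrustLevel: 2 }, decision: 'ALLOW', enabled: true },
  { id: 'my-rule', condition: { actionTypes: ['delete'] }, decision: 'DENY', enabled: true },
  { id: 'escalate-writes', condition: { actionTypes: ['write'] }, decision: 'ESCALATE', enabled: false },
];

console.log(evaluate(sampleRules, { actionType: 'delete', trustLevel: 3 })); // DENY via my-rule
console.log(evaluate(sampleRules, { actionType: 'write', trustLevel: 2 })); // ALLOW: escalate rule is disabled
```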

API Keys

3 endpoints
GET /api/keys
🔒 Session cookie required.

List your API keys. Returns display-safe fields only; the raw key is never returned after creation.

{
  "keys": [
    {
      "id": "key_abc123...",
      "name": "Production Agent",
      "keyPrefix": "ag_live_ABCD...",
      "createdAt": "2025-04-01T10:00:00Z",
      "lastUsedAt": "2025-04-01T12:05:00Z",
      "isActive": true
    }
  ]
}
POST /api/keys
🔒 Session cookie required.

Generate a new API key. The raw key is returned exactly once; store it securely.

{ "name": "Production Agent" }
DELETE /api/keys/[id]
🔒 Session required. You can only revoke your own keys.

Revoke an API key immediately. Future requests using it return 401.

{ "success": true }