-
Notifications
You must be signed in to change notification settings - Fork 0
Gateway API
The A1 gateway exposes a REST/JSON API on http://localhost:8080 (default). All endpoints accept and return application/json. Admin endpoints require an Authorization: Bearer <A1_ADMIN_SECRET> header when A1_ADMIN_SECRET is set.
git clone https://github.com/dyologician/A1
cd A1
./setup.shAuthorize a single agent intent against a delegation chain.
Request
{
"chain": { /* SignedChain wire format */ },
"intent_name": "trade.equity",
"intent_params": { "symbol": "AAPL" },
"executor_pk_hex": "4a1b2c..."
}Response 200
{
"authorized": true,
"chain_depth": 2,
"chain_fingerprint": "a3b2c1...",
"namespace": "trading-bot",
"capability_mask": "00ff..."
}Response 403
{
"error_code": "PASSPORT_NARROWING_VIOLATION",
"message": "agent does not hold capability trade.equity"
}Authorize up to 256 intents in a single request. Returns one result per intent.
Request
{
"chain": { /* SignedChain */ },
"executor_pk_hex": "4a1b2c...",
"intents": [
{ "intent_name": "trade.equity", "intent_params": { "symbol": "AAPL" } },
{ "intent_name": "portfolio.read" }
]
}Response 200
{
"results": [
{ "authorized": true, "intent_name": "trade.equity", "chain_depth": 2 },
{ "authorized": true, "intent_name": "portfolio.read", "chain_depth": 2 }
]
}Passport-level authorization. Metrics are tracked separately from chain authorization.
Same request/response shape as /v1/authorize. Use this endpoint when you want to separate passport-specific metrics from raw chain metrics in your observability stack.
Issue a delegation certificate.
Request
{
"delegate_pk_hex": "4a1b2c...",
"capabilities": ["trade.equity", "portfolio.read"],
"ttl_seconds": 3600,
"namespace": "trading-bot",
"idempotency_key": "optional-dedup-key"
}Response 200
{
"cert": { /* DelegationCert wire format */ },
"fingerprint": "a3b2c1..."
}Issue multiple delegation certs atomically.
{
"certs": [
{ "delegate_pk_hex": "...", "capabilities": ["trade.equity"], "ttl_seconds": 3600 },
{ "delegate_pk_hex": "...", "capabilities": ["portfolio.read"], "ttl_seconds": 1800 }
],
"namespace": "trading-bot"
}Revoke a certificate by fingerprint. Immediate effect.
{ "fingerprint": "a3b2c1..." }Bulk revocation.
{ "fingerprints": ["a3b2c1...", "d4e5f6..."] }Check revocation status.
Response 200
{
"fingerprint": "a3b2c1...",
"revoked": false,
"revoked_at": null
}List all passport files known to the gateway.
Issue a new root passport.
{
"namespace": "trading-bot",
"capabilities": ["trade.equity", "portfolio.read"],
"ttl_seconds": 2592000
}Re-issue a passport with a new TTL.
{ "namespace": "trading-bot", "ttl_seconds": 2592000 }Read a passport by namespace.
GET /v1/passports/read?namespace=trading-bot
Revoke all certs under a namespace.
{ "namespace": "trading-bot" }Verify a VerifiedToken HMAC receipt produced by the gateway.
{ "token": "a1.v1.base64encodedhmac..." }The gateway's own W3C DID Document.
Resolve any Ed25519 public key to a W3C DID Document.
GET /v1/did/4a1b2c3d...
Issue a W3C Verifiable Credential.
{
"subject_pk_hex": "4a1b2c...",
"claims": { "role": "trader", "clearance": "level-2" }
}Verify a W3C VC and extract claims.
{ "vc": { /* VerifiableCredential JSON-LD */ } }Create a new agent swarm.
{
"name": "trading-swarm",
"capabilities": ["trade.equity"],
"ttl_days": 30
}Add an agent to a swarm.
{
"swarm_id": "swarm-abc123",
"agent_pk_hex": "4a1b2c...",
"role": "worker",
"capabilities": ["trade.equity"],
"ttl_seconds": 3600
}Remove an agent from a swarm.
List active swarm members.
Return the active delegation policy.
Verify a governance approval record against its on-chain hash.
Generate a structured audit report.
| Method | Path | Description |
|---|---|---|
POST |
/v1/negotiate |
Agent-to-agent capability negotiation handshake |
POST |
/v1/jwt/exchange |
Exchange a JWKS-verified JWT for a scoped DelegationCert |
POST |
/v1/anchor |
Anchor a ZkChainCommitment to a transparency log |
POST |
/v1/debug/explain-error |
Translate an A1 error code to plain English |
GET |
/v1/tenant/info |
Active tenant context |
GET |
/v1/tenant/config |
Per-tenant capability allowlist |
GET |
/v1/webhook/status |
Webhook delivery status |
POST |
/v1/webhook/test |
Send a test webhook event |
GET |
/healthz |
Health check — returns {"status":"ok"}
|
GET |
/.well-known/a1-configuration |
Service discovery document |
GET |
/.well-known/schema.json |
Wire format JSON Schema |
GET |
/studio |
A1 Studio web dashboard |
| Code | HTTP | Meaning |
|---|---|---|
PASSPORT_NARROWING_VIOLATION |
403 | Agent requests a capability not in its cert |
CERT_EXPIRED |
403 | Delegation cert has passed its expires_at
|
CERT_REVOKED |
403 | Cert fingerprint found in RevocationStore |
NONCE_REPLAY |
403 | Intent nonce already consumed |
NAMESPACE_MISMATCH |
403 | Chain namespace does not match request |
SIGNATURE_INVALID |
403 | Ed25519 signature verification failed |
CHAIN_DEPTH_EXCEEDED |
403 | Chain exceeds configured max depth |
POLICY_VIOLATION |
403 | Policy rule (TTL, depth, namespace) violated |
UNAUTHORIZED |
401 | Missing or invalid A1_ADMIN_SECRET
|
INTERNAL_ERROR |
500 | Gateway internal error |
| Variable | Default | Description |
|---|---|---|
A1_SIGNING_KEY_HEX |
auto | 32-byte hex Ed25519 seed |
A1_MAC_KEY_HEX |
auto | 32-byte hex HMAC key |
A1_ADMIN_SECRET |
none | Bearer token for admin endpoints |
A1_REDIS_URL |
none | Redis URL for persistent nonce/revocation store |
A1_PG_URL |
none | Postgres URL for persistent store |
A1_RATE_LIMIT_RPS |
500 | Per-IP requests per second |
A1_CORS_ALLOWED_ORIGIN |
none | CORS origin header |
GATEWAY_ADDR |
0.0.0.0:8080 | Bind address |
A1_PUBLIC_BASE_URL |
http://localhost:8080 | Used in service discovery doc |
RUST_LOG |
a1_gateway=info | Log filter |
Source: a1-gateway/src/routes/ · Back to wiki home