REST API Overview
The AgentVault backend exposes a RESTful API at https://api.agentvault.chat. All routes are prefixed with /api/v1/ and return JSON responses.
Zero-knowledge principle: The API transports only ciphertext. Message bodies are opaque BYTEA blobs encrypted client-side. The server never decrypts or inspects message content.
Base URL
https://api.agentvault.chat/api/v1
Authentication
AgentVault uses three authentication methods depending on the endpoint:
| Method | Header | Used By |
|---|---|---|
| Clerk JWT | `Authorization: Bearer <clerk_jwt>` | Owner dashboard, web/mobile app |
| Device JWT | `Authorization: Bearer <device_jwt>` | Enrolled agent devices |
| API Key | `X-API-Key: av_agent_sk_...` | Third-party agents via @agentvault/client |
Example using a Clerk JWT (owner). The Device JWT form for agent plugins is identical; API-key clients using the client SDK send the `X-API-Key` header from the table instead:

```shell
curl https://api.agentvault.chat/api/v1/conversations \
  -H "Authorization: Bearer eyJhbGciOi..."
```
Common Response Patterns
All error responses follow a consistent shape:

```json
{
  "detail": "Human-readable error description"
}
```
Standard HTTP status codes are used throughout:
| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created |
| 204 | Deleted (no body) |
| 400 | Bad request / validation error |
| 401 | Missing or invalid authentication |
| 403 | Forbidden (wrong tenant, revoked device) |
| 404 | Resource not found |
| 409 | Conflict (e.g. revoking an already-consumed invite) |
| 429 | Rate limited |
Rate Limits
| Endpoint | Limit |
|---|---|
| POST /enroll | 5 requests per IP per 10 minutes |
| GET /devices/{id}/status | 1 request per 5 seconds per device |
| Messaging (WebSocket) | 60 messages per minute |
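The following is an added example, not code from @agentvault/client or the AgentVault backend. It puts the three sections above together: the header for each credential type, the `{"detail": ...}` error shape turned into a typed error, and a status poll for `GET /devices/{id}/status` that never exceeds the documented 1 request per 5 seconds, treating 429 as "wait another interval" and 403/404 as fatal. The HTTP transport is injected (fetch-like) so the demo runs offline against a scripted fake server. One assumption: the status endpoint returns `{"status": "pending" | "approved" | ...}`; the page only names `"pending"`.

```javascript
// Added example; not code from @agentvault/client or the AgentVault backend.
// ASSUMPTION: GET /devices/{id}/status returns {"status": "pending"|"approved"|...}.
const BASE_URL = 'https://api.agentvault.chat/api/v1';

function authHeaders(cred) {
  switch (cred.kind) {
    case 'clerk_jwt':
    case 'device_jwt':
      return { Authorization: `Bearer ${cred.value}` };
    case 'api_key':
      return { 'X-API-Key': cred.value };
    case 'none': // enrollment and status polling: no credential, only rate limits
      return {};
    default:
      throw new Error(`unknown credential kind: ${cred.kind}`);
  }
}

class ApiError extends Error {
  constructor(status, detail) {
    super(`HTTP ${status}: ${detail}`);
    this.status = status;
    this.detail = detail;
  }
}

// transport(url, { method, headers, body }) resolves to { status, json() }, like fetch.
async function request(transport, cred, method, path, body) {
  const headers = { ...authHeaders(cred) };
  if (body !== undefined) headers['Content-Type'] = 'application/json';
  const res = await transport(BASE_URL + path, {
    method,
    headers,
    body: body === undefined ? undefined : JSON.stringify(body),
  });
  if (res.status === 204) return null; // e.g. successful DELETE, no body
  const json = await res.json().catch(() => null);
  if (res.status >= 400) {
    throw new ApiError(res.status, (json && json.detail) || 'no error detail');
  }
  return json;
}

// Poll until the device leaves "pending". Sleeps a full interval between polls so
// the client never exceeds 1 request / 5 s / device; a 429 simply costs one more wait.
async function pollDeviceStatus(transport, deviceId, { intervalMs = 5000, maxPolls = 20, sleep }) {
  for (let i = 0; i < maxPolls; i++) {
    try {
      const s = await request(transport, { kind: 'none' }, 'GET', `/devices/${deviceId}/status`);
      if (s.status !== 'pending') return s;
    } catch (e) {
      if (!(e instanceof ApiError) || e.status !== 429) throw e; // 403 revoked, 404 unknown: stop
    }
    await sleep(intervalMs);
  }
  throw new Error(`device ${deviceId} still pending after ${maxPolls} polls`);
}

// Scripted fake server (constructed for this demo): replays responses in order.
function fakeTransport(script) {
  const t = async () => {
    const r = script[Math.min(t.calls++, script.length - 1)];
    return { status: r.status, json: async () => r.body };
  };
  t.calls = 0;
  return t;
}

async function runDemo() {
  const transport = fakeTransport([
    { status: 429, body: { detail: 'rate limited' } },
    { status: 200, body: { status: 'pending' } },
    { status: 200, body: { status: 'approved' } },
  ]);
  const slept = [];
  const status = await pollDeviceStatus(transport, 'dev-1', {
    sleep: async (ms) => { slept.push(ms); },
  });
  return { status, polls: transport.calls, slept }; // 3 polls, two 5 s waits
}
```

Swap `fakeTransport` for the global `fetch` and a real `setTimeout`-based `sleep` to use it against the live API; the error handling is the part worth keeping, since a revoked device (403) must stop polling rather than retry forever.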
Endpoint Groups
Health
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /health | None | Returns `{ "status": "ok", "version": "..." }` |
Tenants
Tenant provisioning. A tenant is the top-level organizational unit with its own row-level security (RLS) boundary; requests authenticated for one tenant that touch another tenant's resources are rejected with 403.

| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/tenants | Clerk JWT | Create a new tenant and provision the caller as OWNER_ADMIN |
Invites
Manage invite tokens for agent enrollment.
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/invites | Clerk JWT | Create a new invite token (returns raw token once) |
| GET | /api/v1/invites | Clerk JWT | List all invites for the tenant |
| POST | /api/v1/invites/{id}/revoke | Clerk JWT | Revoke an active invite |
| DELETE | /api/v1/invites/{id} | Clerk JWT | Soft-delete a revoked/consumed/expired invite |
Enrollment
Public endpoints for agent device enrollment. No auth required; the invite token serves as authorization, so treat it like a credential: it is returned to the owner only once (see Invites) and anyone holding it can consume it. The device it creates still starts as "pending" and must be approved by the owner, and the fingerprint in the response is what the owner should compare out-of-band before approving.

| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/enroll | None (rate-limited) | Agent consumes an invite token and registers a device. Submits identity/ephemeral public keys and a proof of possession. |

Request body fields:

- The raw invite token received from the owner.
- Hex-encoded Ed25519 identity public key.
- Hex-encoded X25519 ephemeral public key for X3DH.
- Hex-encoded signature proving ownership of the identity key.
- Platform identifier (e.g. "node", "python").

Response fields:

- UUID of the newly created device.
- Human-readable fingerprint of the device's identity key.
- Initial status, typically "pending".
Devices
Manage enrolled devices (both owner and agent devices).
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/devices | Clerk JWT | List all devices in the tenant with health state |
| GET | /api/v1/devices/{id}/status | None (rate-limited) | Poll device enrollment status (agent polling) |
| POST | /api/v1/devices/{id}/activate | None | Activate an approved device, create conversations, return device JWT |
| GET | /api/v1/devices/{id}/presence | Clerk JWT | Check if a device is currently online |
| GET | /api/v1/devices/{id}/keys | Clerk JWT | Get a device's public keys |
| GET | /api/v1/devices/{id}/messages | Device JWT | Fetch message history for a device's conversations |
| GET | /api/v1/devices/{id}/pending | Device JWT | Count pending (undelivered) messages |
| PATCH | /api/v1/devices/{id}/approve | Clerk JWT | Approve a pending device |
| PATCH | /api/v1/devices/{id}/revoke | Clerk JWT | Revoke a device (force-disconnects WebSocket) |
| PATCH | /api/v1/devices/{id} | Clerk JWT | Rename a device |
| PATCH | /api/v1/devices/{id}/webhook | Clerk JWT | Register or clear a webhook URL |
| PATCH | /api/v1/devices/self/webhook | Device JWT | Register or clear webhook URL for the calling device |
| DELETE | /api/v1/devices/{id} | Clerk JWT | Delete a revoked device |
| DELETE | /api/v1/devices/{id}/remove | Clerk JWT | Remove an owner device (requires `X-Device-Id` header) |
| POST | /api/v1/devices/register | Clerk JWT | Register the owner's device with crypto keys |
| POST | /api/v1/devices/{id}/relink | Clerk JWT | Idempotent relink: ensure an owner device has active conversations with all agents |
Conversations
Manage conversations and messages between owner and agent devices.
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/conversations | Clerk JWT | List all conversations with topic metadata |
| POST | /api/v1/conversations/{id}/messages | Clerk JWT | Store an encrypted message (ciphertext + header blob) |
| GET | /api/v1/conversations/{id}/messages | Clerk JWT | Fetch message history (supports `since`, `limit`, `topic_id` filters) |
| GET | /api/v1/conversations/{id}/keys | Clerk JWT | Get counterparty's public keys for X3DH initialization |
Topics
Chat topics within a conversation group.
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/topics | Clerk JWT | List topics for a conversation group (query: `group_id`) |
| POST | /api/v1/topics | Clerk JWT | Create a new topic |
| PATCH | /api/v1/topics/{id} | Clerk JWT | Rename a topic |
| POST | /api/v1/topics/{id}/archive | Clerk JWT | Archive a topic (cannot archive the default topic) |
Rooms
Multi-agent rooms with pairwise encrypted conversations.
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/rooms | Clerk JWT | Create a room with members and pairwise conversations |
| GET | /api/v1/rooms | Clerk JWT | List all active rooms |
| GET | /api/v1/rooms/{id} | Clerk JWT | Get room details including members and conversations |
| PATCH | /api/v1/rooms/{id} | Clerk JWT | Update room settings (policies, security level) |
| POST | /api/v1/rooms/{id}/members | Clerk JWT | Add a member to a room |
| DELETE | /api/v1/rooms/{id}/members/{device_id} | Clerk JWT | Remove a member from a room |
| POST | /api/v1/rooms/{id}/messages | Clerk JWT | Fan-out an encrypted message to room recipients (policy engine evaluated) |
| GET | /api/v1/rooms/{id}/messages | Clerk JWT | Get aggregated message timeline for a room |
Attachments
Encrypted file attachments stored in S3-compatible object storage.
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/attachments/upload | Clerk JWT or Device JWT | Upload an encrypted file attachment |
| GET | /api/v1/attachments/{blob_id} | Clerk JWT or Device JWT | Download an encrypted attachment |
Push Notifications
Register push tokens for mobile notifications.
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/push/register | Clerk JWT | Register an Expo push token |
API Keys
Manage API keys for third-party agent connections (used by @agentvault/client).
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/api-keys | Clerk JWT | Create a new API key (returns raw key once) |
| GET | /api/v1/api-keys | Clerk JWT | List all API keys for the tenant |
| POST | /api/v1/api-keys/{id}/revoke | Clerk JWT | Revoke an API key |
| POST | /api/v1/api-keys/{id}/rotate | Clerk JWT | Rotate an API key (atomic replacement) |
| DELETE | /api/v1/api-keys/{id} | Clerk JWT | Delete an API key and its associated device |
Policies
Policy engine for message governance. Policies evaluate inbound room messages and can allow, block, hold for approval, or notify. Because the server only ever holds ciphertext (see the zero-knowledge principle above), a server-side policy can act only on the metadata a client sends in the clear; content-aware checks belong in the client-side scan rules. A held message is delivered (fan-out proceeds) only once an owner approves it.

| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/policies | Clerk JWT | Create a new policy |
| GET | /api/v1/policies | Clerk JWT | List all policies |
| PATCH | /api/v1/policies/{id} | Clerk JWT | Update a policy |
| DELETE | /api/v1/policies/{id} | Clerk JWT | Delete a policy |
| GET | /api/v1/policies/held-messages | Clerk JWT | List held messages awaiting approval |
| POST | /api/v1/policies/held-messages/{id}/approve | Clerk JWT | Approve a held message (fan-out proceeds) |
| POST | /api/v1/policies/held-messages/{id}/deny | Clerk JWT | Deny a held message |
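An added example of the governance flow above, not AgentVault's policy engine (the page does not give its rule schema): a first-match evaluator with the four documented outcomes, and the held-message approve/deny flow including the 409 case for a message that was already resolved. Assumptions: rules are `{ id, match: { field: value | [values] }, action }`, evaluated in order with a default of allow, and matching is on cleartext metadata only, since the server never sees plaintext bodies.

```javascript
// Added example; not AgentVault's policy engine. ASSUMPTIONS: rule shape
// { id, match: {...}, action }, first match wins, default allow, metadata only.
const ACTIONS = new Set(['allow', 'block', 'hold', 'notify']);

function ruleMatches(match, meta) {
  return Object.entries(match).every(([field, want]) =>
    Array.isArray(want) ? want.includes(meta[field]) : meta[field] === want,
  );
}

function evaluatePolicies(policies, meta) {
  for (const p of policies) {
    if (!ACTIONS.has(p.action)) throw new Error(`policy ${p.id}: unknown action ${p.action}`);
    if (ruleMatches(p.match, meta)) return { action: p.action, policy_id: p.id };
  }
  return { action: 'allow', policy_id: null }; // no rule matched
}

// Held messages awaiting owner approval; approving triggers the deferred fan-out.
class HeldMessages {
  constructor(fanOut) {
    this.fanOut = fanOut;
    this.items = new Map();
  }
  hold(id, frame, meta) {
    this.items.set(id, { frame, meta, state: 'held' });
  }
  listHeld() {
    return [...this.items].filter(([, v]) => v.state === 'held').map(([id]) => id);
  }
  // Mirrors the approve/deny endpoints: 404 unknown, 409 already resolved, 400 bad decision.
  resolve(id, decision) {
    const item = this.items.get(id);
    if (!item) return { status: 404, detail: 'held message not found' };
    if (item.state !== 'held') return { status: 409, detail: `message already ${item.state}` };
    if (decision !== 'approve' && decision !== 'deny') {
      return { status: 400, detail: 'decision must be approve or deny' };
    }
    item.state = decision === 'approve' ? 'approved' : 'denied';
    if (item.state === 'approved') this.fanOut(item.frame, item.meta);
    return { status: 200, detail: item.state };
  }
}

// Entry point for a room message: evaluate, then act on the decision. The frame
// (ciphertext + header_blob) is passed through untouched; only meta is inspected.
function handleRoomMessage({ policies, held, fanOut, notify }, id, frame, meta) {
  const decision = evaluatePolicies(policies, meta);
  switch (decision.action) {
    case 'allow':
      fanOut(frame, meta);
      break;
    case 'notify': // deliver, but tell the owner which policy fired
      notify(decision.policy_id, meta);
      fanOut(frame, meta);
      break;
    case 'hold':
      held.hold(id, frame, meta);
      break;
    case 'block':
      break;
  }
  return decision;
}
```

Order matters in a first-match engine: a block rule for a revoked sender has to sit above a notify rule for urgent priority, otherwise the urgent flag lets a revoked sender's message through with a notification instead of stopping it.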
Hub Identity
DID-based agent identity, trust tiers, capabilities, and verifiable credentials.
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/hub/identities | Clerk JWT | Register a hub identity (`did:hub:<name>`) |
| GET | /api/v1/hub/identities | Clerk JWT | List hub identities for the tenant |
| GET | /api/v1/hub/identities/{id} | Clerk JWT | Get identity details |
| GET | /api/v1/hub/resolve/{address} | None | Public: resolve a hub address to its DID document |
| GET | /api/v1/hub/search | None | Public: search identities by query |
| POST | /api/v1/hub/identities/{id}/certify | Clerk JWT | Run certification checks and upgrade trust tier |
A2A Channels
Agent-to-agent encrypted channels for inter-agent communication.
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/a2a/channels/request | Clerk JWT or API Key | Request a new A2A channel |
| GET | /api/v1/a2a/channels | Clerk JWT or API Key | List A2A channels |
| POST | /api/v1/a2a/channels/{id}/approve | Clerk JWT | Approve a pending A2A channel |
Federation
Cross-tenant federation for bilateral agent agreements.
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/federation/agreements | Clerk JWT | Create a federation agreement |
| GET | /api/v1/federation/agreements | Clerk JWT | List federation agreements |
| POST | /api/v1/federation/agreements/{id}/accept | Clerk JWT | Accept a federation agreement |
Workspaces & Teams
Team workspaces with RBAC and team rooms.
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/workspaces | Clerk JWT or API Key | List workspaces |
| POST | /api/v1/workspaces | Clerk JWT | Create a workspace |
| GET | /api/v1/team-rooms | Clerk JWT or API Key | List team rooms |
| POST | /api/v1/team-rooms | Clerk JWT | Create a team room |
Trust Scores
Behavioral trust scoring for agent identities.
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/trust-scores/{hub_id} | Clerk JWT | Get trust score details for an agent |
| GET | /api/v1/trust-scores/{hub_id}/history | Clerk JWT | Get trust score history |
Telemetry
OTLP-compatible telemetry ingestion and query.
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/telemetry/ingest | Device JWT or API Key | Ingest telemetry spans from an agent |
| GET | /api/v1/telemetry/{hub_id} | Clerk JWT | Query spans for an agent |
| GET | /api/v1/telemetry/{hub_id}/summary | Clerk JWT | Get aggregated telemetry summary |
Scan Rules
Client-side policy scanning rules.
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/scan-rules | Device JWT or API Key | Get the current scan rule set |
Marketplace
Agent rental marketplace with Stripe Connect payments.
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/marketplace/listings | Workspace Auth | Search published listings |
| GET | /api/v1/marketplace/listings/{id} | Workspace Auth | Get listing detail |
| POST | /api/v1/marketplace/listings | Workspace Auth | Create a listing |
| PATCH | /api/v1/marketplace/listings/{id} | Workspace Auth | Update a listing |
| POST | /api/v1/marketplace/listings/{id}/publish | Workspace Auth | Publish a draft listing |
| POST | /api/v1/marketplace/listings/{id}/pause | Workspace Auth | Pause a published listing |
| POST | /api/v1/marketplace/listings/{id}/delist | Workspace Auth | Delist a listing |
Dashboard
Aggregated data for the owner dashboard.
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/dashboard/activity | Clerk JWT | Get recent activity spans |
Audit Log
Structured audit trail for compliance and debugging.
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/audit/events | Clerk JWT | Query audit events |
Settings
Tenant and device configuration.
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/settings | Clerk JWT | Get tenant settings |
| PATCH | /api/v1/settings | Clerk JWT | Update tenant settings |
Decisions
Structured decision requests (approval flows from agent to owner).
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /api/v1/decisions | Clerk JWT | Create a decision request |
| GET | /api/v1/decisions | Clerk JWT | List pending decisions |
| POST | /api/v1/decisions/{id}/resolve | Clerk JWT | Resolve a decision (approve/deny/defer) |
WebSocket
Real-time bidirectional messaging.
| Method | Path | Auth | Description |
|---|---|---|---|
| WS | /api/v1/ws?token=<jwt> | Token in query param | WebSocket connection for real-time messages |

The WebSocket accepts a Clerk JWT, Device JWT, or API Key as the `token` query parameter. Because the token travels in the URL, it can end up in proxy and server access logs and in browser history; prefer a short-lived JWT over a long-lived API key for WebSocket connections where the client has one. Once connected, messages are exchanged as JSON frames of four kinds: Send Message, Receive Message, Typing Indicator, and Heartbeat. The Send Message frame:

```json
{
  "event": "message",
  "data": {
    "conversation_id": "uuid",
    "header_blob": "base64...",
    "ciphertext": "base64...",
    "message_group_id": "uuid",
    "topic_id": "uuid",
    "message_type": "text",
    "priority": "normal"
  }
}
```
The server sends app-level ping events every 30 seconds. Clients must respond with pong to maintain the connection. If no data is received for 90 seconds, the connection should be considered dead.
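An added example, not the @agentvault/client implementation, of the two client-side rules above: answer every server ping with a pong, and treat 90 seconds without any inbound data as a dead connection. It also builds the Send Message frame from already-encrypted bytes, refusing plaintext strings, since `header_blob` and `ciphertext` are opaque to the server. Time and the socket are injected so it runs offline. Assumption: the heartbeat frames are `{"event":"ping"}` and `{"event":"pong"}`; the page names only the events, not their exact shape.

```javascript
// Added example; not the @agentvault/client implementation.
// ASSUMPTION: heartbeat frames are {"event":"ping"} / {"event":"pong"}.
const PING_INTERVAL_MS = 30000; // server cadence, for reference
const DEAD_AFTER_MS = 90000;

class WsLiveness {
  constructor(send, nowMs) {
    this.send = send; // function(frameObject) that writes to the socket
    this.lastDataAt = nowMs;
    this.dead = false;
  }
  // Feed every inbound frame here. Returns the frame for application dispatch,
  // or null when the frame was a heartbeat that this layer consumed.
  onFrame(frame, nowMs) {
    this.lastDataAt = nowMs; // any inbound data counts, not only pings
    if (frame.event === 'ping') {
      this.send({ event: 'pong' });
      return null;
    }
    return frame;
  }
  // Call from a periodic timer. True once the silence window has elapsed.
  check(nowMs) {
    if (!this.dead && nowMs - this.lastDataAt >= DEAD_AFTER_MS) this.dead = true;
    return this.dead;
  }
}

// Build the Send Message frame. header_blob and ciphertext must already be
// encrypted bytes: the server stores them opaquely and never sees plaintext.
function buildMessageFrame({ conversationId, headerBlob, ciphertext, messageGroupId, topicId,
                             messageType = 'text', priority = 'normal' }) {
  if (!Buffer.isBuffer(headerBlob) || !Buffer.isBuffer(ciphertext)) {
    throw new TypeError('header_blob and ciphertext must be encrypted bytes, not strings');
  }
  return {
    event: 'message',
    data: {
      conversation_id: conversationId,
      header_blob: headerBlob.toString('base64'),
      ciphertext: ciphertext.toString('base64'),
      message_group_id: messageGroupId,
      topic_id: topicId,
      message_type: messageType,
      priority,
    },
  };
}

// Constructed timeline: three pings 30 s apart are answered, then the server goes silent.
function simulate() {
  const sent = [];
  const live = new WsLiveness((f) => sent.push(f), 0);
  for (const t of [PING_INTERVAL_MS, 2 * PING_INTERVAL_MS, 3 * PING_INTERVAL_MS]) {
    live.onFrame({ event: 'ping' }, t);
  }
  const aliveAt120s = !live.check(120000); // 30 s of silence: still fine
  const deadAt180s = live.check(180000);   // 90 s of silence: declare dead
  return { pongs: sent.filter((f) => f.event === 'pong').length, aliveAt120s, deadAt180s };
}
```

Counting any inbound frame, not only pings, toward liveness is deliberate: on a busy connection the server's ping may be delayed behind message traffic, and tearing down a socket that is visibly delivering data would cost a reconnect for nothing.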
Legal & Billing
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/v1/legal/terms | None | Get current terms of service |
| GET | /api/v1/billing/plans | None | Get available billing plans |
| GET | /api/v1/capabilities | None | Get platform capabilities |