
Authentication

All policy endpoints require admin authentication via the x-admin-key header.
curl -H "x-admin-key: your-admin-key" https://api.example.com/admin/policy
Admin endpoints use a dedicated rate limiter: 30 requests per minute per IP.

Get All Agent Policies

curl -X GET https://api.example.com/admin/policy \
  -H "x-admin-key: your-admin-key"
{
  "success": true,
  "policies": [
    {
      "agentId": "oracle",
      "frozen": false,
      "dailyLimitUsd": 1.0,
      "perCallLimitUsd": 0.05,
      "allowedEndpoints": ["/api/x402/oracle/"],
      "allowedPayTo": ["0x1234..."],
      "updatedAt": "2026-03-03T10:30:00.000Z",
      "updatedBy": "[email protected]"
    }
  ]
}
Response Fields
  • success (boolean, required): Whether the request succeeded
  • policies (array, required): Array of agent policy objects

Get Single Agent Policy

curl -X GET https://api.example.com/admin/policy/oracle \
  -H "x-admin-key: your-admin-key"
Path Parameters
  • agentId (string, required): Agent ID (oracle, scout, news, yield, tokenomics, nft, perp)
{
  "success": true,
  "policy": {
    "agentId": "oracle",
    "frozen": false,
    "dailyLimitUsd": 1.0,
    "perCallLimitUsd": 0.05,
    "allowedEndpoints": ["/api/x402/oracle/"],
    "allowedPayTo": ["0x1234..."],
    "updatedAt": "2026-03-03T10:30:00.000Z",
    "updatedBy": "[email protected]"
  }
}

Freeze/Unfreeze Agent

curl -X POST https://api.example.com/admin/policy/oracle/freeze \
  -H "x-admin-key: your-admin-key" \
  -H "x-admin-user: [email protected]" \
  -H "Content-Type: application/json" \
  -d '{
    "frozen": true
  }'
Path Parameters
  • agentId (string, required): Agent ID to freeze/unfreeze
Headers
  • x-admin-key (string, required): Admin API key for authentication
  • x-admin-user (string): Optional admin user identifier for audit logging
Request Body
  • frozen (boolean, required): Set to true to freeze the agent, false to unfreeze
  • updatedBy (string): Optional admin identifier (alternative to x-admin-user header)
{
  "success": true,
  "policy": {
    "agentId": "oracle",
    "frozen": true,
    "dailyLimitUsd": 1.0,
    "perCallLimitUsd": 0.05,
    "allowedEndpoints": ["/api/x402/oracle/"],
    "allowedPayTo": ["0x1234..."],
    "updatedAt": "2026-03-03T10:35:00.000Z",
    "updatedBy": "[email protected]"
  }
}
When an agent is frozen, all incoming requests return HTTP 423 (Locked) with the message ” is frozen by policy”.

Update Agent Policy

curl -X PATCH https://api.example.com/admin/policy/oracle \
  -H "x-admin-key: your-admin-key" \
  -H "x-admin-user: [email protected]" \
  -H "Content-Type: application/json" \
  -d '{
    "dailyLimitUsd": 5.0,
    "perCallLimitUsd": 0.1,
    "allowedEndpoints": ["/api/x402/oracle/price", "/api/x402/oracle/prices"],
    "allowedPayTo": ["0x1234...", "0x5678..."]
  }'
Path Parameters
  • agentId (string, required): Agent ID to update
Headers
  • x-admin-key (string, required): Admin API key
  • x-admin-user (string): Optional admin user for audit trail
Request Body
All fields are optional. Only include fields you want to update.
  • frozen (boolean): Freeze or unfreeze the agent
  • dailyLimitUsd (number): Maximum daily spend limit in USD. Must be >= 0.
  • perCallLimitUsd (number): Maximum per-call spend limit in USD. Must be >= 0.
  • allowedEndpoints (string[]): Array of allowed endpoint path prefixes. Empty array blocks all endpoints.
  • allowedPayTo (string[]): Array of allowed payment recipient addresses (case-insensitive).
  • updatedBy (string): Admin identifier for audit logging (alternative to header)
{
  "success": true,
  "policy": {
    "agentId": "oracle",
    "frozen": false,
    "dailyLimitUsd": 5.0,
    "perCallLimitUsd": 0.1,
    "allowedEndpoints": ["/api/x402/oracle/price", "/api/x402/oracle/prices"],
    "allowedPayTo": ["0x1234...", "0x5678..."],
    "updatedAt": "2026-03-03T10:40:00.000Z",
    "updatedBy": "[email protected]"
  }
}

Error Responses

{
  "success": false,
  "error": "Unauthorized"
}
{
  "success": false,
  "error": "Unsupported agentId: invalid-agent"
}
{
  "success": false,
  "error": "Database connection failed"
}

Policy Enforcement

Policies are enforced in the following order:
  1. Frozen check - If agent is frozen, return 423 immediately
  2. Endpoint allowlist - Request path must match an allowed prefix
  3. Per-call limit - Quoted price must not exceed perCallLimitUsd
  4. PayTo allowlist - Payment recipient must be in allowedPayTo array
  5. Daily limit - Total daily spend + reserved budget must not exceed dailyLimitUsd
Policy updates take effect immediately. Frozen agents will reject all in-flight requests.
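
The enforcement order above written as a pure function, added here as an illustration and not the service's own code. `evaluatePolicy`, the `req` and `usage` shapes, the `step` labels, the integer micro-USD comparison and counting the current quote toward the reserved budget are all assumptions of this example.

```javascript
// Added example: the documented five-step order as a pure function.
// Names other than the policy fields are hypothetical.

// Compare money as integer micro-USD so float drift cannot flip a limit check.
const toMicro = (usd) => Math.round(usd * 1e6);

function evaluatePolicy(policy, req, usage) {
  // 1. Frozen check: the only step with a documented status code (423).
  if (policy.frozen) {
    return { allowed: false, step: "frozen", status: 423 };
  }
  // 2. Endpoint allowlist: prefix match on an already-normalized path.
  //    An empty array matches nothing, so it blocks every endpoint.
  if (!policy.allowedEndpoints.some((p) => req.path.startsWith(p))) {
    return { allowed: false, step: "endpoint" };
  }
  // 3. Per-call limit on the quoted price.
  if (toMicro(req.priceUsd) > toMicro(policy.perCallLimitUsd)) {
    return { allowed: false, step: "perCall" };
  }
  // 4. PayTo allowlist, compared case-insensitively.
  const payTo = req.payTo.toLowerCase();
  if (!policy.allowedPayTo.some((a) => a.toLowerCase() === payTo)) {
    return { allowed: false, step: "payTo" };
  }
  // 5. Daily limit: spend + reserved budget.
  //    Assumption: this call's quote is added to the reserved amount.
  const projected = toMicro(usage.spentUsd) + toMicro(usage.reservedUsd) +
    toMicro(req.priceUsd);
  if (projected > toMicro(policy.dailyLimitUsd)) {
    return { allowed: false, step: "daily" };
  }
  return { allowed: true, step: null };
}

// Constructed sample data; the address is a placeholder, not a real recipient.
const SAMPLE_POLICY = {
  agentId: "oracle", frozen: false, dailyLimitUsd: 1.0, perCallLimitUsd: 0.05,
  allowedEndpoints: ["/api/x402/oracle/"],
  allowedPayTo: ["0xAbC0000000000000000000000000000000000001"],
};
const SAMPLE_REQ = {
  path: "/api/x402/oracle/price", priceUsd: 0.05,
  payTo: "0xabc0000000000000000000000000000000000001",
};
```

Because step 2 is a plain prefix match, an entry without a trailing slash such as /api/x402/oracle/price also admits /api/x402/oracle/prices; end entries with a slash when a sibling route must stay blocked.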

Default Policies

When an agent is first initialized, it receives these default values:
  • frozen: false
  • dailyLimitUsd: 1.0 (from X402_POLICY_DAILY_LIMIT_USD env var)
  • perCallLimitUsd: 0.05 (from X402_POLICY_PER_CALL_LIMIT_USD env var)
  • allowedEndpoints: Agent-specific route prefixes (e.g., /api/x402/oracle/)
  • allowedPayTo: Agent’s seller address from configuration
  • updatedBy: "system-default"
