Overview
Authorization requests (internally called “claims” for compatibility) represent an agent’s request to access a service within a namespace. The lifecycle:- Submit - Service submits authorization request on behalf of agent
- Pending - Namespace owner reviews request
- Approve/Reject - Owner makes decision
- Revoke - Owner can revoke previously approved authorization
Submit Authorization Request
Submit an authorization request on behalf of an agent.
Authentication
Service API key as Bearer token.
content-digest.
Request Body
Target namespace identifier (3-64 characters).Example:
acme-corpAgent’s Ed25519 public key (format:
ed25519:<base64>).Example: ed25519:LS0tLS1CRUdJTi...Service slug (must match authenticated service).Example:
my-serviceIP address of the agent making the request.Example:
203.0.113.45Unique nonce for replay protection (8-256 characters).Example:
abc123xyz789Subject identifier for user-scoped policies (1-256 characters).Example:
[email protected]Agent identifier (1-128 characters).Example:
agent-001Human-readable agent name (1-128 characters).Example:
Production AgentResponse
Unique claim identifier.
Current claim status:
pending, approved, rejected.- Returns 200 with
approvedorpendingif claim already exists - Returns 201 if new claim created
Service slug.
Human-readable status message.
Example Request
Error Responses
| Status | Code | Description |
|---|---|---|
| 400 | INVALID_REQUEST | Invalid request body or parameters |
| 401 | SIGNATURE_INVALID | Invalid signature or API key |
| 403 | FORBIDDEN | Service slug mismatch |
| 404 | NOT_FOUND | Namespace or service not found |
| 409 | CONFLICT | Conflicting claim state |
| 503 | SERVICE_UNAVAILABLE | Database unavailable |
Get Authorization Request
Retrieve details for a specific authorization request.
Path Parameters
Claim identifier.
Response
Returns full claim details (see response schema in Namespaces).Example Request
Error Responses
| Status | Description |
|---|---|
| 401 | Not authenticated |
| 403 | Not authorized for this namespace |
| 404 | Claim not found |
Approve Authorization Request
Approve a pending authorization request.
Path Parameters
Claim identifier to approve.
Response
Claim identifier.
Will be
approved.Number of approved agents in this namespace.
Maximum number of agents allowed in this namespace.
Blockchain transaction status:
queued (if blockchain enabled).Example Request
Error Responses
| Status | Description |
|---|---|
| 401 | Not authenticated |
| 403 | Not authorized for this namespace |
| 404 | Claim not found |
| 409 | Claim already approved or in invalid state |
Reject Authorization Request
Reject a pending authorization request.
Path Parameters
Claim identifier to reject.
Response
Claim identifier.
Will be
rejected.Example Request
Error Responses
| Status | Description |
|---|---|
| 401 | Not authenticated |
| 403 | Not authorized for this namespace |
| 404 | Claim not found |
Revoke Authorization
Revoke an approved authorization.
Path Parameters
Claim identifier to revoke.
Response
Claim identifier.
Will be
revoked.Blockchain transaction status:
queued (if blockchain enabled).Example Request
Error Responses
| Status | Description |
|---|---|
| 401 | Not authenticated |
| 403 | Not authorized for this namespace |
| 404 | Claim not found |
| 409 | Claim not in approved state |
Webhook Events
When configured, services receive webhook notifications for authorization lifecycle events:request.submitted- New authorization request createdrequest.approved- Authorization request approvedrequest.rejected- Authorization request rejectedrequest.revoked- Authorization revokedrequest.expired- Authorization expired