Skip to main content
Full OpenAPI spec at GET /v1/openapi.json. This page is a human-readable overview.

Discovery and health

GET /.well-known/sint.json

Protocol discovery endpoint.

GET /v1/health

Returns 200 when the gateway can answer requests. Returns 503 during startup or if a critical dependency is unavailable.

GET /v1/ready

Returns 200 only when the gateway has fully initialized (ledger connected, revocation store warm, bridges registered).

Tokens

POST /v1/tokens

Issue a new capability token.

POST /v1/tokens/delegate

Attenuate an existing token. Child scope must be a subset of parent.

POST /v1/tokens/revoke

Revoke a token. Takes effect within configured propagation window (default 5 seconds).

Intercept

POST /v1/intercept

The primary policy evaluation endpoint.
Alternative decisions: BLOCK, ESCALATE (returns approvalId), DEFER.

POST /v1/intercept/batch

Multi-request intercept. Returns 207 Multi-Status with per-request decisions.

Approvals

GET /v1/approvals/pending

List pending approval requests for the caller’s sponsor role.

POST /v1/approvals/{approvalId}/resolve

Approve or deny a pending escalation.

GET /v1/approvals/events

Server-Sent Events stream for real-time approval events.

GET /v1/approvals/ws

WebSocket equivalent for lower-latency operator UIs.

Ledger

GET /v1/ledger

Query evidence ledger events.

POST /v1/ledger/verify

Verify hash-chain integrity over a range.

Metrics and compliance

GET /v1/metrics

Prometheus metrics for the gateway.

GET /v1/compliance/tier-crosswalk

Machine-readable compliance mapping (IEC 62443 / EU AI Act / NIST AI RMF / ISO 42001).

Authentication

All endpoints require Ed25519-signed requests. Clients sign the canonicalized request body plus a timestamp nonce with their private key; the gateway verifies against the DID-resolved public key. The SDKs handle signing transparently. See SDKs.

Rate limiting

  • Per-agentDID: 1,000 intercepts/minute default; configurable per deployment.
  • Per-sponsorDID: 60 approval resolves/minute.
  • Per-operatorDID: 100 Console writes/minute.
Exceeding limits returns 429 Too Many Requests with a Retry-After header.

Versioning

All endpoints are versioned at /v1/. Breaking changes increment the major version. See changelog for version history.