API Reference

Seven compliance and AI infrastructure products. One API key. Base URL: https://agengate.com

1

Get an API key

Sign up for free at agengate.com/signup — no credit card required. Your key is generated instantly with the prefix ag_live_. Pass it on every authenticated request as the X-API-Key header.

Free plan includes 100 validations/month with all 8 quality gates. Upgrade anytime from the dashboard.

2

Make your first API call

Pass your key as the X-API-Key header on every request.

curl -X POST https://agengate.com/v1/validate \
  -H "X-API-Key: ag_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "agent_output": "Approve $50,000 wire transfer to account 4521...",
    "context": { "domain": "banking", "task_type": "payment",
                 "tier": "T2", "regulatory": true, "ai_touching": true }
  }'

3

Read the response

Every validation returns a status, gate results, and an evidence package.

{
  "id": "val_a1b2c3...",
  "status": "passed",           // "passed" | "failed" | "warning"
  "gates": [
    { "id": "G1", "name": "Code Quality", "passed": true },
    { "id": "G2", "name": "Security",     "passed": true },
    // ... G3–G8
  ],
  "violations": [],
  "recommendations": [],
  "evidence": {
    "packageHash": "sha256:9f86d0...",
    "gateHashes": ["sha256:..."]
  },
  "durationMs": 142
}

4

Explore all 7 products

AgentGate GA · PII Shield GA · AuditTrail GA · BiasGuard Beta · RouteIQ Beta · LearnLoop Preview · VectorVault Preview

// REST API — use directly with any HTTP client
const res = await fetch('https://agengate.com/v1/validate', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': 'ag_live_...'
  },
  body: JSON.stringify({
    content: 'Transfer $50,000 to account 4521...',
    domain: 'banking', tier: 'T2', regulatory: true
  })
});
const result = await res.json();
console.log(result.status); // 'passed' | 'failed' | 'warning'

Auth

Sign up

Create a free account and receive an API key. No credit card required. Returns HTTP 201 with your key on the free (starter) plan.

POST /v1/auth/signup

Create an account. Free plan: 100 validations/month with all quality gates. The API key is returned in the response body — store it securely.

REQUEST BODY ▼

Field	Type	Required	Description
email	string	required	Valid email address. Used as customer identifier.
password	string	required	Minimum 8 characters.
company	string	optional	Company or organisation name.

cURL EXAMPLE ▼

RESPONSE — 201 Created ▼

TRY IT OUT ▼

POST /v1/auth/login

Log in with email and password. Returns the API key for the account. This is a convenience endpoint — the API key itself is the bearer credential.

REQUEST BODY ▼

Field	Type	Required	Description
email	string	required	Registered email address.
password	string	required	Account password.

AgentGate

Validate agent output

Run an agent output through all 8 quality gates and receive a cryptographic SHA-256 evidence chain regardless of outcome.

POST /v1/validate API Key

Validates agent output against compliance gates. Runs G1–G8 based on domain, tier, and regulatory flags. Returns findings, violations, recommendations, and a tamper-evident evidence package.

REQUEST BODY ▼

Field	Type	Required	Description
agent_output	string	required	The raw text output from the agent to validate.
context	object	required	Execution context for the agent.
context.domain	string	required	One of: banking, finance, accounting, legal, compliance, engineering, security, ai, data, brands, suppliers, product.
context.task_type	string	required	Short verb describing the task (e.g. build, analyze, report).
context.tier	string	required	Complexity tier: T1, T2, T3, or T4.
context.regulatory	boolean	required	true if this output touches regulated data or processes.
context.ai_touching	boolean	required	true if the output was produced or processed by an AI model.
gates	string[]	optional	Subset of gate IDs to run (G1–G8). Omit to run all applicable.
evidence	boolean	optional	Include cryptographic evidence chain in response. Default true.
mode	string	optional	Validation mode. One of: `output_validation` (default — validate agent text output), `workflow_validation` (validate a multi-step workflow trace), `policy_review` (check against policy documents), `fairness_audit` (run algorithmic fairness checks).

RESPONSE — 200 OK ▼

cURL EXAMPLE ▼

REST API EXAMPLE ▼

TRY IT OUT ▼

GET /v1/validations/:id API Key

Retrieve a past validation result by its UUID. Returns the full result including gate outcomes and evidence chain.

cURL EXAMPLE ▼

GET /v1/validations API Key

List recent validations. Paginated and filterable by status.

QUERY PARAMETERS ▼

Param	Type	Default	Description
status	string	—	Filter by: passed, failed, warning.
limit	integer	50	Max results per page (max 200).
offset	integer	0	Number of records to skip.

POST /v1/audit-package API Key

Generate a full compliance audit package for a regulation. Packages all evidence with a top-level SHA-256 attestation hash designed for auditability.

REQUEST BODY ▼

Field	Type	Required	Description
regulation	string	required	One of: gdpr, pci-dss, sox, aml, iso27001, eu-ai-act, dora, ccpa, basel, ifrs.
format	string	optional	Export format: `json` (default) or `csv`.

EVIDENCE PACKAGE SCHEMA ▼

Field	Type	Description
packageId	string	Unique identifier for this evidence package (UUID v4).
regulation	string	Regulation assessed (e.g., `gdpr`, `eu-ai-act`).
controlsAssessed	number	Total controls evaluated against this regulation.
controlsPassed	number	Controls that passed validation.
attestationHash	string	Top-level SHA-256 hash computed over all evidence entries. Use this to verify package integrity.
generatedAt	string	ISO 8601 timestamp of package generation.
evidence[]	array	Array of evidence entries, one per control.
evidence[].controlId	string	Control identifier (e.g., `GDPR-A32-ENC`).
evidence[].description	string	Human-readable description of the control.
evidence[].status	string	`pass` \| `fail` \| `not_applicable`
evidence[].hash	string	SHA-256 hash of this evidence entry. Chained: `SHA256(prevHash + entryData)`.
evidence[].checkedAt	string	ISO 8601 timestamp of this check.

GET /v1/regulations API Key

List all supported regulations with jurisdiction, effective date, and control counts.

GET /v1/gates API Key

List all 8 quality gates (G1–G8) with descriptions, check IDs, and applicability rules.

GET /v1/stats API Key

Global and per-key usage statistics: total validations, pass rate, average duration, and per-gate breakdowns.

GET /v1/health

Liveness probe. No authentication required. Use for uptime monitoring and pre-flight checks.

RESPONSE — 200 OK ▼

Billing

Create subscription

Subscribe to any product and plan. Payment is processed immediately via Multicard Mesh (UZS) or Stripe (USD).

POST /v1/billing/subscribe API Key

REQUEST BODY ▼

Field	Type	Required	Description
customer_id	string	required	Customer identifier (email or UUID).
product	string	required	agentgate \| pii-shield \| audittrail \| routeiq \| learnloop \| vectorvault \| biasguard.
plan	string	required	starter \| pro \| enterprise.
billing_cycle	string	required	monthly \| annual.

GET /v1/billing/status API Key

Check whether the authenticated API key has an active subscription and which plan it is on.

GET /v1/billing/usage API Key

Current-period usage and projected cost for the authenticated key.

GET /v1/billing/history API Key

Full payment history for the authenticated API key with invoice IDs, amounts, and statuses.

POST /v1/billing/cancel API Key

Cancel the active subscription for the authenticated key. The subscription remains active until the end of the current billing period. Idempotent.

cURL EXAMPLE ▼

RESPONSE — 200 OK ▼

PII Shield

Scan text for PII

Detect and redact personally identifiable information using composable regex patterns. Supports email, SSN, IBAN, credit cards, passport, phone, IP address, DOB, and custom patterns.

POST /v1/scan API Key

REQUEST BODY ▼

Field	Type	Required	Description
text	string	required	Text to scan. Max 1,000,000 characters.
redact	boolean	optional	Return redacted text alongside findings. Default false.
mode	string	optional	Redaction mode: mask (***) \| hash (sha256) \| type ([EMAIL]) \| remove. Default mask.

cURL EXAMPLE ▼

TRY IT OUT ▼

POST /v1/batch API Key

Scan up to 100 texts in a single request. Accepts the same redact and mode options as /v1/scan.

REQUEST BODY ▼

Field	Type	Required	Description
texts	string[]	required	Array of strings to scan. Max 100 items.
redact	boolean	optional	Redact all matches. Default false.
mode	string	optional	mask \| hash \| type \| remove. Default mask.

POST /v1/patterns API Key

Register a custom PII detection pattern for your workspace. Returns 409 if the pattern ID already exists.

REQUEST BODY ▼

Field	Type	Required	Description
id	string	required	Unique slug (lowercase, hyphens/underscores only).
type	string	required	PII type label (e.g. employee_id).
label	string	required	Display label for [TYPE] redaction mode.
pattern	string	required	JavaScript-compatible regex string.
flags	string	optional	Regex flags (default: gi).

AuditTrail

Tamper-evident audit logging

Every entry is SHA-256 hashed into an append-only chain. Verification walks the chain forward, recomputing each hash. Genesis entry uses previousHash = "0"×64.

POST /v1/log API Key

Append an entry to the tamper-evident audit chain. Returns the entry ID, hash, and chain position.

REQUEST BODY ▼

Field	Type	Required	Description
entity	string	required	Resource type (e.g. payment, user, contract).
action	string	required	Verb (e.g. created, approved, deleted).
actor	string	required	Identity of the actor (user ID, agent name, service account).
data	any	optional	Arbitrary structured payload. Callers are responsible for not including PII.
tags	string[]	optional	Free-form tags for grouping and filtering.

TRY IT OUT ▼

GET /v1/log/:id API Key

Retrieve a specific audit log entry by its UUID, including hash and chain position.

GET /v1/log API Key

List audit entries, newest first. Filterable by entity, action, actor, tags, and time range.

QUERY PARAMETERS ▼

Param	Type	Description
entity	string	Filter by entity type.
action	string	Filter by action verb.
actor	string	Filter by actor identity.
tags	string	Comma-separated tags (all must match).
from	string	ISO 8601 start timestamp.
to	string	ISO 8601 end timestamp.
limit	integer	Max results (default 50, max 200).
offset	integer	Pagination offset (default 0).

POST /v1/verify API Key

Verify hash chain integrity over the full chain or a specific range. Returns the first broken entry ID if tampering is detected.

REQUEST BODY ▼

Field	Type	Required	Description
fromId	string	optional	Start entry UUID. Omit to start from genesis.
toId	string	optional	End entry UUID. Omit to verify to latest.

POST /v1/export API Key

Export audit entries as JSON or CSV with a top-level SHA-256 attestation hash for tamper-evident packaging.

REQUEST BODY ▼

Field	Type	Required	Description
format	string	optional	json \| csv. Default json.
from	string	optional	ISO 8601 start timestamp.
to	string	optional	ISO 8601 end timestamp.
entity	string	optional	Filter by entity type.

RouteIQ

AI task classification & routing

Classify free-text tasks into domains, complexity tiers, and recommended agent chains. Uses keyword-weighted scoring across 12 domains.

POST /v1/classify API Key

Classify a single task. Returns domain assignment, tier (T1–T4), regulatory flag, AI flag, confidence score, and recommended agent routing chain.

REQUEST BODY ▼

Field	Type	Required	Description
task	string	required	Task description in natural language. Max 4,000 characters.
domains	string[]	optional	Hint domains to consider (overrides auto-detection).
context	object	optional	Additional context metadata.

TRY IT OUT ▼

POST /v1/batch-classify API Key

Classify up to 50 tasks in one request. Returns an array of classification results plus batch-level timing statistics.

REQUEST BODY ▼

Field	Type	Required	Description
tasks	string[]	required	Array of task descriptions. Max 50.

GET /v1/domains

List all 12 supported domains with descriptions and applicable regulations. No authentication required.

GET /v1/agents

List all agents grouped by hierarchy level (orchestrator → chief → VP → director → manager → team-lead → specialist → analyst → junior). No authentication required.

LearnLoop

Self-learning reinforcement API

Record state-action-reward learning events. Each API key gets a fully isolated tenant namespace — Thompson Sampling + Q-Learning. Training signal never leaks between tenants.

POST /v1/events API Key

Record a single learning event (state, action, reward) into your tenant's learning namespace.

REQUEST BODY ▼

Field	Type	Required	Description
state	string	required	State identifier (task context, domain, conditions).
action	string	required	Action taken (agent ID, tool, decision).
reward	number	required	Outcome signal. Range -1.0 to 1.0 recommended.
metadata	object	optional	Optional: domain, taskType, agentId for richer Q-state.

POST /v1/batch-events API Key

Record up to 100 learning events in a single call for bulk offline training scenarios.

REQUEST BODY ▼

Field	Type	Required	Description
events	object[]	required	Array of event objects (same schema as /v1/events). Max 100.

POST /v1/recommend API Key

Get the best action for a given state using Thompson Sampling with Q-Table fallback from your tenant's learned model.

REQUEST BODY ▼

Field	Type	Required	Description
state	string	required	Current state for which to recommend an action.
candidates	string[]	required	Available actions to choose from.
context	object	optional	Optional domain and taskType hints.

GET /v1/performance/:id API Key

Retrieve per-agent performance statistics from your tenant's learning namespace. Returns reward history, win rates, and confidence intervals.

VectorVault

Vector memory API

Hybrid semantic search using HNSW ANN + BM25 + recency scoring. Full Ebbinghaus-inspired memory decay. Each tenant gets a fully isolated HNSW index.

POST /v1/memories API Key

Store a memory with content, tier, domain, tags, and importance score. Returns a UUID and the initial strength value.

REQUEST BODY ▼

Field	Type	Required	Description
content	string	required	Memory content to embed and store.
tier	string	optional	core \| working \| episodic \| semantic \| procedural. Default working.
domain	string	optional	Domain tag for filtering.
tags	string[]	optional	Free-form tags.
importance	number	optional	Importance score 0–1. Affects decay rate. Default 0.5.
metadata	object	optional	Arbitrary key-value metadata.

POST /v1/search API Key

Hybrid search combining semantic similarity (HNSW cosine), BM25 keyword matching, and recency scoring. Returns ranked results with relevance scores.

REQUEST BODY ▼

Field	Type	Required	Description
query	string	required	Natural language search query.
topK	integer	optional	Number of results to return. Default 10, max 100.
tier	string	optional	Filter by memory tier.
domain	string	optional	Filter by domain.
minStrength	number	optional	Minimum memory strength (0–1). Filters decayed memories.

TRY IT OUT ▼

GET /v1/memories/:id API Key

Retrieve a memory by ID. Also updates its last-accessed timestamp and decay state.

DELETE /v1/memories/:id API Key

Permanently delete a memory from the tenant's vector store. Returns 204 No Content on success.

POST /v1/consolidate API Key

Run Ebbinghaus memory decay consolidation. Decays low-importance memories not accessed recently. Returns counts of strengthened and decayed memories.

BiasGuard

Algorithmic fairness testing

Computes four regulatory fairness metrics: Disparate Impact Ratio (DIR ≥ 0.80 required), Statistical Parity Difference, Equal Opportunity Difference (EOD ≤ 0.10), and Demographic Parity per group.

POST /v1/bias/audit API Key Coming soon

Run a full bias audit on a prediction dataset. Computes DIR, SPD, EOD, and demographic parity. Returns violations and remediation recommendations. This endpoint is in development and not yet available in production. Use /v1/validate with product: "biasguard" for current bias validation.

REQUEST BODY ▼

Field	Type	Required	Description
predictions	object[]	required	Array of prediction records with id, predicted, actual (optional), and protected_attributes.
protected_attribute	string	required	Attribute to analyse (e.g. gender, race, age_group).
privileged_group	string	required	Value of the privileged group (e.g. male, white).
favorable_outcome	string\|number	optional	Value considered favorable (default 1 / "approved" / "positive").
threshold	number	optional	DIR pass threshold. Default 0.80 (EEOC four-fifths rule).

cURL EXAMPLE ▼

POST /v1/report API Key

Generate a formatted fairness report from a prior audit result. Includes executive summary, metric breakdowns, regulatory citations, and remediation recommendations.

REQUEST BODY ▼

Field	Type	Required	Description
audit_id	string	required	ID returned by a prior /v1/bias/audit call.
format	string	optional	json \| markdown. Default json.

GET /v1/regulations

List all fairness regulations supported by BiasGuard with thresholds, jurisdictions, and applicability rules. No authentication required.

Overrides

Request an override

When a validation fails a gate, authorized users can request an exception with a documented justification. Overrides create an immutable audit trail with SHA-256 hash chaining.

POST /v1/overrides API Key

Create a pending override for a failed gate. Requires review before taking effect. Overrides expire after 90 days.

REQUEST BODY ▼

Field	Type	Required	Description
validation_id	string	required	The validation ID that failed (e.g., `val_a1b2...`).
gate_id	string	required	The gate ID to override (e.g., `G2`, `G5`).
justification	string	required	Documented reason for the exception. Minimum 10 characters.

OVERRIDE LIFECYCLE ▼

GET /v1/overrides API Key

List overrides for your API key. Filter by ?status=pending, ?validation_id=val_..., or ?limit=50.

POST /v1/overrides/:id/review API Key

Approve or reject a pending override. Creates an immutable record in the hash chain.

REQUEST BODY ▼

Field	Type	Required	Description
decision	string	required	`"approved"` or `"rejected"`.
reviewer_email	string	required	Email of the person reviewing the override.
note	string	optional	Reviewer comment explaining the decision.

Webhooks

Register a webhook

POST /v1/webhooks API Key

Register an HTTPS endpoint to receive real-time event notifications. Returns a signing secret — store it securely for signature verification.

REQUEST BODY ▼

Field	Type	Required	Description
url	string	required	HTTPS endpoint URL. Private IPs are blocked (SSRF protection).
events	string[]	optional	Events to subscribe to. Default: all events. See event types below.

EVENT TYPES ▼

Event	Fired when
validation.completed	A validation passes all gates.
validation.failed	A validation fails one or more gates.
quota.warning	Monthly quota reaches 80%.
quota.exceeded	Monthly quota is exhausted.
key.created	A new API key is created.
key.revoked	An API key is revoked.
plan.changed	Plan is upgraded or downgraded.
override.requested	A gate override exception is submitted.
override.approved	A pending override is approved by a reviewer.
override.rejected	A pending override is rejected by a reviewer.

GET /v1/webhooks API Key

List all registered webhooks for your API key. Includes active status and last delivery timestamp.

DELETE /v1/webhooks/:id API Key

Remove a webhook. Only the owner (API key that created it) can delete it.

GET /v1/webhooks/:id/deliveries API Key

View delivery history for a webhook. Returns up to 100 recent deliveries with HTTP status codes and timestamps. Query: ?limit=20.

Signature Verification

Every webhook delivery includes an X-AgentGate-Signature header for authenticity verification.

HOW SIGNING WORKS ▼

1. When you register a webhook, you receive a secret in the response. Store it securely.
2. Each delivery includes the header: X-AgentGate-Signature: sha256=<hex>
3. The signature is HMAC-SHA256(secret, raw_body) — compute it on your end and compare.

VERIFICATION EXAMPLE (Node.js) ▼

DELIVERY HEADERS ▼

Header	Description
X-AgentGate-Signature	`sha256=<hex>` — HMAC-SHA256 of the raw JSON body.
X-AgentGate-Event	Event type (e.g., `validation.completed`).
X-AgentGate-Delivery	Unique delivery ID for deduplication.
Content-Type	`application/json`

RETRY POLICY ▼

Discovery

List products

GET /v1/products Public

List all AgentGate products with maturity status, supported regulations, and quality gate count. No authentication required.

RESPONSE ▼

Field	Type	Description
products[]	array	All products with `id`, `name`, `maturity` (ga/beta/preview), `description`, `apiPrefix`.
regulations[]	array	All supported regulations with `id`, `name`, `jurisdiction`.
qualityGates	number	Total quality gates (currently 8).

Versioning Policy

How we handle API changes, deprecation, and backwards compatibility.

CURRENT VERSION ▼

The current API version is v1. All endpoints are prefixed with /v1/.
We do not plan to release v2 until there is a compelling architectural reason. Instead, we evolve v1 using additive changes.

WHAT WE CONSIDER BREAKING ▼

Change type	Breaking?	How we handle it
Remove a field from response	Yes	Minimum 90-day deprecation notice.
Rename a field	Yes	Old name kept as alias during migration window.
Change field type	Yes	90-day notice + migration guide.
Remove an endpoint	Yes	Minimum 6-month deprecation with `Sunset` header.
Add a new field to response	No	Shipped immediately. Your client should ignore unknown fields.
Add a new endpoint	No	Shipped immediately with documentation.
Add optional request field	No	Shipped immediately. Existing requests unaffected.
Tighten rate limits	Maybe	30-day notice via changelog and webhook.

DEPRECATION PROCESS ▼

STABILITY GUARANTEE ▼

Error Codes

All errors follow RFC 7807 Problem Details. Every error response includes type, title, status, and detail.

AUTHENTICATION ERRORS (401) ▼

Code	HTTP	Description	Fix
MISSING_API_KEY	401	No X-API-Key header provided.	Add `X-API-Key: ag_live_...` header.
INVALID_API_KEY	401	Key is invalid or revoked.	Check key in dashboard. Rotate if compromised.
INVALID_CREDENTIALS	401	Wrong email or password.	Verify credentials. Use /auth/forgot if needed.
UNAUTHORIZED	401	Missing or invalid admin secret.	Admin-only endpoint. Check ADMIN_SECRET env var.

VALIDATION ERRORS (422) ▼

Code	HTTP	Description	Fix
INVALID_INPUT	422	Request body fails schema validation.	Check `detail` field for the specific field that failed.
UNKNOWN_REGULATION	422	Unrecognized regulation ID.	Use GET /v1/regulations to list valid IDs.

RATE LIMITING (429) ▼

Code	HTTP	Description	Fix
QUOTA_EXCEEDED	429	Monthly validation quota exhausted.	Upgrade plan or wait for quota reset on the 1st.
RATE_LIMIT_EXCEEDED	429	Too many requests per second.	Back off and retry with exponential delay.

RESOURCE ERRORS (400/402/403/404) ▼

Code	HTTP	Description	Fix
NOT_FOUND	404	Resource does not exist.	Verify the ID/path. Check for typos.
PLAN_REQUIRED	403	Feature requires a paid plan.	Upgrade at /pricing or /checkout.
PAYMENT_FAILED	402	Payment could not be processed.	Check payment method in Stripe dashboard.
MISSING_URL	400	Webhook URL not provided.	Include `url` in request body.
INVALID_URL	400	Webhook URL is malformed.	Provide a valid HTTPS URL.
INVALID_EMAIL	400	Email address is malformed.	Provide a valid email address.
INVALID_PLAN	400	Unknown plan identifier.	Use: free, starter, pro, enterprise.
INVALID_PRODUCT	400	Unknown product identifier.	Use: agentgate, pii-shield, audittrail, routeiq, learnloop, vectorvault, biasguard.

EXAMPLE ERROR RESPONSE ▼

Rate Limits

Rate limits are enforced per API key. Exceeding the limit returns 429 RATE_LIMIT_EXCEEDED with a Retry-After header.

Plan	Requests/minute	Monthly quota	Burst
Free	10 req/min	100 validations	—
Starter	60 req/min	1,000 validations	Up to 100 req/min burst
Pro	300 req/min	10,000 validations	Up to 500 req/min burst
Enterprise	Custom	Unlimited	Custom

Retry strategy: On 429, wait for the duration in the Retry-After header (seconds). Use exponential backoff with jitter: delay = min(base * 2^attempt + random(0, 1000)ms, 30s).