Documentation

Agents API

PATCH /api/v1/agents/

Updates an agent's properties.

Token revocation on deactivation (Wave 1.5)

When active is set to false, the server now immediately revokes all existing OAuth tokens issued to that agent's client_id in addition to blocking new token issuance.

This ensures the UI promise is kept: "Deactivating will prevent new tokens and revoke all active tokens."

Audit event: agent.deactivated_with_revocation is written with metadata:

```json
{ "revoked_token_count": <number> }
```

Previously issued tokens will return active: false on introspection and 401 on protected resource requests as soon as the PATCH completes.

Request body

| Field | Type | Description |
|---|---|---|
| name | string | Agent display name |
| description | string | Agent description |
| active | boolean | false deactivates + revokes tokens |
| scopes | string[] | Allowed OAuth scopes |
| token_lifetime | integer | Token TTL in seconds |
| metadata | object | Arbitrary key/value metadata |

Response

Returns the updated agent object (200 OK) or 404 if not found.


POST /api/v1/agents//rotate-dpop-key

Rotates the DPoP keypair binding for an agent. The caller supplies the new public key JWK; the server records it as the new cnf.jkt for future token issuance and revokes all tokens bound to the old key.

Auth: Admin API key required (Authorization: Bearer sk_live_...).

Request body

```json
{
  "new_public_jwk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "<base64url>",
    "y": "<base64url>"
  },
  "reason": "scheduled rotation 2026-04-26"
}
```

| Field | Type | Required | Description |
|---|---|---|---|
| new_public_jwk | object | yes | New public key in JWK format (EC P-256, RSA, or OKP) |
| reason | string | no | Audit-log reason string |

Response (200 OK)

```json
{
  "old_jkt": "aB3kQ...",
  "new_jkt": "xZ9mR...",
  "revoked_token_count": 3,
  "audit_event_id": "audit_abc123"
}
```

| Field | Type | Description |
|---|---|---|
| old_jkt | string | RFC 7638 SHA-256 thumbprint of the replaced key (empty if none was stored) |
| new_jkt | string | RFC 7638 SHA-256 thumbprint of the new key |
| revoked_token_count | integer | Number of tokens revoked (bound to the old key) |
| audit_event_id | string | ID of the emitted agent.dpop_key_rotated audit event |
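
A caller can confirm that the rotation recorded the intended key by computing the RFC 7638 thumbprint locally and comparing it with new_jkt (and old_jkt with the thumbprint it held before). This is an added example, not code from this API or its SDK; the function names, the constructed sample key, and the refusal of JWKs that carry a private `d` member are assumptions of the example.

```python
import base64
import hashlib
import json

# Required members per key type: RFC 7638 section 3.2 (EC, RSA), RFC 8037 (OKP).
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """Return the RFC 7638 SHA-256 thumbprint (base64url, no padding)."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    if "d" in jwk:
        # Assumed client-side guard: only public keys belong in the request.
        raise ValueError("JWK contains private member 'd'")
    members = {}
    for name in REQUIRED_MEMBERS[kty]:
        value = jwk.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError(f"missing or non-string member: {name}")
        members[name] = value
    # Canonical form: required members only, sorted keys, no whitespace.
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_rotation_response(submitted_jwk, response, known_old_jkt=None):
    """Compare a rotate-dpop-key response with locally held key state."""
    problems = []
    if response.get("new_jkt") != jwk_thumbprint(submitted_jwk):
        problems.append("new_jkt does not match the submitted key")
    if known_old_jkt is not None and response.get("old_jkt") != known_old_jkt:
        problems.append("old_jkt does not match the key we expected to replace")
    if not response.get("audit_event_id"):
        problems.append("no audit_event_id returned")
    return problems


# Constructed sample key (not a real key; x and y are filler values).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "kid": "demo",
              "x": "A" * 43, "y": "B" * 43}
```

An empty list from check_rotation_response means the response agrees with the key that was submitted; extra members such as kid do not affect the thumbprint.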

Error responses

| Status | Error code | Meaning |
|---|---|---|
| 400 | invalid_request | Missing or malformed JSON body |
| 400 | invalid_jwk | new_public_jwk is not a valid JWK |
| 401 | | Missing or invalid admin API key |
| 404 | not_found | Agent not found |

Audit event

Emits agent.dpop_key_rotated with metadata:

```json
{
  "old_jkt": "...",
  "new_jkt": "...",
  "revoked_token_count": 3,
  "reason": "..."
}
```