> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Register Agent

> Register a new machine agent identity with cryptographic key pair and scoped permissions

# Register Agent

`POST /v1/agents`

Registers a new machine agent identity for the authenticated tenant. The platform generates an Ed25519 key pair for the agent, assigns a MAIP-compliant agent ID, and records the initial key in the key history ledger. Newly registered agents start with `active` status and an initial trust score of `0.500`.

<Note>
  The number of agents you can register depends on your billing plan. If you
  exceed your plan limit, the API returns `402 Payment Required`. Contact sales
  for enterprise-tier agent limits.
</Note>

### Authentication

Requires `X-API-Key` header or Bearer JWT token. Tenant-scoped via `X-Tenant-ID`.

### Request Body

<ParamField body="agent_type" type="string" required>
  The type of machine agent being registered. Determines default behavior and
  audit categorization. One of: `"orchestrator"`, `"worker"`, `"inference"`,
  `"pipeline"`, `"service"`, `"bot"`, `"llm"`. Defaults to `"worker"` if
  omitted.
</ParamField>

<ParamField body="display_name" type="string" required>
  Human-readable name for the agent. Used in dashboards, audit logs, and alert
  notifications. Maximum 256 characters.
</ParamField>

<ParamField body="description" type="string">
  Detailed description of the agent's purpose, capabilities, or operational
  context. Maximum 2048 characters.
</ParamField>

<ParamField body="scopes" type="string[]">
  List of permission scopes granted to the agent. Uses `resource:action` format
  (e.g., `"data:read"`, `"tool:execute"`, `"model:train"`). Use `resource:*` for
  wildcard access. Prefix with `!` to explicitly deny (e.g., `"!data:delete"`).
  Defaults to an empty array if omitted.
</ParamField>

<ParamField body="metadata" type="object">
  Arbitrary key-value metadata attached to the agent. Useful for tagging, cost
  allocation, or integration-specific context. Maximum 16 KB serialized.
</ParamField>

<ParamField body="expires_at" type="string">
  ISO 8601 timestamp for automatic agent expiration. When reached, the agent
  transitions to `revoked` status. Omit for non-expiring agents.
</ParamField>

### Response

<ResponseField name="id" type="string">
  Internal UUID primary key.
</ResponseField>

<ResponseField name="agent_id" type="string">
  MAIP-compliant agent identifier in format `maip:<tenant8>:<ulid>`. Use this value
  in all subsequent API calls referencing this agent.
</ResponseField>

<ResponseField name="tenant_id" type="string">
  UUID of the owning tenant.
</ResponseField>

<ResponseField name="agent_type" type="string">
  The registered agent type.
</ResponseField>

<ResponseField name="display_name" type="string">
  Human-readable agent name.
</ResponseField>

<ResponseField name="description" type="string">
  Agent description, if provided.
</ResponseField>

<ResponseField name="trust_level" type="string">
  Initial trust level. Newly registered agents start at `"authenticated"`.
</ResponseField>

<ResponseField name="trust_score" type="number">
  Numeric trust score (0.0 to 1.0). Newly registered agents start at `0.500`.
</ResponseField>

<ResponseField name="status" type="string">
  Agent lifecycle status. Always `"active"` on creation.
</ResponseField>

<ResponseField name="public_key" type="string">
  Base64url-encoded Ed25519 public key generated for this agent. Store this
  securely for signature verification.
</ResponseField>

<ResponseField name="key_id" type="string">
  Unique identifier for the agent's signing key. Referenced in receipts and
  attestations.
</ResponseField>

<ResponseField name="scopes" type="string[]">
  The effective scopes assigned to the agent.
</ResponseField>

<ResponseField name="metadata" type="object">
  The metadata object, if provided.
</ResponseField>

<ResponseField name="delegation_depth" type="number">
  Current delegation chain depth. Always `0` for directly registered agents.
  Maximum depth is `8` per MAIP protocol.
</ResponseField>

<ResponseField name="created_by_user_id" type="string">
  UUID of the user who registered the agent, if authenticated via user token.
</ResponseField>

<ResponseField name="expires_at" type="string">
  Expiration timestamp, if set.
</ResponseField>

<ResponseField name="created_at" type="string">
  ISO 8601 creation timestamp.
</ResponseField>

<ResponseField name="updated_at" type="string">
  ISO 8601 last-updated timestamp.
</ResponseField>

### Example

```bash theme={null}
curl -X POST https://api.truthlocks.com/v1/agents \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "agent_type": "llm",
    "display_name": "Customer Support Bot",
    "description": "Handles Tier-1 customer support inquiries via chat",
    "scopes": ["data:read", "tool:search.web", "!data:delete"],
    "metadata": {
      "team": "support",
      "model": "claude-3.5-sonnet",
      "environment": "production"
    }
  }'
```


## OpenAPI

````yaml mint-openapi.yaml POST /v1/agents
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/agents:
    post:
      tags:
        - Machine Identity
      summary: Register Agent
      description: >
        Register a new machine agent identity. Returns the agent record
        including

        a generated public key and initial trust score.
      operationId: maip.agents.register
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - agent_type
                - display_name
              properties:
                agent_type:
                  type: string
                  enum:
                    - orchestrator
                    - worker
                    - inference
                    - pipeline
                    - service
                    - bot
                    - llm
                  description: Classification of the agent
                display_name:
                  type: string
                  maxLength: 256
                  description: Human-readable agent name
                description:
                  type: string
                  description: Free-text description of the agent purpose
                scopes:
                  type: array
                  items:
                    type: string
                  description: Permission scopes granted to the agent
                metadata:
                  type: object
                  additionalProperties: true
                  description: Arbitrary key-value metadata
            example:
              agent_type: orchestrator
              display_name: Data Pipeline Orchestrator
              description: Coordinates ETL pipeline agents
              scopes:
                - datasets:read
                - datasets:write
                - models:read
              metadata:
                team: data-engineering
      responses:
        '201':
          description: Agent registered
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MaipAgent'
        '400':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '429':
          description: Rate limit exceeded
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    MaipAgent:
      type: object
      properties:
        id:
          type: string
          format: uuid
        agent_type:
          type: string
          enum:
            - orchestrator
            - worker
            - inference
            - pipeline
            - service
            - bot
            - llm
        display_name:
          type: string
          maxLength: 256
        description:
          type: string
        status:
          type: string
          enum:
            - active
            - suspended
            - revoked
        scopes:
          type: array
          items:
            type: string
        metadata:
          type: object
          additionalProperties: true
        trust_score:
          type: number
          format: float
          minimum: 0
          maximum: 1
        public_key:
          type: string
          description: Base64-encoded public key
        session_count:
          type: integer
        keys:
          type: array
          items:
            type: object
            properties:
              kid:
                type: string
              algorithm:
                type: string
              public_key:
                type: string
              status:
                type: string
                enum:
                  - active
                  - disabled
                  - expired
        created_at:
          type: string
          format: date-time
        updated_at:
          type: string
          format: date-time
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````