> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Invoke Tool

> Request tool invocation with scope validation, rate limiting, and audit receipt generation

# Invoke Tool

`POST /v1/tools/{toolName}/invoke`

Requests invocation of a registered tool on behalf of a machine agent. The platform performs a multi-layer access control check before granting access:

1. **Agent status** -- agent must be `"active"`
2. **Scope check** -- agent must hold the tool's required scope
3. **Rate limit** -- agent must not exceed the tool's per-minute rate limit
4. **Approval gate** -- if the tool requires approval, invocation is deferred to the approval queue

If all checks pass, the invocation is recorded with a cryptographic receipt linking the agent, tool, and session for full audit traceability.

<Info>
  This endpoint performs the **access control decision** and generates an audit
  receipt. It does not proxy the actual tool execution. Your application is
  responsible for calling the tool's underlying endpoint after receiving an
  `"allowed"` response.
</Info>

### Authentication

Requires `X-API-Key` header or Bearer JWT token. Tenant-scoped via `X-Tenant-ID`.

### Path Parameters

<ParamField path="toolName" type="string" required>
  The registered tool name (e.g., `"search.web"`, `"crm-contact-lookup"`).
</ParamField>

### Request Body

<ParamField body="agent_id" type="string" required>
  The MAIP agent identifier requesting the tool invocation (e.g.,
  `maip:t1234567:01HYX3KPZQ7RJGBN0WFMV8SDEH`).
</ParamField>

<ParamField body="session_id" type="string">
  The active session ID, if the invocation is scoped to a session. Optional but
  recommended for full audit trail linkage.
</ParamField>

### Response

<ResponseField name="allowed" type="boolean">
  Whether the invocation was authorized. `true` if all access control checks
  passed.
</ResponseField>

<ResponseField name="status" type="string">
  Invocation status. One of: `"allowed"`, `"denied"`, `"pending_approval"`.
</ResponseField>

<ResponseField name="reason" type="string">
  Human-readable explanation when the invocation is denied or pending. Not
  present when allowed.
</ResponseField>

<ResponseField name="receipt_id" type="string">
  Unique receipt identifier for the invocation, linking to the audit trail. Only
  present when `status` is `"allowed"`.
</ResponseField>

<ResponseField name="requires_approval" type="boolean">
  `true` when the tool requires human approval and the invocation is queued.
  Only present when `status` is `"pending_approval"`.
</ResponseField>

<ResponseField name="approval_id" type="string">
  Identifier for the pending approval request. Use this to check approval status
  or to approve/reject via the approvals API. Only present when `status` is
  `"pending_approval"`.
</ResponseField>

### Example: Allowed Invocation

```bash theme={null}
curl -X POST https://api.truthlocks.com/v1/tools/search.web/invoke \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "maip:t1234567:01HYX3KPZQ7RJGBN0WFMV8SDEH",
    "session_id": "maip-sess:a1b2c3d4:9f8e7d6c5b4a3210"
  }'
```

***

### Access Control Flow

```
POST /v1/tools/{name}/invoke
  |
  +-- Is agent active?
  |     No  --> { allowed: false, status: "denied", reason: "agent is not active" }
  |
  +-- Does agent have required scope?
  |     No  --> { allowed: false, status: "denied", reason: "agent lacks required scope: ..." }
  |
  +-- Is rate limit exceeded?
  |     Yes --> { allowed: false, status: "denied", reason: "rate limit exceeded" }
  |
  +-- Does tool require approval?
  |     Yes --> { allowed: false, status: "pending_approval", requires_approval: true }
  |
  +-- Create receipt + record invocation
        --> { allowed: true, status: "allowed", receipt_id: "..." }
```

### Integration Pattern

After receiving an `"allowed"` response, execute the tool and optionally record the outcome:

```bash theme={null}
# 1. Request invocation authorization
RESPONSE=$(curl -s -X POST https://api.truthlocks.com/v1/tools/search.web/invoke \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{"agent_id": "maip:t1234567:01HYX3KPZQ7RJGBN0WFMV8SDEH"}')

ALLOWED=$(echo "$RESPONSE" | jq -r '.allowed')
RECEIPT_ID=$(echo "$RESPONSE" | jq -r '.receipt_id')

# 2. Execute the tool if authorized
if [ "$ALLOWED" = "true" ]; then
  RESULT=$(curl -s "https://serpapi.com/search?q=example&api_key=...")
  echo "Tool executed. Receipt: $RECEIPT_ID"
fi
```


## OpenAPI

````yaml mint-openapi.yaml POST /v1/tools/{toolName}/invoke
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/tools/{toolName}/invoke:
    post:
      tags:
        - Machine Identity
      summary: Invoke Tool
      description: |
        Invokes a registered tool within a session context. Returns the result
        along with a receipt ID for auditability and execution timing.
      operationId: maip.tools.invoke
      parameters:
        - name: toolId
          in: path
          required: true
          schema:
            type: string
            format: uuid
          description: Tool identifier
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - session_id
                - arguments
              properties:
                session_id:
                  type: string
                  format: uuid
                  description: Active session to invoke under
                arguments:
                  type: object
                  additionalProperties: true
                  description: Tool input arguments matching the tool schema
      responses:
        '200':
          description: Tool invocation result
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MaipToolInvocationResult'
        '400':
          description: Validation error or schema mismatch
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '404':
          description: Tool or session not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '429':
          description: Rate limit exceeded
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    MaipToolInvocationResult:
      type: object
      properties:
        result:
          type: object
          additionalProperties: true
        receipt_id:
          type: string
          format: uuid
        execution_ms:
          type: integer
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````