> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Register Tool

> Register a tool in the MAIP tool registry with scope requirements, risk classification, and rate limits

# Register Tool

`POST /v1/tools`

Registers a new tool in the tenant's MAIP tool registry. Tools represent external capabilities (APIs, functions, services) that machine agents can invoke. Each tool is associated with a required scope, risk level, and optional approval gate.

The platform automatically elevates the risk level to `"high"` if the tool name or required scope contains dangerous action verbs (write, delete, send, execute, deploy, destroy, drop, truncate).

<Note>
  Tool names must be unique per tenant. Attempting to register a tool with a
  name that already exists returns `409 Conflict`.
</Note>

### Authentication

Requires `X-API-Key` header or Bearer JWT token. Tenant-scoped via `X-Tenant-ID`.

### Request Body

<ParamField body="name" type="string" required>
  Unique machine-readable name for the tool. Used as the identifier in
  invocation URLs. Must contain only alphanumeric characters, hyphens,
  underscores, and dots. Examples: `"search.web"`, `"crm-contact-lookup"`,
  `"payment_process"`.
</ParamField>

<ParamField body="display_name" type="string" required>
  Human-readable name for the tool, shown in dashboards and approval workflows.
</ParamField>

<ParamField body="description" type="string">
  Detailed description of the tool's functionality, expected inputs, and
  outputs.
</ParamField>

<ParamField body="scope_required" type="string" required>
  The permission scope an agent must have to invoke this tool. Uses
  `resource:action` format (e.g., `"tool:search.web"`, `"data:write"`). The
  agent's scope set is checked against this value at invocation time.
</ParamField>

<ParamField body="risk_level" type="string">
  Risk classification for the tool. One of: `"low"`, `"medium"`, `"high"`,
  `"critical"`. Default: `"medium"`. Automatically elevated to `"high"` if the
  tool name or scope contains dangerous verbs.
</ParamField>

<ParamField body="requires_approval" type="boolean">
  Whether invocations require human approval before execution. Default: `false`.
  Automatically set to `true` for `"critical"` risk tools.
</ParamField>

<ParamField body="rate_limit_per_minute" type="integer">
  Maximum invocations per agent per minute. Default: `60`. Range: 1-10000.
</ParamField>

<ParamField body="category" type="string">
  Organizational category. Default: `"general"`. Examples: `"search"`,
  `"communication"`, `"database"`, `"payment"`, `"analytics"`.
</ParamField>

<ParamField body="metadata" type="object">
  Arbitrary key-value metadata for the tool. Useful for storing endpoint URLs,
  auth configuration, schema references, or integration details.
</ParamField>

### Response

<ResponseField name="id" type="string">
  UUID of the newly registered tool.
</ResponseField>

<ResponseField name="tenant_id" type="string">
  UUID of the owning tenant.
</ResponseField>

<ResponseField name="name" type="string">
  Machine-readable tool name.
</ResponseField>

<ResponseField name="display_name" type="string">
  Human-readable tool name.
</ResponseField>

<ResponseField name="description" type="string">
  Tool description.
</ResponseField>

<ResponseField name="scope_required" type="string">
  Required scope for invocation.
</ResponseField>

<ResponseField name="risk_level" type="string">
  Effective risk classification (may be auto-elevated).
</ResponseField>

<ResponseField name="requires_approval" type="boolean">
  Whether human approval is required.
</ResponseField>

<ResponseField name="rate_limit_per_minute" type="integer">
  Per-agent rate limit.
</ResponseField>

<ResponseField name="category" type="string">
  Tool category.
</ResponseField>

<ResponseField name="status" type="string">
  Tool status. Always `"active"` on creation.
</ResponseField>

<ResponseField name="metadata" type="object">
  Tool metadata.
</ResponseField>

<ResponseField name="created_at" type="string">
  ISO 8601 creation timestamp.
</ResponseField>

<ResponseField name="updated_at" type="string">
  ISO 8601 last-updated timestamp.
</ResponseField>

### Example

```bash theme={null}
curl -X POST https://api.truthlocks.com/v1/tools \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "search.web",
    "display_name": "Web Search",
    "description": "Performs web searches via SerpAPI and returns structured results",
    "scope_required": "tool:search.web",
    "risk_level": "low",
    "rate_limit_per_minute": 30,
    "category": "search",
    "metadata": {
      "endpoint_url": "https://serpapi.com/search",
      "auth_type": "api_key",
      "max_results": 10
    }
  }'
```

***

### Risk Level Auto-Elevation

The platform scans tool names and scope requirements for dangerous action verbs. If detected, the risk level is automatically elevated:

| Detected Verb                  | Auto-Elevation       |
| ------------------------------ | -------------------- |
| `write`, `delete`, `send`      | Elevated to `"high"` |
| `execute`, `deploy`, `destroy` | Elevated to `"high"` |
| `drop`, `truncate`             | Elevated to `"high"` |

Tools with `"critical"` risk level always require human approval regardless of the `requires_approval` setting.


## OpenAPI

````yaml mint-openapi.yaml POST /v1/tools
openapi: 3.0.3
info:
  title: Truthlocks API
  description: >
    Truthlocks is a universal verification infrastructure for documents,
    credentials, and digital assets.

    This specification defines the canonical API for interacting with Truthlocks
    services.


    ## Base URLs

    - **Production**: `https://api.truthlocks.com`

    - **Sandbox**: `https://sandbox-api.truthlocks.com`


    ## Authentication

    - **API Keys**: Use `X-API-Key` header for machine-to-machine operations

    - **Bearer Tokens**: Use `Authorization: Bearer <jwt>` for user-initiated
    operations


    ## Tenant Identity

    In production, tenant identity is derived from the authenticated context
    (API key or JWT).

    The `X-Tenant-ID` header is ignored in production to prevent spoofing.
  version: 1.0.0
  contact:
    name: Truthlocks Support
    url: https://truthlocks.com/support
    email: support@truthlocks.com
servers:
  - url: https://api.truthlocks.com
    description: Production API
  - url: https://sandbox-api.truthlocks.com
    description: Sandbox Environment
security:
  - APIKey: []
tags:
  - name: Authentication
    description: API key and token management
  - name: Issuers
    description: Issuer registration and trust management
  - name: Keys
    description: Cryptographic key management for issuers
  - name: Attestations
    description: Attestation lifecycle (mint, revoke, supersede)
  - name: Verification
    description: Attestation verification and proof bundles
  - name: Governance
    description: Issuer governance workflows (admin only)
  - name: Identity
    description: Organization, user, and role management
  - name: Audit
    description: Audit event queries
  - name: Platform
    description: Platform administration (super admin only)
  - name: Platform Review
    description: Staff review workflows for issuer applications
  - name: Tenant Console
    description: Tenant profile and lifecycle endpoints
  - name: Health
    description: Service health and readiness endpoints
  - name: Risk
    description: Risk signal ingestion and fraud detection
  - name: Risk Enforcement
    description: Risk enforcement actions — block, challenge, quarantine, and configuration
  - name: Billing
    description: Billing, subscription, and addon management
  - name: Machine Identity
    description: >-
      Machine Agent Identity Protocol (MAIP) — agent registration, sessions,
      trust, witness, compliance, orchestration, and observability
externalDocs:
  description: Transparency read-only API (separate service spec)
  url: >-
    https://github.com/truthlocks/truthlock/blob/main/docs/transparency/openapi.yaml
paths:
  /v1/tools:
    post:
      tags:
        - Machine Identity
      summary: Register Tool
      description: >
        Registers a callable tool that agents can invoke. The tool schema
        defines

        the expected input arguments using JSON Schema.
      operationId: maip.tools.register
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - name
                - agent_id
              properties:
                name:
                  type: string
                  description: Unique tool name
                description:
                  type: string
                  description: Human-readable tool description
                schema:
                  type: object
                  additionalProperties: true
                  description: JSON Schema defining the tool input arguments
                agent_id:
                  type: string
                  format: uuid
                  description: Owning agent
            example:
              name: sentiment-analysis
              description: Analyzes text sentiment
              schema:
                type: object
                properties:
                  text:
                    type: string
                required:
                  - text
              agent_id: 550e8400-e29b-41d4-a716-446655440000
      responses:
        '201':
          description: Tool registered
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MaipTool'
        '400':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
        '429':
          description: Rate limit exceeded
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
      security:
        - APIKey: []
components:
  schemas:
    MaipTool:
      type: object
      properties:
        tool_id:
          type: string
          format: uuid
        name:
          type: string
        description:
          type: string
        schema:
          type: object
          additionalProperties: true
        agent_id:
          type: string
          format: uuid
        created_at:
          type: string
          format: date-time
    ErrorEnvelope:
      type: object
      required:
        - code
        - message
        - http_status
      properties:
        code:
          type: string
          description: Machine-readable error code
          enum:
            - AUTH_REQUIRED
            - AUTH_INVALID
            - PERMISSION_DENIED
            - TENANT_IDENTITY_UNVERIFIED
            - NOT_FOUND
            - VALIDATION_ERROR
            - CONFLICT
            - PAYLOAD_TOO_LARGE
            - RATE_LIMIT_EXCEEDED
            - QUOTA_EXCEEDED
            - SERVICE_UNAVAILABLE
            - INTERNAL_ERROR
        message:
          type: string
          description: Human-readable error message
        http_status:
          type: integer
          description: HTTP status code
        retry_after_ms:
          type: integer
          description: Milliseconds to wait before retrying (for rate limits)
        details:
          type: object
          description: Additional error context
      example:
        code: AUTH_REQUIRED
        message: Authentication required
        http_status: 401
  securitySchemes:
    APIKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key for machine-to-machine authentication

````