Skip to main content

API Reference

Common Response Structure:

{
"code": 0, // 0 for success, non-zero for failure
"message": "ok",
"data": { ... } // Business data, see each API for details
}

Authentication Methods:

CallerAuthenticationRequest Header
Agent ClientNo api_key, Ed25519 self-signingNone
Business Backendapi_key (product_code='agent' app)Authorization: Bearer <api_key>

API List

GroupAPIMethodPathCaller
RegistrationInitiate RegistrationPOST/palm/openai/x/agent/register/initAgent Client
RegistrationPoll Registration StatusPOST/palm/openai/x/agent/register/statusAgent Client
AuthorizationExchange Code for open_idPOST/palm/openai/x/agent/code/exchangeBusiness Backend
VerificationFetch Public Key / Check DevicePOST/palm/openai/x/agent/verify/deviceBusiness Backend
VerificationOnline Signature VerificationPOST/palm/openai/x/agent/verify/signatureBusiness Backend
VerificationInitiate Step-upPOST/palm/openai/x/agent/stepup/createBusiness Backend
VerificationQuery Step-upPOST/palm/openai/x/agent/stepup/queryBusiness Backend

1. Initiate Registration

POST /palm/openai/x/agent/register/init · Agent Client (Ed25519 self-signing)

The Agent generates an Ed25519 key pair locally and signs the message with the private key to prove it holds the key, returning the real person authorization page URL. Message to sign: message = "clawkey-register-" + timestamp_ms.

Request Parameters:

FieldTypeRequiredDescription
AppIdstringYesPublic app_id from the console
DeviceIdstringYesAgent external identity, ^[A-Za-z0-9_-]{1,64}$, immutable after registration
PubkeyDerstringYesbase64(Ed25519 SPKI DER)
MessagestringYesclawkey-register-<timestamp>, must match Timestamp exactly
SignaturestringYesbase64(Ed25519(message)), 64-byte raw signature
Timestampint64YesUnix milliseconds, must be within ±5min of server time

Response data:

FieldTypeDescription
SessionIdstringRegistration session ID, used for subsequent polling
RegistrationUrlstringReal person authorization page URL, pass to the real person
ExpiresAtint64Session expiration timestamp (seconds), TTL 10min

Common Error Codes:

codeDescription
2030140Signature verification failed
2030141Message format error
2030142Timestamp exceeds ±5min
2030143Replay detected (same pubkey + ts already used)
2030144device_id already taken
2030145Public key fingerprint already exists

2. Poll Registration Status

POST /palm/openai/x/agent/register/status · Agent Client

After the real person scans their palm to confirm, the Agent polls with SessionId to obtain the one-time Code (recommended 2s interval).

Request Parameters:

FieldTypeRequiredDescription
SessionIdstringYesSession ID returned by register/init

Response data:

FieldTypeDescription
Statusstringpending / completed / expired / failed
DeviceIdstringEchoed when completed
CodestringOne-time authorization code returned when completed, TTL 5min; open_id is NOT returned

3. Exchange Code for open_id

POST /palm/openai/x/agent/code/exchange · Business Backend (api_key)

The business exchanges the one-time Code for (device_id, open_id), then binds it to the local account. Authorization is truly completed at this point.

Request Parameters:

FieldTypeRequiredDescription
CodestringYesOne-time authorization code passed from the Agent

Response data:

FieldTypeDescription
DeviceIdstringAgent external identity
OpenIdstringReal person owner's per-app identifier
RegisteredboolWhether registration is complete

Code is one-time use. Expired or duplicate redemption returns an error. code.app_id must match the oc_appid corresponding to your api_key, otherwise ErrAgentForbidden.


4. Fetch Public Key / Check Device

POST /palm/openai/x/agent/verify/device · Business Backend (api_key)

Fetch the public key by (device_id, open_id) for local caching (TTL ≤15min) and signature verification. Recommended method.

Request Parameters:

FieldTypeRequiredDescription
DeviceIdstringYesAgent external identity
OpenIdstringNoOptional but strongly recommended: verify the device is bound to this person

Response data:

FieldTypeDescription
RegisteredboolWhether still bound to a real person (false if deactivated/revoked)
DeviceIdstringEchoed
OwnerOpenIdstringReal person owner, provided when Registered=true
PubkeyDerstringbase64(SPKI DER), cache for local signature verification
CreatedAtint64Agent registration timestamp (seconds)

Revocation delay = cache TTL. For faster revocation detection, shorten the TTL, or use online signature verification for critical requests.


5. Online Signature Verification

POST /palm/openai/x/agent/verify/signature · Business Backend (api_key)

Submit the entire Agent signature to Palm for online verification. Agent canonical signing string:

"palmauth-agent-req-v1" + "\n" + device_id + "\n" + method + "\n"
+ path + "\n" + sha256_hex(body_bytes) + "\n" + timestamp_ms + "\n" + nonce

Request Parameters:

FieldTypeRequiredDescription
DeviceIdstringYesAgent external identity
PubkeyDerstringYesbase64(SPKI DER)
MessagestringYesPlaintext to verify (canonical string)
SignaturestringYesbase64(64-byte raw signature)
Timestampint64YesUnix milliseconds, ±5min
NoncestringNoAnti-replay random string

Response data:

FieldTypeDescription
VerifiedboolWhether the signature is valid (cryptographic verification)
RegisteredboolWhether still bound to a real person (DB status, independent of Verified)
DeviceIdstringEchoed
OwnerOpenIdstringReal person owner, provided when Registered=true

6. Initiate Step-up

POST /palm/openai/x/agent/stepup/create · Business Backend (api_key)

Request Parameters:

FieldTypeRequiredDescription
DeviceIdstringYesAgent external identity
ChallengeIdstringYesBusiness-generated UUID v4, idempotency key
ActionstringYesBusiness action identifier, e.g., transfer_money
ActionDetailstringYesPassthrough JSON, ≤512B, displayed to the real person
Levelint32Yes1=async notification only, immediate approval; 2/3=real person must scan palm
NonBlockingboolNoOften true for Level 1

Response data:

FieldTypeDescription
ChallengeIdstringEchoed
ExpiresAtint64Verification expiration timestamp (seconds)
Statusstringpending (Level 2/3) / approved (Level 1)
AssertionJwtstringReturned immediately when approved (Level 1)

Idempotent: submitting the same ChallengeId again returns the existing status, no new verification is created.


7. Query Step-up

POST /palm/openai/x/agent/stepup/query · Business Backend (api_key)

Short-poll for verification results. Returns Assertion JWT once when approved.

Request Parameters:

FieldTypeRequiredDescription
ChallengeIdstringYeschallenge_id from initiation

Response data:

FieldTypeDescription
Statusstringpending / approved / denied / expired
AssertionJwtstringOne-time return when approved