Skip to main content
POST
http://localhost:8001
/
tokens
/
agent
curl -X POST http://localhost:8001/tokens/agent \
  -H "Content-Type: application/json" \
  -d '{
    "customer_id": "550e8400-e29b-41d4-a716-446655440000",
    "bearer_jti": "8a3b9c4d-e5f6-7890-abcd-1234567890ab",
    "agent_id": "code-review-agent",
    "agent_name": "Code Review Agent",
    "rbac": {
      "allowed_actions": ["data:read:*", "code:review:*"],
      "denied_actions": ["data:write:*"],
      "allowed_resources": ["repo:*"],
      "denied_resources": [],
      "max_sensitivity_level": 3
    },
    "ttl_hours": 24
  }'

{
  "token": "qt_agent_eyJhbGciOiJFUzI1NiIs...",
  "jti": "c1d2e3f4-a5b6-7890-cdef-1234567890ab",
  "agent_id": "code-review-agent",
  "expires_at": "2026-03-02T00:00:00Z"
}
The auth service is deployed on a private network. All endpoints except /health are internal management-plane operations.

Request Body

customer_id
string
required
UUID of the customer.
bearer_jti
string
required
JTI of the parent bearer token. The bearer token must be valid and not revoked.
agent_id
string
required
Unique identifier for the agent instance (e.g., code-review-agent, data-pipeline-v2).
agent_name
string
Human-readable name for the agent.
rbac
object
RBAC policy defining the agent’s permissions. Uses fnmatch glob patterns for action and resource matching.
ttl_hours
integer
Time-to-live in hours. Defaults to 24.

Response

token
string
The agent token string, prefixed with qt_agent_. This is an ES256-signed JWT.
jti
string
Unique token identifier. Used as the parent_agent_jti parameter when creating subagent tokens, or as parent_jti for session tokens.
agent_id
string
The agent identifier echoed back.
expires_at
datetime
ISO 8601 expiration timestamp.
curl -X POST http://localhost:8001/tokens/agent \
  -H "Content-Type: application/json" \
  -d '{
    "customer_id": "550e8400-e29b-41d4-a716-446655440000",
    "bearer_jti": "8a3b9c4d-e5f6-7890-abcd-1234567890ab",
    "agent_id": "code-review-agent",
    "agent_name": "Code Review Agent",
    "rbac": {
      "allowed_actions": ["data:read:*", "code:review:*"],
      "denied_actions": ["data:write:*"],
      "allowed_resources": ["repo:*"],
      "denied_resources": [],
      "max_sensitivity_level": 3
    },
    "ttl_hours": 24
  }'

{
  "token": "qt_agent_eyJhbGciOiJFUzI1NiIs...",
  "jti": "c1d2e3f4-a5b6-7890-cdef-1234567890ab",
  "agent_id": "code-review-agent",
  "expires_at": "2026-03-02T00:00:00Z"
}