POST http://localhost:8001/tokens/subagent
curl -X POST http://localhost:8001/tokens/subagent \
  -H "Content-Type: application/json" \
  -d '{
    "customer_id": "550e8400-e29b-41d4-a716-446655440000",
    "parent_agent_jti": "c1d2e3f4-a5b6-7890-cdef-1234567890ab",
    "agent_id": "lint-subagent",
    "agent_name": "Lint Subagent",
    "rbac": {
      "allowed_actions": ["code:read:*"],
      "denied_actions": ["data:write:*", "code:deploy:*"],
      "allowed_resources": ["repo:frontend"],
      "denied_resources": [],
      "max_sensitivity_level": 2
    },
    "ttl_hours": 4
  }'
{
  "token": "qt_subagent_eyJhbGciOiJFUzI1NiIs...",
  "jti": "d2e3f4a5-b6c7-8901-def0-234567890abc",
  "agent_id": "lint-subagent",
  "delegation_depth": 1,
  "expires_at": "2026-03-01T04:00:00Z"
}
The auth service is deployed on a private network. All endpoints except /health are internal management-plane operations.

Request Body

customer_id (string, required): UUID of the customer.
parent_agent_jti (string, required): JTI of the parent agent token. The agent token must be valid and not revoked.
agent_id (string, required): Unique identifier for the sub-agent instance.
agent_name (string): Human-readable name for the sub-agent.
rbac (object): RBAC policy for the sub-agent. Must be a subset of the parent agent’s RBAC; permission escalation is rejected with a 400 error.
ttl_hours (integer): Time-to-live in hours. Defaults to 4. Maximum delegation depth is 3 (configurable via AUTH_MAX_DELEGATION_DEPTH).
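
A client-side pre-flight check for the subset rule on rbac, as an added example that is not part of the original page or the auth service's code. The pattern semantics (":"-separated segments with "*" wildcards), the rule that parent denies must be carried over, and the parent policy shown are assumptions; the service's own 400 response remains authoritative.

```python
# Added example: client-side pre-flight check, not the auth service's code.
# Assumed semantics: ":"-separated patterns, "*" matches one segment, and a
# trailing "*" matches all remaining segments.
def covers(broad, narrow):
    """True if pattern `broad` matches everything pattern `narrow` matches."""
    b, n = broad.split(":"), narrow.split(":")
    for i, seg in enumerate(b):
        if seg == "*" and i == len(b) - 1:
            return len(n) > i            # trailing wildcard covers the rest
        if i >= len(n) or (seg != "*" and seg != n[i]):
            return False
    return len(b) == len(n)

def escalations(parent, child):
    """List the ways `child` RBAC exceeds `parent`; empty list means subset."""
    problems = []
    for kind in ("actions", "resources"):
        p_allow = parent.get(f"allowed_{kind}", [])
        c_deny = child.get(f"denied_{kind}", [])
        for pat in child.get(f"allowed_{kind}", []):
            if not any(covers(p, pat) for p in p_allow):
                problems.append(f"allowed_{kind}: {pat} not granted by parent")
        for pat in parent.get(f"denied_{kind}", []):
            if not any(covers(c, pat) for c in c_deny):
                problems.append(f"denied_{kind}: parent deny {pat} dropped")
    if child.get("max_sensitivity_level", 0) > parent.get("max_sensitivity_level", 0):
        problems.append("max_sensitivity_level exceeds parent")
    return problems

# Constructed parent policy; the sub-agent policy is the request body above.
PARENT = {
    "allowed_actions": ["code:*"],
    "denied_actions": ["code:deploy:*"],
    "allowed_resources": ["repo:frontend", "repo:docs"],
    "denied_resources": [],
    "max_sensitivity_level": 3,
}
LINT = {
    "allowed_actions": ["code:read:*"],
    "denied_actions": ["data:write:*", "code:deploy:*"],
    "allowed_resources": ["repo:frontend"],
    "denied_resources": [],
    "max_sensitivity_level": 2,
}

if __name__ == "__main__":
    print(escalations(PARENT, LINT))
    print(escalations(PARENT, {**LINT, "allowed_actions": ["data:read:*"]}))
```

Running the check before the POST gives a readable reason for a rejection instead of a bare 400, and the same function can be reused at each level of the delegation chain.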

Response

token (string): The subagent token string, prefixed with qt_subagent_. This is an ES256-signed JWT.
jti (string): Unique token identifier.
agent_id (string): The sub-agent identifier echoed back.
delegation_depth (integer): Current delegation depth in the token chain. Starts at 1 for direct sub-agents of an agent token.
expires_at (datetime): ISO 8601 expiration timestamp.