Standard docs

Gate Agent API Reference

All core agent endpoints, request schemas, response objects, webhooks, signed approval tokens, tool rules, and error handling in one place.

Use your own Gate URL and agent key

The Gate URL shown in examples is a placeholder. Each customer supplies their own STACKSONA_GATE_URL, usually shaped like https://{gate-id}.stacksona.cloud, and their own agent key. Agent keys are Bearer tokens, are created when an agent is registered, and start with sg_.

Base URL and authentication

Every agent API request uses the same base URL and authorization pattern.

ValueWhat it meansExample placeholder
STACKSONA_GATE_URLYour Stacksona Gate endpoint. Hosted Gate domains use your assigned Gate ID.https://{gate-id}.stacksona.cloud
STACKSONA_API_KEYYour agent key. It is sent as a Bearer token and starts with sg_.sg_your_agent_key
bash
export STACKSONA_GATE_URL="https://{gate-id}.stacksona.cloud"
export STACKSONA_API_KEY="sg_your_agent_key"
http
Authorization: Bearer sg_your_agent_key
Content-Type: application/json

API keys are shown only once at creation and are hashed before storage. If a key is lost, regenerate it from Admin → Agents → Regenerate key.

Endpoint overview

MethodPathPurpose
POST/api/agent/tasks/{taskID}/eventsLog a task event into the reviewer timeline. Also used for revision events.
POST/api/agent/tasks/{taskID}/requestsAsk Gate whether the agent may proceed with a proposed action.
GET/api/agent/decisionsPoll for a decision by thread_id or task_id.
POST/api/agent/approvals/validateValidate a one-time signed approval token before executing a gated tool.
POSTYour webhook URLReceive outbound decision notifications from Gate when a reviewer decides.

First successful call

Start here when building a direct API, HTTP node, webhook, sidecar, or platform recipe. Send the proposed action to Gate before the workflow executes the risky step.

bash
curl -X POST "$STACKSONA_GATE_URL/api/agent/tasks/task-abc-123/requests" \
  -H "Authorization: Bearer $STACKSONA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_name": "Customer Support",
    "task_label": "Refund request - Order #8821",
    "tool_name": "issue_refund",
    "subject": "Issue refund of $500 to customer cus_99",
    "preview": "Item never arrived per carrier.",
    "risk_level": "high",
    "summary": [
      "Order placed 14 days ago via web",
      "No tracking movement after day 2",
      "1 prior refund in past 12 months"
    ],
    "payload": {
      "amount": 500,
      "currency": "usd",
      "order_id": "ord_8821",
      "customer_id": "cus_99"
    }
  }'

1. Log an event

Use events to give reviewers context throughout the task lifecycle.

FieldRequiredDescription
event_typeYesDot-separated event type, such as task.started or step.completed. For revisions, use revision.{taskID}.{threadID}.
event_summaryYesHuman-readable summary shown in the reviewer timeline.
payloadNoAny JSON object with extra context.
imagesNoArray of base64-encoded images. Images auto-attach to the event.
bash
curl -X POST "$STACKSONA_GATE_URL/api/agent/tasks/task-abc-123/events" \
  -H "Authorization: Bearer $STACKSONA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "event_type": "task.started",
    "event_summary": "Customer requested refund for order #8821",
    "payload": {
      "customer_id": "cus_99",
      "order_id": "ord_8821"
    },
    "images": ["data:image/png;base64,iVBORw0KG..."]
  }'
Response

201 Created with an empty body.

Revision events

Use revision events when a reviewer asks the agent to change a pending request before approval. The agent sends another event to the same pending review thread with the updated request payload.

Revision scope

Revision events only apply while the target thread is still awaiting a reviewer decision, such as needs_review or escalated. Once a thread is approved or denied, that decision is final for the thread.

json
{
  "event_type": "revision.task-abc-123.THR-XXXXXXXX",
  "event_summary": "Agent revised the request after reviewer feedback.",
  "payload": {
    "revision": {
      "revision_id": "rev-002",
      "workflow_name": "Customer Support",
      "task_label": "Refund request - Order #8821",
      "tool_name": "issue_refund",
      "subject": "Approve conditional refund for customer cus_99",
      "preview": "Refund releases only after the prepaid return label is scanned.",
      "risk_level": "high",
      "summary": [
        "Reviewer requested a conditional refund",
        "Agent revised the proposal to wait for return-label scan"
      ],
      "request_payload": {
        "amount": 500,
        "currency": "usd",
        "release_condition": "return_label_scanned"
      }
    }
  }
}

The revision payload should include a stable revision_id, the updated request fields, and the revised tool payload that Gate should evaluate through the standard decision rules. Each new revision supersedes the earlier pending revision on that thread.

2. Request a decision

Use this endpoint at the action point. Gate evaluates the request against tool rules and either auto-decides or creates a review thread.

FieldRequiredDescription
workflow_nameYesName of the workflow running the task.
task_labelYesShort label shown to reviewers.
tool_nameYesExact name of the registered tool.
subjectYesOne-line description shown as the thread title.
previewNoShort text shown in the thread list.
risk_levelNolow, medium, high, or critical.
summaryNoArray of context bullet points shown to the reviewer before logs.
payloadNoTool parameters. Matched against rules and shown to the reviewer.
imagesNoArray of base64-encoded images. Images auto-attach to the request.

Response fields

FieldDescription
statusallow, reject, or pending_review.
thread_idGate thread ID. Present when a review thread was created.
task_idYour original task ID.
messageHuman-readable reason or decision message.
recommended_poll_after_secondsSuggested interval before polling again.
Decision handling

If the response is allow, proceed immediately. If it is reject, do not execute. If it is pending_review, poll or wait for a webhook before continuing.

3. Poll for a decision

Use polling for short review loops or as a fallback when webhooks fail.

Query parameterDescription
thread_idPreferred. Returned by the decision request.
task_idAlternative to thread_id.
bash
curl "$STACKSONA_GATE_URL/api/agent/decisions?thread_id=THR-4F2A9C1B" \
  -H "Authorization: Bearer $STACKSONA_API_KEY"

Polling response

FieldTypeDescription
statusstringapproved or rejected for completed reviews. Pending states may continue while the reviewer has not decided.
thread_idstringGate thread ID.
task_idstringYour original task ID.
messagestringReviewer or system message.
approval_tokenstringReturned only for approved decisions when signed tokens are enabled.
token_expires_atRFC3339 stringUTC expiry timestamp for the approval token.

4. Validate a signed approval token

Use this endpoint when signed approval tokens are enabled for an agent. Do not execute the gated tool until server-side validation succeeds.

FieldRequiredDescription
task_idYesThe task ID bound to the approved decision.
signatureYesThe one-time approval token returned by Gate.
bash
curl -X POST "$STACKSONA_GATE_URL/api/agent/approvals/validate" \
  -H "Authorization: Bearer $STACKSONA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "task_id": "task-abc-123",
    "signature": "APPROVAL_TOKEN"
  }'
Fail closed

If validation fails, returns invalid, times out, or the token is missing, do not execute the gated tool. Log the failure and request a fresh decision.

Signed approval tokens

When signed approval tokens are enabled in Admin → Agents, every approved decision includes a single-use token. Your agent sends that token back to Gate for validation before executing the gated tool.

RuleMeaning
Enabled per agentOnly agents with signed tokens enabled receive approval tokens.
Approved onlyTokens are returned only for approved outcomes, not rejected outcomes.
One-time useTokens are tied to the specific approval decision and protected against replay.
Server-side validationDo not validate or consume approval tokens locally.

Decision flow and statuses

Status/actionMeaningWorkflow behavior
allowAuto-allowed by rule. No thread is created.Proceed immediately.
reviewHuman reviewer must decide in the inbox.Wait for polling or webhook result.
escalateReview with elevated priority flag.Wait for elevated review.
rejectAuto-rejected by rule. No thread is created.Do not proceed.
pending_reviewA review thread was created.Poll or use webhook callback.
approvedReviewer approved.Execute, and validate token first if signed tokens are enabled.
rejectedReviewer rejected.Do not execute.

Decision action priority is allow < review < escalate < reject. Configure higher-risk rules above broad allow rules so sensitive actions do not pass unintentionally.

Tool rules

Rules auto-decide based on parameters in the request payload. If no rule matches, the tool's default action applies.

Rule typeComparesExample
upper_limitNumeric value exceeds threshold{"parameter":"amount","value":250,"action":"review"}
lower_limitNumeric value is below threshold{"parameter":"confidence","value":0.8,"action":"allow"}
betweenValue falls between two numbers, inclusive{"parameter":"amount","min":250,"max":1000,"action":"review"}
containsString contains substring, case-insensitive{"parameter":"reason","value":"fraud","action":"reject"}
regexString matches regex pattern{"parameter":"email","pattern":".*@competitor\\.com$","action":"review"}
  1. 1
    Create or open a tool.

    Go to Admin → Tools, then select the tool that maps to the agent action.

  2. 2
    Add a rule.

    Select the rule type, parameter, threshold or pattern, and action.

  3. 3
    Match payload keys exactly.

    The rule parameter must match a key in the request payload, such as amount, email, or reason.

Webhooks

Configure a webhook URL per agent in Admin → Agents → Update transport. Gate posts to that URL when a reviewer decides.

json
{
  "thread_id": "THR-4F2A9C1B",
  "task_id": "task-abc-123",
  "decision": "approved",
  "message": "Approved. Verified with customer history.",
  "tenant_id": "<your-tenant-uuid>",
  "workflow_name": "Customer Support",
  "task_label": "Refund request - Order #8821"
}
Retry behavior

Gate retries up to 3 times on non-2xx responses. For critical workflows, implement polling as a fallback.

Response object fields

FieldTypeDescription
statusstringallow, reject, pending_review, approved, or rejected.
thread_idstringGate thread ID. Present when a review thread was created.
task_idstringYour task ID.
messagestringHuman-readable explanation.
recommended_poll_after_secondsintegerSuggested polling interval.
approval_tokenstringOne-time token returned only on approved decisions when signed tokens are enabled.
token_expires_atRFC3339 stringUTC expiry timestamp for approval_token.

Errors

StatusMeaning
400Missing required fields or invalid parameter.
401Missing or invalid API key.
403API or polling disabled, or the agent is paused or revoked.
404Thread or task ID not found for this agent.
500Server-side error. Contact your Gate administrator.

Most errors are returned as plain text. Token validation errors from POST /api/agent/approvals/validate are returned as JSON, for example {"valid": false, "reason": "invalid"}. Always check the HTTP status code first.