The Gateway API is Paybond's public access layer. Use it to sign users in, exchange machine credentials for short-lived access, verify protocol artifacts, manage trusted agent keys, export compliance evidence, review disputes, configure settlement and guardrail settings, and retrieve tenant-scoped Signal data.
- Transport: HTTPS. Protected routes require authenticated Paybond credentials; public verification and discovery routes are called out below.
- Tenant scope: where a route accepts
x-tenant-id, it must match the authenticatedtidclaim. Request-body organization identifiers are treated only as hints. - Environment scope: live/sandbox environment is derived from the authenticated credential and tenant row, never from a client-selected header. Sandbox provider behavior is simulated and does not move live money or call live provider paths.
What Gateway covers
Identity and access
Gateway signs users in, refreshes sessions, supports SSO, and exchanges machine credentials for Harbor access.
| Method | Path | Auth | Description |
|---|---|---|---|
POST | /v1/public/auth/login/start | Public | Start the email challenge for password sign-in. |
POST | /v1/public/auth/challenges/verify | Public | Complete a sign-in or signup email challenge and return session tokens when successful. |
POST | /v1/auth/refresh | Session | Rotate the current session token. |
POST | /v1/auth/logout | Session | End the current session. |
GET | /v1/auth/principal | Session | Return the authenticated principal, including organization, roles, and entitlements. |
GET | /v1/auth/environments | Session | List the current user's live/sandbox tenant workspaces for the active organization. |
POST | /v1/auth/environment/switch | Session | Mint access and refresh tokens for another granted tenant environment in the same organization. |
POST | /v1/auth/harbor-access | Machine credential | Exchange machine credentials for a short-lived Harbor token. |
GET | /v1/auth/sso/initiate | Public | Start a tenant-configured OIDC or SAML sign-in flow. |
GET | /v1/auth/sso/metadata | Public | Publish Paybond SAML service-provider metadata for IdP setup. |
GET | /v1/auth/sso/callback | Public | Complete the OIDC callback and establish a session. |
POST | /v1/auth/sso/callback | Public | Complete the SAML callback and establish a session. |
POST | /v1/auth/support-session | Session | Issue a time-boxed support session with audited permissions. |
GET | /v1/admin/api-keys | Session | List tenant API keys with their credential-derived environment and optional expiry. |
POST | /v1/admin/api-keys | Session | Create a service-account API key; the one-time api_key value is environment-visible. |
DELETE | /v1/admin/api-keys/{api_key_id} | Session | Revoke one tenant API key. |
POST | /v1/admin/api-keys/{api_key_id}/rotate | Session | Rotate one tenant API key and return an environment-visible replacement once. |
API keys use visible prefixes such as paybond_sk_live_... and paybond_sk_sandbox_.... Gateway derives the authoritative environment from storage and rejects a prefix that does not match the tenant row. Environment-less paybond_sk_<key_id>_<secret> keys are not accepted.
Protocol verification and discovery
Gateway publishes discovery documents and verification routes for delegated agent workflows, and it lets tenant admins manage the trusted agent keys those checks rely on.
| Method | Path | Auth | Description |
|---|---|---|---|
GET | /.well-known/agent-card.json | Public | Publish the Paybond A2A discovery card. |
GET | /protocol/v2/a2a/agent-card | Public | Gateway-local alias for the same discovery card. |
GET | /protocol/v2/a2a/task-contracts | Public | Publish the task-contract catalog used for delegated workflows. |
GET | /protocol/v2/a2a/task-contracts/{contract_id} | Public | Return one published task contract by identifier. |
POST | /protocol/v2/mandates/verify | Public | Verify a signed AgentMandateV1 envelope and return its normalized digest and body. |
POST | /protocol/v2/recognition/verify | Public | Verify a replay-safe AgentRecognitionProofV1 against the expected purpose, verifier context, and request envelope. |
POST | /protocol/v2/receipts/verify | Public | Verify either a ProtocolAuthorizationReceiptV1 or a ProtocolSettlementReceiptV1. |
POST | /protocol/v2/mandates | Session or machine token | Import a signed AgentMandateV1, bind it to a Harbor intent exactly once, and return a signed ProtocolAuthorizationReceiptV1. |
GET | /protocol/v2/receipts/{receipt_id} | Session or machine token | Return the signed ProtocolSettlementReceiptV1 for a previously imported mandate once the related Harbor intent reaches a protocol-terminal state. |
GET | /v1/admin/protocol/agent-keys | Session | List trusted agent keys for the authenticated organization. |
POST | /v1/admin/protocol/agent-keys | Session | Register or update an active trusted agent key. |
POST | /v1/admin/protocol/agent-keys/{key_id}/revoke | Session | Revoke a trusted agent key. |
Settlement configuration
Use these routes to manage the settlement settings Paybond applies for an organization. Tenant admins can update them, while read-only principals can inspect the current configuration.
Supported allowed_rails values are stripe_connect, stripe_ach_debit, and x402_usdc_base. Both Stripe rails require an active server-owned linked Stripe destination. stripe_ach_debit also requires that destination's ACH debit capability to be marked ready. x402_usdc_base requires the canonical Base receive address for the tenant environment.
Sandbox tenants use Paybond simulator destinations instead of live provider destinations. When an admin switches the console to the sandbox tenant, settlement routing can include stripe_ach_debit with the Paybond sandbox Stripe sentinel and no real Stripe test-mode key or Connect account. Live tenants remain gated on a linked Stripe destination whose ACH debit capability is marked ready.
| Method | Path | Description |
|---|---|---|
GET | /v1/admin/settlement/config | Return the active settlement configuration plus linked Stripe destination state. |
PUT | /v1/admin/settlement/config | Create a new immutable configuration version after rail and address validation. |
GET | /v1/admin/settlement/config/history | List recent configuration versions for audit and history views. |
Guardrails and audit trail
Tenant guardrail policy versions are immutable control-plane rows that configure Gateway-side policy governance. Read routes require Harbor read access; writes require tenant_admin or the tenant.admin entitlement and write a redacted audit event in the same database operation.
Gateway evaluates the active guardrail policy before forwarding Harbor policy lifecycle mutations (create draft, publish, deprecate, retire, rollback) and Harbor intent creation. In enforce mode, disallowed raw predicates, disallowed policy templates, and max intent amount violations are denied before Harbor receives the request. In observe mode, Gateway forwards the request but writes a redacted audit event with decision=observed_violation; if that audit write fails, the mutation fails closed with 503.
Rollback calls through /harbor/policy/v1/rollback require template_id, target_seq, expected_current_head_seq, expected_target_digest_hex, a human reason, and confirm: true. Gateway fetches Harbor’s current managed-policy versions before forwarding and returns 428 for missing confirmation preconditions, 400 for a missing/short reason, or 409 when the current head or target digest no longer matches. Rejected rollback attempts and confirmed rollback requests write redacted guardrail.policy_rollback audit events before any mutation is forwarded; if that pre-forward audit write is unavailable, Gateway returns 503. Gateway also writes a best-effort outcome event after Harbor responds without masking a completed upstream rollback response.
Tenant guardrail rate limits apply to guardrail_policy_mutation, policy_lifecycle_mutation, policy_sandbox_preview_test, and harbor_intent_mutation. Defaults are 20/hour for guardrail policy saves, 30/minute for policy lifecycle mutations, 120/minute for policy preview/test, and 120/minute for Harbor intent mutations. Tenants can override these groups with rate_limit_profile, keyed by route group with { "limit": <positive integer>, "window_seconds": <positive integer> }. Override values are bounded to limit <= 1000000 and window_seconds <= 86400. Existing auth, export, and webhook defaults stay route-specific, but authenticated scopes can be overridden with the existing limiter scope key such as auth_support_session, compliance_export_create, compliance_bundle_download, dispute_arbitration_export, admin_webhook_endpoint_mutation, or admin_webhook_endpoint_test; fraud-velocity limits keep their dedicated limiter.
A 429 response uses the standard Gateway JSON error envelope and includes Retry-After, RateLimit, and RateLimit-Policy headers. High-signal denials are written as redacted tenant audit events with hashed bucket keys; raw IPs, tokens, emails, DIDs, and request bodies are never stored in the abuse bucket or exported guardrail artifacts.
| Method | Path | Description |
|---|---|---|
GET | /v1/admin/guardrails/policy | Return the active guardrail policy for the authenticated tenant, or an unconfigured default envelope. |
GET | /v1/admin/guardrails/policy/history | List recent immutable guardrail policy versions for the authenticated tenant. |
PUT | /v1/admin/guardrails/policy | Insert a new guardrail policy version with mode, allowed templates, amount rules, lifecycle confirmations, and rate-limit profile JSON. |
GET | /v1/admin/audit-events | List redacted tenant audit events. Supports limit, event_type, resource, decision, request_id, idempotency_key_sha256_hex, created_after, and created_before. |
Sandbox simulator
Sandbox tenants can rehearse intent lifecycle and webhook flows without provider calls or live credentials. Simulator events require authenticated sandbox tenant context, derive tenant/environment/livemode fields server-side, compute a deterministic idempotency key, and write both simulated ledger and audit rows. The simulator accepts settlement_rail: "stripe_ach_debit" so tenants can exercise the ACH routing and delayed-funding UX in admin; that is separate from Paybond's optional engineering test target that calls Stripe test-mode ACH APIs with STRIPE_SECRET_KEY.
| Method | Path | Description |
|---|---|---|
POST | /v1/sandbox/simulator/events | Record a sandbox simulator event for funding, release, refund, void, dispute open/resolve, or webhook rehearsal. Live tenant credentials and live provider material are rejected. |
Sandbox guardrails
Sandbox guardrail routes are the Gateway-backed first-integration path documented in One-command guardrails. They require an authenticated sandbox service-account API key, derive tenant scope from the bearer credential, reject caller-supplied tenant fields (including x-tenant-id), and never accept live provider material. Gateway signs a Harbor intent, forwards create/evidence to Harbor with the derived tenant header, records matching simulator ledger/audit rows, and returns the fields Kit scaffolds expect (tenant_id, intent_id, capability_token, operation, requested_spend_cents, sandbox_lifecycle_status).
| Method | Path | Description |
|---|---|---|
POST | /v1/sandbox/guardrails/bootstrap | Create and fund a sandbox guardrail intent for one paid-tool operation. Returns a capability token for spendGuard / spend_guard authorization before tool work runs. |
POST | /v1/sandbox/guardrails/{intent_id}/evidence | Submit sandbox evidence for a bootstrap intent. Returns updated sandbox_lifecycle_status and predicate evaluation metadata. |
Compliance exports and ledger verification
Compliance exports package signed evidence for audits, partner reviews, and dispute handoffs. Exports can include Signal provenance, disputes, settlement records, Harbor snapshots, guardrail policy/audit JSONL artifacts, and verification artifacts. Gateway also forwards tenant-scoped Harbor continuity checks and verifier-pack workflows; it does not expose Harbor's raw paginated ledger event stream.
| Method | Path | Description |
|---|---|---|
POST | /v1/compliance/audit-exports | Create an export job and return metadata plus a short-lived download token. |
GET | /v1/compliance/audit-exports | List export jobs for the authenticated organization. |
GET | /v1/compliance/audit-exports/{job_id} | Job status; pass ?issue_download=1 to mint a fresh download JWT. |
POST | /v1/compliance/audit-exports/{job_id}/verify | Re-verify the stored ZIP, signed manifest, and listed artifact digests for one export job. |
DELETE | /v1/compliance/audit-exports/{job_id} | Revoke the job and remove the stored bundle. |
GET | /v1/compliance/audit-exports/{job_id}/bundle?token=… | Download the ZIP stream with the export download token. |
GET | /v1/compliance/ledger/verify | Run a Harbor ledger continuity check and return explicit pass/fail guidance. |
GET | /v1/compliance/ledger/verifier-pack | Download the current Harbor verifier pack for offline validation. |
POST | /v1/compliance/ledger/verifier-pack/verify | Re-verify an exported ledger verifier pack without direct Harbor sled access. |
Dispute cases
Gateway adds organization-scoped case management around Harbor's dispute lifecycle.
| Method | Path | Description |
|---|---|---|
POST | /v1/disputes/cases | Create a dispute case. |
POST | /v1/disputes/cases/link-disputed-intent | Link an already-open Harbor dispute to a case row. |
GET | /v1/disputes/cases | List cases (status, intent_id, limit, offset). |
GET | /v1/disputes/cases/{case_id} | Case detail with evidence refs and notes. |
POST | /v1/disputes/cases/{case_id}/resolve | Resolve with outcome and rationale. |
POST | /v1/disputes/cases/{case_id}/assign | Assign ownership within the tenant. |
POST | /v1/disputes/cases/{case_id}/evidence | Attach evidence reference. |
POST | /v1/disputes/cases/{case_id}/notes | Append a dispute note. |
GET | /v1/disputes/cases/{case_id}/export/arbitration | Rate-limited signed arbitration package. |
Signal proxies
Gateway is also the public access layer for Signal scoring, reputation receipts, and portfolio artifacts. For the full Signal route map, see Signal API.
| Method | Path | Description |
|---|---|---|
GET | /reputation/{operator_did} | Signed operator receipt (optionally ?score_version=). |
GET | /signal/v1/overview | Portfolio rollups and current scores. |
GET | /signal/v1/review-queue | Tenant-scoped review queue with fraud severity filter/sort support. |
GET | /signal/v1/operators/{operator_did}/trend | Append-only score snapshots. |
GET | /signal/v1/operators/{operator_did}/explanation | Signed “why did this move?” delta plus confidence metadata. |
GET | /signal/v1/operators/{operator_did}/review-status | Explicit review state, maturity tier, annotations, friction metadata, and fraud assessment. |
POST | /signal/v1/operators/{operator_did}/review-events | Authenticated review workflow or outcome feedback request, with optional signal-level context. |
GET | /signal/v1/operators/{operator_did}/score-model-versions | Historical score_version rows preserved per operator. |
GET | /signal/v1/fraud-signals | Score-neutral fraud signals plus per-operator release-gate decisions. |
GET | /signal/v1/fraud/metrics | Tenant-scoped fraud backtesting and monitoring metrics (?window=24h|7d|30d). |
GET | /signal/v1/fraud/release-gate | Tenant release-gate config and metrics reliability. |
PUT | /signal/v1/fraud/release-gate | Tenant-admin release-gate mode update (review_only or critical_hold with tenant and signal-family reliability). |
GET | /signal/v1/fairness | Tenant-scoped processing and fairness posture for the current Signal assignment slice. |
GET | /signal/v1/shadow-readiness | Advanced shadow-readiness evidence for operational review, not partner-facing sharing. |
GET | /signal/v1/portfolio/summary | Tenant-wide aggregates. |
GET | /signal/v1/portfolio/signed-export | Signed portfolio artifact. |
GET | /audit | Tenant-scoped Signal provenance events (?operator_did=&limit=&offset=). |
Harbor proxies
Gateway exposes selected Harbor routes under the /harbor prefix for teams that want one authenticated API surface for both access control and intent operations. See Harbor API for the Harbor route map and private upstream-only ledger endpoints.
Selected Harbor write routes are recognition-gated:
| Method | Path | Description |
|---|---|---|
POST | /harbor/intents | Create a Harbor intent after recognition verification succeeds. |
POST | /harbor/intents/{intent_id}/fund | Fund an existing Harbor intent after recognition verification succeeds. |
POST | /harbor/intents/{intent_id}/evidence | Submit evidence after recognition verification succeeds. |
POST | /harbor/intents/{intent_id}/settlement/confirm | Confirm a Harbor settlement after recognition verification succeeds. |
POST | /harbor/operator/v1/intents/{intent_id}/dispute/open | Open a Harbor dispute after recognition verification succeeds. |
POST | /harbor/operator/v1/intents/{intent_id}/dispute/resolve | Resolve a Harbor dispute after recognition verification succeeds. |
For /harbor/intents and /harbor/policy/v1/* lifecycle mutations, Gateway also applies the authenticated tenant's active guardrail policy before forwarding upstream. Guardrail denials return 403 guardrail_violation; audit persistence failures return 503 guardrail_audit_unavailable.
Administrative settlement operations
These routes support settlement status refreshes and webhook triage for admins and audited support users.
| Method | Path | Description |
|---|---|---|
POST | /v1/stripe/reconcile | Refresh Stripe settlement status for the authenticated tenant. |
GET | /v1/stripe/webhook-health | Return recent webhook delivery and replay health. |
GET | /v1/stripe/webhook-failures | List failed webhook rows for triage. |
GET | /v1/admin/webhook-endpoints | List tenant/environment-scoped Paybond webhook endpoints. |
POST | /v1/admin/webhook-endpoints | Create a webhook endpoint and return its signing secret once. |
GET | /v1/admin/webhook-endpoints/{endpoint_id}/deliveries | List recent delivery attempts for an endpoint. |
POST | /v1/admin/webhook-endpoints/{endpoint_id}/test | Send a signed test event; sandbox lifecycle rehearsals also write simulator ledger/audit rows. Test payload tenant/environment fields are derived from the authenticated credential. |
Tenant header validation
Routes that accept a tenant body or query parameter also accept the x-tenant-id header. When the JWT claim tid is present, the Gateway validates the header against the claim and rejects mismatches with 401 Unauthorized before any handler runs. Unauthenticated tenant identifiers in request bodies are never authoritative. Live/sandbox environment is never selected with a client-controlled header; Gateway sessions, API keys, Harbor access JWTs, Signal reads, webhooks, and settlement config derive it from the authenticated tenant credential.
Settlement routing is still resolved server-side even when clients call Harbor directly through Kit-issued tokens. Tenant admins manage the canonical config here; public Harbor calls may only request an allowed rail.