Browse docs+

API Reference

This page is the quick endpoint index for the machine API.

It sits between the conceptual docs and the full HTTP reference:

Machine API Overview explains the model, auth setup, and policy rules
this page gives you the fastest route to the right endpoint or endpoint guide
Detailed Machine API Reference covers full request and response details
Machine Endpoint Inventory is the audited controller-level route list

Use the Node SDK unless you specifically need raw HTTP control. The CLI manages local account and agent profiles that the SDK can also load.

If you are using R4 as a password manager for an agent runtime, follow this sequence first:

Create the agent in the Platform wizard and import the one-time JSON with CLI or Node SDK
List Vaults
List Vault Environment Fields for project env export
List Vault Items for broader item discovery
Get Vault Field Value when you already know the fieldId
Get Vault Item Detail when you need the whole item's values

The Platform wizard registers the initial runtime public key. Use Register or Rotate Agent Public Key for explicit rotation or repair workflows, not as a required step for every environment read.

Recommended Agent Flow

Step	Endpoint	Method	Purpose
1	`/api/v1/machine/vault`	`GET`	List the vaults accessible to the API key
2	`/api/v1/machine/vault/:vaultId/wrapped-key`	`GET`	Fetch the wrapped vault DEK for the authenticated agent
3	`/api/v1/machine/vault/:vaultId/public-keys`	`GET`	Fetch the signer directory for wrapped-DEK and metadata verification
4	`/api/v1/machine/vault/:vaultId/environment-fields`	`GET`	Fetch only fields marked for environment-variable export
5	`/api/v1/machine/vault/:vaultId/items`	`GET`	List vault items with signed summary metadata
6	`/api/v1/machine/vault/:vaultId/fields/:fieldId`	`GET`	Fetch one field ciphertext plus the parent signed detail checkpoint
7	`/api/v1/machine/vault/:vaultId/items/:itemId`	`GET`	Fetch item ciphertext plus signed detail metadata
Optional	`/api/v1/machine/vault/public-key`	`POST`	Rotate or repair the runtime public key
Optional	`/api/v1/machine/vault/sync`	`GET`	Read the full or delta vault sync payload for continuous runtimes
Optional	`/api/v1/machine/search`	`POST`	Search machine-visible vault and license metadata

Rotating to a different runtime key still requires the current private key and, when the old key still has active vault access, a complete replacement wrapped-DEK batch.

Important Current Constraint

AGENT-scoped machine API keys are the supported runtime path for password retrieval, secret usage, and machine vault writes when their policy and asset access allow the operation.

Attachment parity, procurement flows, and outbound machine webhooks now live on the same machine API, but they still require the right endpoint permissions and any extra tenant or org roles. See Current Limitations.

Machine API keys can also be limited by policy. The simplest setup is machine.all, but least-privilege runtimes can choose grouped grants such as machine.vault.all or individual permissions such as machine.vault.read and machine.vault.secret.read.

If you are building a "master agent" that creates other agents, add machine.agent.all, machine.permissions.all, and the tenant role TENANT_AGENT_MANAGER.

Use Agent Orchestration and Permission Management when you are building delegated agent workflows instead of simple secret retrieval.

If you want machine-side metadata discovery without broad project/admin powers, add machine.search.read. Continuous runtimes that need full or delta sync should add machine.vault.sync.read or the grouped machine.vault.all.

If you are building a read-only observer or anomaly-detection runtime, add machine.monitoring.read. metric-stats, entity-counts, request-events, audit-events, and vault-activity-events are scoped to the authenticated machine session; system-stats and session-stats are reserved for global-admin-backed machine keys.

If the SDK, MCP server, or current raw machine API is missing a capability your AGENT runtime needs, submit product-gap feedback through POST /api/v1/machine/feedback.

Identity Endpoint

Inspect the current machine principal, scope, tenant binding, and write-path constraints.

Endpoint	Method	Description
`/api/v1/machine/me`	GET	Read the authenticated machine principal, auth method, org/tenant/agent context, and warnings
`/api/v1/machine/tenant-context`	GET	Compatibility helper for agent orchestration clients that need the active tenant and default `domainTenantId`

Search Endpoints

Search machine-visible metadata without decrypting secret values.

Endpoint	Method	Description
`/api/v1/machine/search`	POST	Search vaults, vault items, field labels, and eligible licenses

Project Endpoints

Manage projects and their associated resources programmatically.

Endpoint	Method	Description
`/api/v1/machine/project`	GET	List all projects
`/api/v1/machine/project`	POST	Create a new project
`/api/v1/machine/project/:id`	GET	Get project details

Agent Endpoints

Create and manage subordinate AGENT runtimes programmatically.

Endpoint	Method	Description
`/api/v1/machine/agent`	GET	List agents in the current tenant, including each agent's `domainTenantId`
`/api/v1/machine/agent`	POST	Create a new agent and receive its one-time API key
`/api/v1/machine/agent/me`	GET	Read the authenticated AGENT principal
`/api/v1/machine/agent/:id`	GET	Get one agent
`/api/v1/machine/agent/:id`	PATCH	Update agent metadata or security groups
`/api/v1/machine/agent/:id/archive`	PATCH	Archive an agent
`/api/v1/machine/agent/:id/regenerate-api-key`	POST	Rotate the agent's API key
`/api/v1/machine/agent/:id/vault-item`	PATCH	Link the agent API key to a vault item
`/api/v1/machine/agent/:id/tenant-roles`	GET	Read direct and inherited tenant roles
`/api/v1/machine/agent/:id/tenant-roles`	PATCH	Replace direct tenant roles

These routes require both the machine permission family (machine.agent.read / machine.agent.write) and the session tenant role TENANT_AGENT_MANAGER. See Agent Orchestration for the end-to-end lifecycle and delegation flow.

Feedback Endpoints

Report unsupported product capabilities from an AGENT runtime.

Endpoint	Method	Description
`/api/v1/machine/feedback`	POST	Store AGENT feedback about missing SDK, MCP, or machine-API features

This route is AGENT-only and requires machine.feedback.write or machine.feedback.all. Do not send secrets, plaintext credentials, or private user data in the feedback body.

Permission Endpoints

Manage project, vault, or vault-item access entries through the machine API.

Endpoint	Method	Description
`/api/v1/machine/permissions/:id/access`	GET	Inspect the current caller's effective access to one asset
`/api/v1/machine/permissions/:assetType/warning-message`	GET	Read asset-type-specific permission caveats
`/api/v1/machine/permissions/security-groups`	GET	List security groups you can assign
`/api/v1/machine/permissions/tenant-members`	GET	List tenant members you can assign
`/api/v1/machine/permissions/projects`	GET	List projects you can assign
`/api/v1/machine/permissions/agents`	GET	List agents you can assign
`/api/v1/machine/permissions/PROJECT/:id/permissions`	GET	List current project permission rows
`/api/v1/machine/permissions/PROJECT/:id/resolved-access`	GET	Inspect resolved project access
`/api/v1/machine/permissions/PROJECT/:id/set-permissions`	POST	Replace project permission rows
`/api/v1/machine/permissions/VAULT/:id/permissions`	GET	List current vault permission rows
`/api/v1/machine/permissions/VAULT/:id/resolved-access`	GET	Inspect resolved vault access
`/api/v1/machine/permissions/VAULT/:id/set-permissions`	POST	Replace vault permission rows
`/api/v1/machine/permissions/VAULT_ITEM/:id/permissions`	GET	List current vault-item permission rows
`/api/v1/machine/permissions/VAULT_ITEM/:id/resolved-access`	GET	Inspect resolved vault-item access
`/api/v1/machine/permissions/VAULT_ITEM/:id/set-permissions`	POST	Replace vault-item permission rows

Project permission edits are the simplest delegated-access flow. Vault and vault-item permission edits reuse the same platform ACL graph, and vault items still inherit parent-vault access. See Permission Management for the full request body, helper endpoints, and orchestration order.

set-permissions replaces the full permission list. Include every entry you want to keep, including the caller's own ADMIN row.

Vault Endpoints

Access and manage vault items and secrets programmatically.

Vault metadata such as vault names, item names, field labels, and websites is not end-to-end encrypted. Only field values are end-to-end encrypted v3 vault envelopes.

Endpoint	Method	Description
`/api/v1/machine/vault/public-key`	POST	Register or rotate the agent public key
`/api/v1/machine/vault/sync`	GET	Read the full or delta vault sync payload
`/api/v1/machine/vault`	POST	Create a vault
`/api/v1/machine/vault`	GET	List vaults accessible to the API key
`/api/v1/machine/vault/:vaultId`	GET	Get vault detail
`/api/v1/machine/vault/:id/update`	PATCH	Rename or reclassify a vault
`/api/v1/machine/vault/:vaultId`	DELETE	Archive a vault
`/api/v1/machine/vault/:vaultId/items`	POST	Create a vault item with client-encrypted fields
`/api/v1/machine/vault/:vaultId/items`	GET	List vault items with signed checkpoint metadata
`/api/v1/machine/vault/:vaultId/environment-fields`	GET	List only fields marked for env-var export
`/api/v1/machine/vault/:vaultId/fields/:fieldId`	GET	Get one field value with signed parent-item metadata
`/api/v1/machine/vault/:vaultId/items/:itemId`	GET	Get vault item detail with signed checkpoint metadata
`/api/v1/machine/vault-item/:id/update`	PATCH	Add, edit, or delete vault-item fields
`/api/v1/machine/vault-item/:id/move`	PATCH	Move a vault item to another vault
`/api/v1/machine/vault/:vaultId/items/:itemId`	DELETE	Archive a vault item

For /vaults compatibility aliases, vault-group, vault-import, wrapped-key, user-key-pair, shared-item, and vaults-data routes, use the Machine Endpoint Inventory or the Detailed Machine API Reference.

Attachment Endpoints

Manage encrypted vault attachments through the machine API.

Endpoint	Method	Description
`/api/v1/machine/attachments/:vaultId/initialize-multipart-upload`	GET	Start a multipart upload for a vault attachment
`/api/v1/machine/attachments/:vaultId/get-multipart-pre-signed-urls`	POST	Fetch presigned part URLs
`/api/v1/machine/attachments/:vaultId/finalize-multipart-upload`	POST	Finalize the multipart upload with S3
`/api/v1/machine/attachments/:vaultId/create`	POST	Create the attachment placeholder row
`/api/v1/machine/attachments/:vaultId/assets/:assetId/finish-upload`	PATCH	Persist the signed attachment checkpoint
`/api/v1/machine/attachments/:vaultId/assets/:assetId/download-ticket`	GET	Fetch a signed download ticket with checkpoint metadata

Pincer License Endpoints

Purchase and terminate licenses through the compact Pincer machine API. Catalog browsing, cart management, product detail, and catalog-admin provisioning routes are not public API surfaces.

Endpoint	Method	Description
`/api/v1/machine/licenses/purchase`	POST	Start a license purchase
`/api/v1/machine/licenses/:licenseInstanceId/environment`	GET	Read the zero-trust environment bundle for a managed license
`/api/v1/machine/licenses/purchases/:purchaseId/status`	GET	Read license purchase status
`/api/v1/machine/licenses/purchases/:purchaseId/vault-item`	POST	Complete the encrypted vault-item handoff
`/api/v1/machine/licenses/purchases/:purchaseId/resume`	POST	Resume a failed license purchase
`/api/v1/machine/licenses/terminate`	POST	Start license termination
`/api/v1/machine/licenses/terminations/:terminationId/status`	GET	Read license termination status
`/api/v1/machine/licenses/terminations/:terminationId/resume`	POST	Resume a failed license termination

Use the public license catalog to copy an API-available license slug for licenseId. For an existing vault destination, copy the vault ID from Platform > Vaults > vault row More actions > Copy vault ID.

Webhook Endpoints

Create outbound webhook subscriptions for scoped machine events.

Endpoint	Method	Description
`/api/v1/machine/webhook`	GET	List the current machine key's webhook endpoints
`/api/v1/machine/webhook`	POST	Create a webhook endpoint and signing secret
`/api/v1/machine/webhook/:id/test`	POST	Send a signed synthetic test delivery
`/api/v1/machine/webhook/:id/deliveries`	GET	Read delivery history for one endpoint

Domain Manager Endpoints

Manage DNS records for domains purchased through R4.

Endpoint	Method	Description
`/api/v1/machine/domain-manager/dns-records`	GET	Get DNS records for a domain

Billing Endpoints

Read billing state and fund the workspace from machine credentials. See the Detailed Machine API Reference for payment-method and setup-intent routes.

Endpoint	Method	Description
`/api/v1/machine/billing/balance`	GET	Read the current prepaid credit balance
`/api/v1/machine/billing/readiness`	GET	Check whether billing is ready for paid machine writes
`/api/v1/machine/billing/credit-transactions`	GET	List credit transactions
`/api/v1/machine/billing/crypto-funding-intents`	POST	Create a wallet-only `USDC`/`Base` funding intent
`/api/v1/machine/billing/crypto-funding-intents`	GET	List crypto funding intents
`/api/v1/machine/billing/distributor-charges`	GET	List distributor (Pax8) charges for a month with per-license subtotals

GET /billing/distributor-charges accepts month (YYYY-MM), licenseInstanceId, tenantId, and includeLines=true for per-day line detail. It powers r4 licenses charges in the CLI.

Budget Endpoints

Inspect or create governed subject budgets through the machine billing surface.

Endpoint	Method	Description
`/api/v1/machine/budget`	POST	Create an org, tenant, user, or agent budget
`/api/v1/machine/budget`	GET	List visible budgets together with their active windows

Monitoring Endpoints

Read machine-visible monitoring data and platform health summaries.

Endpoint	Method	Description
`/api/v1/machine/monitoring/metric-stats`	GET	Read API request metrics filtered to the current machine session
`/api/v1/machine/monitoring/entity-counts`	GET	Read visible entity counts filtered to the current machine session
`/api/v1/machine/monitoring/request-events`	GET	Read raw scoped request telemetry with correlation metadata
`/api/v1/machine/monitoring/audit-events`	GET	Read scoped security audit events for compliance or incident response
`/api/v1/machine/monitoring/vault-activity-events`	GET	Read a scoped cross-vault activity feed for secret-change polling
`/api/v1/machine/monitoring/system-stats`	GET	Read process and host health stats with a global-admin-backed machine key
`/api/v1/machine/monitoring/session-stats`	GET	Read aggregate session-store stats with a global-admin-backed machine key

Common Response Formats

Success Responses

All successful responses return JSON with a 2xx status code. The response body structure varies by endpoint.

Error Responses

All errors follow a consistent format:

{
  "error": {
    "code": "error_code",
    "message": "Human-readable error message"
  }
}

Common error codes:

Code	HTTP Status	Description
`missing_machine_auth`	401	No API key or bearer token provided in the request
`unauthorized`	401	Invalid or expired machine credentials
`missing_api_key`	401	Legacy API-key-only route reported no API key
`invalid_api_key`	401	The provided API key is invalid
`machine_permission_denied`	403	The credentials do not include the required machine permission
`project_not_found`	404	The requested project was not found
`domain_not_found`	404	The requested domain was not found
`domain_not_managed`	403	The domain is not managed through R4

Pagination

List endpoints accept optional page and limit query parameters. When page is omitted, the endpoint returns all results with no pagination metadata, which keeps older integrations working unchanged.

Parameter	Type	Default	Description
`page`	number	none (all rows)	Page number (1-indexed)
`limit`	number	25	Number of items per page (max 100)

When page is supplied, the response includes a meta object alongside the endpoint's list key (agents, apiKeys, users, data, and so on):

{
  "agents": [...],
  "meta": {
    "total": 150,
    "page": 1,
    "limit": 25,
    "totalPages": 6
  }
}

Paginated list endpoints include agents, tenant/org API keys, tenant users and invitations, integrations, intelligence providers, crypto funding intents, credit transactions, domain tenants, and security groups. Endpoints that do not take page/limit (for example GET /vault and GET /vault/:vaultId/items) always return the full scoped result set.

Changelog

The canonical machine API changelog lives in the Detailed Machine API Reference. This quick index no longer keeps a separate version history, because the two changelogs had drifted apart.