Browse docs+

API Reference

This page is the quick endpoint index for the machine API.

It sits between the conceptual docs and the full HTTP reference:

Machine API Overview explains the model, auth setup, and policy rules
this page gives you the fastest route to the right endpoint or endpoint guide
Detailed Machine API Reference covers full request and response details
Machine Endpoint Inventory is the audited controller-level route list

Use the CLI or Node SDK unless you specifically need raw HTTP control.

If you are using R4 as a password manager for an agent runtime, follow this sequence first:

Register Agent Public Key
List Vaults
List Vault Items
Get Vault Field Value when you already know the fieldId
Get Vault Item Detail when you need the whole item's values

The first successful public-key registration is what makes the agent eligible for security-group, project, and direct vault access. Operators should grant those access paths only after step 1 succeeds.

Recommended Agent Flow

Step	Endpoint	Method	Purpose
1	`/api/v1/machine/vault/public-key`	`POST`	Register or rotate the runtime public key
2	`/api/v1/machine/vault/sync`	`GET`	Read the full or delta vault sync payload for continuous runtimes
3	`/api/v1/machine/vault`	`GET`	List the vaults accessible to the API key
4	`/api/v1/machine/search`	`POST`	Search machine-visible vault and license metadata
5	`/api/v1/machine/vault/:vaultId/public-keys`	`GET`	Fetch the signer directory for wrapped-DEK and checkpoint verification
6	`/api/v1/machine/vault/:vaultId/wrapped-key`	`GET`	Fetch the wrapped vault DEK for the authenticated agent
7	`/api/v1/machine/vault/:vaultId/items`	`GET`	List vault items with signed summary metadata
8	`/api/v1/machine/vault/:vaultId/fields/:fieldId`	`GET`	Fetch one field ciphertext plus the parent signed detail checkpoint
9	`/api/v1/machine/vault/:vaultId/items/:itemId`	`GET`	Fetch item ciphertext plus signed detail metadata

Rotating to a different runtime key still requires the current private key and, when the old key still has active vault access, a complete replacement wrapped-DEK batch.

Important Current Constraint

AGENT-scoped machine API keys are the supported runtime path for password retrieval, secret usage, and checkpoint-signed vault metadata writes when the runtime has an active registered encryption key.

Attachment parity, procurement flows, and outbound machine webhooks now live on the same machine API, but they still require the right endpoint permissions and any extra tenant or org roles. See Current Limitations.

Machine API keys can also be limited by policy. The simplest setup is machine.all, but least-privilege runtimes can choose grouped grants such as machine.vault.all or individual permissions such as machine.vault.read and machine.vault.secret.read.

If you are building a "master agent" that creates other agents, add machine.agent.all, machine.permissions.all, and the tenant role TENANT_AGENT_MANAGER.

Use Agent Orchestration and Permission Management when you are building delegated agent workflows instead of simple secret retrieval.

If you want machine-side metadata discovery without broad project/admin powers, add machine.search.read. Continuous runtimes that need full or delta sync should add machine.vault.sync.read or the grouped machine.vault.all.

If you are building a read-only observer or anomaly-detection runtime, add machine.monitoring.read. metric-stats, entity-counts, request-events, audit-events, and vault-activity-events are scoped to the authenticated machine session; system-stats and session-stats are reserved for global-admin-backed machine keys.

If the CLI, SDK, MCP server, or current raw machine API is missing a capability your AGENT runtime needs, submit product-gap feedback through POST /api/v1/machine/feedback.

Identity Endpoint

Inspect the current machine principal, scope, tenant binding, and write-path constraints.

Endpoint	Method	Description
`/api/v1/machine/me`	GET	Read the authenticated API key, org/tenant/agent context, and warnings

Search Endpoints

Search machine-visible metadata without decrypting secret values.

Endpoint	Method	Description
`/api/v1/machine/search`	POST	Search vaults, vault items, field labels, and eligible licenses

Project Endpoints

Manage projects and their associated resources programmatically.

Endpoint	Method	Description
`/api/v1/machine/project`	GET	List all projects
`/api/v1/machine/project`	POST	Create a new project
`/api/v1/machine/project/:id`	GET	Get project details

Agent Endpoints

Create and manage subordinate AGENT runtimes programmatically.

Endpoint	Method	Description
`/api/v1/machine/agent`	GET	List agents in the current tenant, including each agent's `domainTenantId`
`/api/v1/machine/agent`	POST	Create a new agent and receive its one-time API key
`/api/v1/machine/agent/:id`	GET	Get one agent
`/api/v1/machine/agent/:id`	PATCH	Update agent metadata or security groups
`/api/v1/machine/agent/:id/archive`	PATCH	Archive an agent
`/api/v1/machine/agent/:id/regenerate-api-key`	POST	Rotate the agent's API key
`/api/v1/machine/agent/:id/vault-item`	PATCH	Link the agent API key to a vault item
`/api/v1/machine/agent/:id/tenant-roles`	GET	Read direct and inherited tenant roles
`/api/v1/machine/agent/:id/tenant-roles`	PATCH	Replace direct tenant roles

These routes require both the machine permission family (machine.agent.read / machine.agent.write) and the session tenant role TENANT_AGENT_MANAGER. See Agent Orchestration for the end-to-end lifecycle and delegation flow.

Feedback Endpoints

Report unsupported product capabilities from an AGENT runtime.

Endpoint	Method	Description
`/api/v1/machine/feedback`	POST	Store AGENT feedback about missing CLI, SDK, MCP, or machine-API features

This route is AGENT-only and requires machine.feedback.write or machine.feedback.all. Do not send secrets, plaintext credentials, or private user data in the feedback body.

Permission Endpoints

Manage project, vault, or vault-item access entries through the machine API.

Endpoint	Method	Description
`/api/v1/machine/permissions/:id/access`	GET	Inspect the current caller's effective access to one asset
`/api/v1/machine/permissions/:assetType/warning-message`	GET	Read asset-type-specific permission caveats
`/api/v1/machine/permissions/security-groups`	GET	List security groups you can assign
`/api/v1/machine/permissions/tenant-members`	GET	List tenant members you can assign
`/api/v1/machine/permissions/projects`	GET	List projects you can assign
`/api/v1/machine/permissions/agents`	GET	List agents you can assign
`/api/v1/machine/permissions/PROJECT/:id/permissions`	GET	List current project permission rows
`/api/v1/machine/permissions/PROJECT/:id/resolved-access`	GET	Inspect resolved project access
`/api/v1/machine/permissions/PROJECT/:id/set-permissions`	POST	Replace project permission rows
`/api/v1/machine/permissions/VAULT/:id/permissions`	GET	List current vault permission rows
`/api/v1/machine/permissions/VAULT/:id/resolved-access`	GET	Inspect resolved vault access
`/api/v1/machine/permissions/VAULT/:id/set-permissions`	POST	Replace vault permission rows
`/api/v1/machine/permissions/VAULT_ITEM/:id/permissions`	GET	List current vault-item permission rows
`/api/v1/machine/permissions/VAULT_ITEM/:id/resolved-access`	GET	Inspect resolved vault-item access
`/api/v1/machine/permissions/VAULT_ITEM/:id/set-permissions`	POST	Replace vault-item permission rows

Project permission edits are the simplest delegated-access flow. Vault and vault-item permission edits require checkpoint-backed writes, and vault items still inherit parent-vault access. See Permission Management for the full request body, helper endpoints, and orchestration order.

set-permissions replaces the full permission list. Include every entry you want to keep, including the caller's own ADMIN row.

Vault Endpoints

Access and manage vault items and secrets programmatically.

Vault metadata such as vault names, item names, field labels, and websites is not end-to-end encrypted. Only field values are end-to-end encrypted v3 vault envelopes.

Endpoint	Method	Description
`/api/v1/machine/vault/public-key`	POST	Register or rotate the agent public key
`/api/v1/machine/vault/sync`	GET	Read the full or delta vault sync payload
`/api/v1/machine/vault`	POST	Create a vault with signed metadata
`/api/v1/machine/vault`	GET	List vaults accessible to the API key
`/api/v1/machine/vault/:vaultId`	GET	Get vault detail
`/api/v1/machine/vault/:id/update`	PATCH	Rename or reclassify a vault
`/api/v1/machine/vault/:vaultId`	DELETE	Archive a vault
`/api/v1/machine/vault/:vaultId/items`	POST	Create a vault item with signed checkpoints
`/api/v1/machine/vault/:vaultId/items`	GET	List vault items with signed checkpoint metadata
`/api/v1/machine/vault/:vaultId/fields/:fieldId`	GET	Get one field value with signed parent-item metadata
`/api/v1/machine/vault/:vaultId/items/:itemId`	GET	Get vault item detail with signed checkpoint metadata
`/api/v1/machine/vault-item/:id/update`	PATCH	Add, edit, or delete vault-item fields
`/api/v1/machine/vault-item/:id/move`	PATCH	Move a vault item to another vault
`/api/v1/machine/vault/:vaultId/items/:itemId`	DELETE	Archive a vault item

For vault-group, vault-import, wrapped-key, user-key-pair, shared-item, and vaults-data routes, use the Machine Endpoint Inventory or the Detailed Machine API Reference.

Attachment Endpoints

Manage checkpointed vault attachments through the machine API.

Endpoint	Method	Description
`/api/v1/machine/attachments/:vaultId/initialize-multipart-upload`	GET	Start a multipart upload for a vault attachment
`/api/v1/machine/attachments/:vaultId/get-multipart-pre-signed-urls`	POST	Fetch presigned part URLs
`/api/v1/machine/attachments/:vaultId/finalize-multipart-upload`	POST	Finalize the multipart upload with S3
`/api/v1/machine/attachments/:vaultId/create`	POST	Create the attachment placeholder row
`/api/v1/machine/attachments/:vaultId/assets/:assetId/finish-upload`	PATCH	Persist the signed attachment checkpoint
`/api/v1/machine/attachments/:vaultId/assets/:assetId/download-ticket`	GET	Fetch a signed download ticket with checkpoint metadata

Marketplace Endpoints

Search the catalog, manage machine-owned carts, and checkout orders.

Endpoint	Method	Description
`/api/v1/machine/marketplace/catalog/all`	GET	List the published marketplace catalog
`/api/v1/machine/marketplace/catalog/search`	GET	Search the catalog with filters
`/api/v1/machine/marketplace/quote`	POST	Compute a quote for a product configuration
`/api/v1/machine/marketplace/create-cart`	POST	Create a machine-owned cart
`/api/v1/machine/marketplace/add-to-cart`	POST	Add a quoted item to the current cart
`/api/v1/machine/marketplace/:id/cart`	GET	Read one machine-owned cart with aggregate quote
`/api/v1/machine/marketplace/checkout`	POST	Convert the cart into an order

Webhook Endpoints

Create outbound webhook subscriptions for scoped machine events.

Endpoint	Method	Description
`/api/v1/machine/webhook`	GET	List the current machine key's webhook endpoints
`/api/v1/machine/webhook`	POST	Create a webhook endpoint and signing secret
`/api/v1/machine/webhook/:id/test`	POST	Send a signed synthetic test delivery
`/api/v1/machine/webhook/:id/deliveries`	GET	Read delivery history for one endpoint

Domain Manager Endpoints

Manage DNS records for domains purchased through R4.

Endpoint	Method	Description
`/api/v1/machine/domain-manager/dns-records`	GET	Get DNS records for a domain

Budget Endpoints

Inspect or create governed subject budgets through the machine billing surface.

Endpoint	Method	Description
`/api/v1/machine/budget`	POST	Create an org, tenant, user, or agent budget
`/api/v1/machine/budget`	GET	List visible budgets together with their active windows

Monitoring Endpoints

Read machine-visible monitoring data and platform health summaries.

Endpoint	Method	Description
`/api/v1/machine/monitoring/metric-stats`	GET	Read API request metrics filtered to the current machine session
`/api/v1/machine/monitoring/entity-counts`	GET	Read visible entity counts filtered to the current machine session
`/api/v1/machine/monitoring/request-events`	GET	Read raw scoped request telemetry with correlation metadata
`/api/v1/machine/monitoring/audit-events`	GET	Read scoped security audit events for compliance or incident response
`/api/v1/machine/monitoring/vault-activity-events`	GET	Read a scoped cross-vault activity feed for secret-change polling
`/api/v1/machine/monitoring/system-stats`	GET	Read process and host health stats with a global-admin-backed machine key
`/api/v1/machine/monitoring/session-stats`	GET	Read aggregate session-store stats with a global-admin-backed machine key

Common Response Formats

Success Responses

All successful responses return JSON with a 2xx status code. The response body structure varies by endpoint.

Error Responses

All errors follow a consistent format:

{
  "error": {
    "code": "error_code",
    "message": "Human-readable error message"
  }
}

Common error codes:

Code	HTTP Status	Description
`unauthorized`	401	Invalid or missing API key
`missing_api_key`	401	No API key provided in the request
`invalid_api_key`	401	The provided API key is invalid
`project_not_found`	404	The requested project was not found
`domain_not_found`	404	The requested domain was not found
`domain_not_managed`	403	The domain is not managed through R4

Pagination

Currently, endpoints return all results in a single response. Future endpoints may support pagination with the following format:

{
  "data": [...],
  "pagination": {
    "page": 1,
    "limit": 50,
    "total": 150,
    "totalPages": 3
  }
}

Query parameters for paginated endpoints:

Parameter	Type	Default	Description
`page`	number	1	Page number (1-indexed)
`limit`	number	50	Number of items per page (max 100)

Changelog

v1.10.0 (March 2026)

Added GET /api/v1/machine/me for machine identity, context, and capability introspection
Added POST /feedback for AGENT capability-gap feedback
Added the Submit Feedback endpoint guide and linked it from the agent-facing docs

v1.9.0 (March 2026)

Added links for the machine vault update, vault-item update, and vault-item move write paths
Added the audited Machine Endpoint Inventory

v1.8.0 (March 2026)

Added machine monitoring endpoints under /monitoring
Added scoped metric-stats and entity-counts reads for machine observers
Added global-admin-gated system-stats and session-stats for infrastructure monitoring

v1.7.0 (March 2026)

Added machine agent lifecycle endpoints under /agent
Added direct agent tenant-role reads/writes under /agent/:id/tenant-roles
Added machine project/vault permission management under /permissions/:assetType/:id/*

v1.6.0 (March 2026)

Added GET /vault/:vaultId/fields/:fieldId for narrow single-field reads with the parent signed detail checkpoint

v1.5.0 (March 2026)

Removed the legacy GET /vault/env/:projectId plaintext env endpoint
Added signed machine vault summary/detail checkpoint metadata to GET /vault/:vaultId/items and GET /vault/:vaultId/items/:itemId
Tightened machine vault writes so create/archive flows now require user-backed signed checkpoints and client-encrypted field values

v1.3.0 (February 2026)

Added POST /vault/:vaultId/items endpoint for creating vault items

v1.2.0 (January 2026)

Added GET /project endpoint for listing all projects
Added POST /project endpoint for creating projects

v1.1.0 (January 2026)

Added GET /project/:id endpoint for project details

v1.0.0 (January 2026)

Initial release
Added GET /domain-manager/dns-records endpoint