API Reference
Base URL: http://127.0.0.1:4317 (default)
Authentication
Skill Token
Include in request header:
x-clauth-skill-token: <issued-token>Session JWT
Alternative to skill token. Include as Bearer token:
Authorization: Bearer <jwt>The JWT sub claim must match the skillId in the request body.
Admin Token
For admin-only endpoints:
x-clauth-admin-token: <configured-token>Set via CLAUTH_ADMIN_TOKEN environment variable.
Health & Status
GET /health
Auth: None
Response:
{
"ok": true,
"service": "clauth",
"version": "0.1.0"
}
GET /clauth/v1/capabilities
Auth: None
Response:
{
"product": "clauth",
"version": "0.1.0",
"brokeredExecution": true,
"endpointPolicyEnforced": true,
"transport": "tcp",
"requireSkillToken": true,
"supportsIdentityBroker": true,
"supportedProofMethods": ["signed-challenge", "oauth", "email"]
}
GET /clauth/v1/status
Auth: None
Response:
{
"vaultUnlocked": true,
"transport": "tcp",
"daemon": "http://127.0.0.1:4317",
"requireSkillToken": true,
"activeSkillTokens": 2,
"activeGrants": 5,
"auditIntegrity": {
"valid": true,
"entries": 42
}
}
Proxy
POST /clauth/v1/proxy
Auth: Skill token or JWT
Execute a brokered API request. Clauth validates scope, runs firewall checks, resolves credentials, injects auth headers, and returns the provider response.
Request:{
"skillId": "my-agent",
"provider": "github",
"credentialHandle": "github-main",
"scope": "github:read",
"method": "GET",
"endpoint": "https://api.github.com/user",
"headers": {},
"body": null
}
{
"status": 200,
"headers": {
"content-type": "application/json"
},
"body": {
"login": "octocat",
"id": 1
}
}
{
"error": {
"code": "ACCESS_DENIED",
"message": "No active grant for skill 'my-agent' provider 'github' scope 'github:write'."
}
}
{
"error": {
"code": "ACCESS_DENIED",
"message": "Firewall blocked request: Burst threshold exceeded (21 in 10000ms)."
}
}
Grants & Revocation
POST /clauth/v1/emergency-revoke
Auth: Admin token
Revoke all active grants immediately.
Response:{
"revoked": 5
}
Skill Tokens
POST /clauth/v1/admin/skill-token/issue
Auth: Admin token
Request:
{
"skillId": "my-agent"
}
{
"skillId": "my-agent",
"token": "clauth_sk_..."
}
POST /clauth/v1/admin/skill-token/revoke
Auth: Admin token
Request:
{
"skillId": "my-agent"
}
{
"skillId": "my-agent",
"revoked": true
}
GET /clauth/v1/admin/skill-token/list
Auth: Admin token
Response:
{
"tokens": [
{
"skillId": "my-agent",
"active": true,
"createdAt": "2025-01-15T10:00:00.000Z"
}
]
}
Alerts
POST /clauth/v1/admin/alerts/test
Auth: Admin token
Test webhook delivery.
Request:{
"url": "https://hooks.slack.com/services/xxx"
}
{
"ok": true,
"url": "https://hooks.slack.com/services/xxx"
}
Identity Broker
POST /clauth/v1/identity/challenge
Auth: Skill token or JWT
Create an identity verification challenge.
Request:{
"skillId": "my-agent",
"provider": "github",
"accountId": "octocat",
"method": "signed-challenge"
}
Supported methods: signed-challenge, oauth, email
{
"challengeId": "550e8400-e29b-41d4-a716-446655440000",
"challenge": "base64url-random-token",
"expiresAt": "2025-01-15T10:10:00.000Z"
}
When method is oauth, the response includes:
{
"challengeId": "...",
"challenge": "...",
"expiresAt": "...",
"oauthUrl": "https://github.com/login/oauth/authorize?client_id=...&state=..."
}
POST /clauth/v1/identity/verify
Auth: Skill token or JWT
Submit proof for a challenge.
Request:{
"challengeId": "550e8400-e29b-41d4-a716-446655440000",
"proof": "credential-handle-or-code",
"skillId": "my-agent"
}
For signed-challenge: proof is the credential handle. Clauth uses the stored credential to call the provider API and verify the account matches.
For email: proof is the challenge token (returned in the create response).
{
"status": "verified",
"verifiedAt": "2025-01-15T10:05:00.000Z"
}
{
"status": "failed"
}
GET /clauth/v1/identity/challenge/:id/status
Auth: Skill token or JWT
Poll challenge status.
Response:{
"status": "pending",
"verifiedAt": null
}
Status values: pending, verified, expired, failed
GET /clauth/v1/identity/proofs
Auth: None
List verified identity proofs. Optional ?skillId= filter.
{
"proofs": [
{
"challengeId": "550e8400-...",
"provider": "github",
"accountId": "octocat",
"method": "signed-challenge",
"verifiedAt": "2025-01-15T10:05:00.000Z",
"signature": "hex-hmac-signature"
}
]
}
GET /clauth/v1/identity/oauth/callback
Auth: None (uses HMAC-signed state parameter)
OAuth provider callback. Automatically exchanges authorization code for access token, verifies identity, and marks the challenge as verified.
Query parameters: state, code
Returns HTML page indicating verification result.
DELETE /clauth/v1/admin/identity/proofs/:id
Auth: Admin token
Revoke a verified identity proof.
Response:{
"revoked": true
}
Pages
GET /
Landing page with architecture overview, request flow visualization, identity verification methods, and before/after comparison.
GET /dashboard
Operator dashboard for status and admin operations.
Error Format
All errors follow:
{
"error": {
"code": "ERROR_CODE",
"message": "Human-readable description"
}
}
Common error codes:
UNAUTHORIZED— Missing or invalid auth token (401)ACCESS_DENIED— Scope denied or firewall blocked (403)FORBIDDEN— Remote address not allowed (403)NOT_FOUND— Resource not found (404)VALIDATION_ERROR— Invalid request format (422)ADMIN_AUTH_DISABLED—CLAUTH_ADMIN_TOKENnot configured (503)UPSTREAM_ERROR— Provider request failed (502)INTERNAL_ERROR— Unexpected server error (500)