Control-plane REST API
Two audiences: agents hit the broker endpoint with an end-user token; humans hit the admin surface with a verified session (or the dashboard does it for them). All admin routes are org-scoped and role-gated: viewer < admin < owner < superadmin.
The broker
POST /v1/credentials
POST /v1/credentials
Authorization: Bearer <end-user identity token>
X-Keyward-Agent: invoice-bot
X-Keyward-Environment: prod # optional, default prod
X-Keyward-Agent-Assertion: <oidc jwt> # required only for attested agents
X-Keyward-Delegation: <prior keyward credential> # chain extension (replaces user token)
{ "provider": "stripe", "scope": "charges:read", "ttl": "5m" }
→ 200 { credential, token_type, provider, scope, expires_at, delegation }
→ 202 { status: "pending_approval", approval_id } # policy effect require_approval

Denials are explicit and every one is audited: 401 invalid_user_token / invalid_delegation, 404 unknown_agent / unknown_provider, 403 agent_revoked / scope_not_allowed / policy_denied / agent_attestation_required / delegation_too_deep, 502 native_mint_failed.
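As an added example (not Keyward's own client or SDK), a small Python helper that builds the broker request exactly as documented above and turns the documented replies into an explicit outcome. It assumes the denial reason is carried in an "error" field of the JSON body (the page names the codes but not the field) and leaves the HTTP transport to the caller.

```python
import json
from typing import Optional

BROKER_PATH = "/v1/credentials"
# Denial codes listed in the docs, keyed by the HTTP status they arrive with.
DENIALS = {
    401: {"invalid_user_token", "invalid_delegation"},
    404: {"unknown_agent", "unknown_provider"},
    403: {"agent_revoked", "scope_not_allowed", "policy_denied",
          "agent_attestation_required", "delegation_too_deep"},
    502: {"native_mint_failed"},
}

def build_request(provider: str, scope: str, agent: str, *,
                  user_token: Optional[str] = None,
                  delegation: Optional[str] = None,
                  agent_assertion: Optional[str] = None,
                  ttl: str = "5m", environment: str = "prod") -> dict:
    """Build POST /v1/credentials as {method, path, headers, body}.
    A delegation (chain extension) replaces the end-user token, so exactly
    one of user_token / delegation is accepted; the assertion header is only
    sent for attested agents."""
    if (user_token is None) == (delegation is None):
        raise ValueError("supply exactly one of user_token or delegation")
    headers = {"X-Keyward-Agent": agent, "X-Keyward-Environment": environment,
               "Content-Type": "application/json"}
    if user_token is not None:
        headers["Authorization"] = f"Bearer {user_token}"
    else:
        headers["X-Keyward-Delegation"] = delegation
    if agent_assertion is not None:
        headers["X-Keyward-Agent-Assertion"] = agent_assertion
    body = json.dumps({"provider": provider, "scope": scope, "ttl": ttl})
    return {"method": "POST", "path": BROKER_PATH, "headers": headers, "body": body}

def classify_response(status: int, body: str) -> tuple:
    """Map a reply to ("minted" | "pending_approval" | "denied", reason, data).
    Assumption: denial bodies carry the reason in an "error" field."""
    data = json.loads(body) if body else {}
    if status == 200 and "credential" in data:
        return ("minted", None, data)
    if status == 202 and data.get("status") == "pending_approval":
        return ("pending_approval", data.get("approval_id"), data)
    reason = data.get("error")
    if reason in DENIALS.get(status, ()):
        return ("denied", reason, data)  # server has already audited this denial
    raise ValueError(f"unexpected broker reply: {status} {body!r}")
```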
Verification & health
Admin surface (session bearer, org-scoped)
Account & tenant auth
Provisioning (enterprise)
SCIM 2.0 Users under /scim/v2/Users (Okta / Entra provisioning; static bearer via KEYWARD_SCIM_TOKEN, disabled when unset). Audit events stream in real time to a SIEM webhook when configured — see Self-hosting for the environment variables.