AxioRank Docs

Gateway API

The raw HTTP contract behind every AxioRank SDK — call it from any language.

The SDKs are thin wrappers over these endpoints. Use them directly from any language. All requests authenticate with a bearer token and send/receive JSON.

Authorization: Bearer axr_live_...
Content-Type: application/json

The base URL is your deployment — https://app.axiorank.com by default. The canonical versioned base path is /api/v1 (e.g. POST /api/v1/gateway/tool-call); the unversioned /api/... paths shown below remain available as aliases. See Versioning & stability.

Prefer an interactive explorer? Open the API Reference to try requests live, or import the machine-readable OpenAPI spec into Postman / your codegen of choice.

Idempotency

POST /api/gateway/tool-call and POST /api/gateway/verify-card accept an optional Idempotency-Key header. Send a unique key (e.g. a UUID) and a safe retry replays the first response instead of re-executing — so a dropped connection never double-counts quota or writes a duplicate audit row. Keys are scoped to your API key and retained for 24 hours.

  • Reusing a key with a different request body → 422.
  • A retry while the first request is still in flight → 409 (retry shortly).
  • Every response carries Idempotent-Replayed: true|false.

POST /api/gateway/tool-call

Score a tool call and apply your policies.

Request

{ "tool": "aws.delete_bucket", "arguments": { "name": "prod-data" } }

Response

{
  "decision": "allow",
  "reason": "no matching deny policy",
  "risk": 12,
  "auditLogId": "log_...",
  "signals": [],
  "approvalId": null
}
  • decision — allow, deny, or hold.
  • risk — 0–100.
  • signals — redacted content-inspection findings that contributed to the score.
  • approvalId — present only when decision is hold (see below).
  • 401 is returned for a missing/invalid key; 400 for a malformed body.

GET /api/gateway/approvals/{approvalId}

When a require_approval policy fires, the tool-call response is decision: "hold" with an approvalId. Poll this endpoint until a human resolves it; the server long-polls (~8s per request), so polling is cheap.

Response

{ "status": "approved", "decision": "allow", "reason": "approved by ops" }

decision stays hold while pending. The SDKs do this polling for you and only ever surface the final allow / deny.
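The retry rules from the Idempotency section and the hold polling described above, combined in one client routine. This is an added example, not AxioRank SDK code. Assumptions: `guarded_tool_call`, `GatewayError` and the `send` transport hook are hypothetical names, any 2xx status counts as success, and treating a missing or unresolved verdict as deny is this example's own policy.

```python
import json
import time
import uuid

class GatewayError(Exception):
    """Non-retryable gateway response (400, 401, 422, ...)."""

def _fail_closed(reason):
    # Choice made by this example: no clear verdict means deny.
    return {"decision": "deny", "reason": reason}

def guarded_tool_call(send, tool, arguments, attempts=4, polls=10, backoff=0.5):
    """Return the final allow/deny verdict for one logical tool call.

    send(method, path, headers, body) is a hypothetical transport hook: it adds
    the Authorization header and returns (status, parsed_json), or raises
    ConnectionError when the connection drops.
    """
    body = json.dumps({"tool": tool, "arguments": arguments})
    # One key per logical call, reused on every retry, so the gateway replays
    # the first response instead of scoring and auditing the call twice.
    headers = {"Content-Type": "application/json",
               "Idempotency-Key": str(uuid.uuid4())}
    verdict = None
    for attempt in range(attempts):
        try:
            status, data = send("POST", "/api/gateway/tool-call", headers, body)
        except ConnectionError:
            status = None                  # outcome unknown: retry with same key
        if status in (None, 409):          # 409: first request still in flight
            time.sleep(backoff * (attempt + 1))
            continue
        if not 200 <= status < 300:        # 400/401/422: a retry cannot help
            raise GatewayError(f"tool-call returned HTTP {status}")
        verdict = data
        break
    if verdict is None:
        return _fail_closed("no response from gateway after retries")
    approval_id = verdict.get("approvalId")
    for _ in range(polls):                 # server long-polls, so no sleep here
        if verdict.get("decision") != "hold" or not approval_id:
            break
        status, verdict = send("GET", f"/api/gateway/approvals/{approval_id}", {}, None)
        if not 200 <= status < 300:
            return _fail_closed(f"approval poll returned HTTP {status}")
    if verdict.get("decision") not in ("allow", "deny"):
        return _fail_closed("no final verdict (still on hold or unrecognised)")
    return verdict
```

A 422 surfaces as `GatewayError` rather than being retried, because it means the same key was sent with a different body, which is a caller bug and not a transient fault.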

POST /api/gateway/verify-card

Preflight an external MCP server / A2A agent before trusting it. Send a url to fetch the card from, or an inline document.

{ "url": "https://mcp.acme.com" }

The response carries decision (allow | review | deny), risk, the resolved identity (signature validity, key domain-binding), declared capabilities, auth, and warnings.

POST /api/gateway/verify-request

Verify an inbound agent request against a property's site key. The axioGuard middleware builds this call for you; the response includes decision (allow | challenge | block), verification (status, method, confidence), and risk.
