API docs by Redocly

Workflow Approval System API (0.0.29)

Download OpenAPI specification:

API for a SaaS platform that allows customers to manage approvals for generic workflows, users, and groups.

Authentication

OIDC authentication and token management

Initiate OIDC login

Initiates OIDC authentication by generating PKCE challenge and redirecting to the OIDC provider

Responses

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Initiate OIDC login for CLI

Initiates OIDC authentication specifying a loopback redirect URI for the CLI

Request Body schema: application/json
required
redirectUri
required
string

The local loopback URL to redirect the user to after authentication

Responses

Request samples

Content type
application/json
{
  • "redirectUri": "string"
}

Response samples

Content type
application/json
{
  • "authorizationUrl": "string"
}

Handle Web OIDC callback

Exchanges authorization code for tokens and sets them as HttpOnly cookies, then redirects to frontend

query Parameters
object (OidcCallbackRequest)

Responses

Refresh Web JWT token

Takes the refresh_token from the HttpOnly cookie and issues a new pair of tokens as cookies

Responses

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Initiate Web privilege token generation (step-up)

Initiates step-up authentication flow returning the authorization URL as JSON.

Authorizations:
bearerAuth

Responses

Response samples

Content type
application/json
{
  • "authorizationUrl": "string"
}

Exchange Web privilege token

Exchanges an IDP token for a high-privilege step-up token and sets it as an HttpOnly cookie.

Authorizations:
bearerAuth
Request Body schema: application/json
required
code
required
string

The authorization code returned from the IDP

state
required
string

The state parameter returned from the IDP

resourceId
string

The identifier of the resource being accessed

operation
required
string (PrivilegedOperation)

The operation requiring high privilege authentication

Responses

Request samples

Content type
application/json
{
  • "code": "string",
  • "state": "string",
  • "resourceId": "string",
  • "operation": "string"
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Initiate CLI privilege token generation (step-up)

Initiates the step-up authentication flow for the CLI by redirecting to the IDP. The CLI should open the returned redirect URL in a browser. After the user authenticates, the IDP will redirect to the CLI local server with a code and state parameter, which must then be exchanged via POST /auth/cli/exchangePrivilegedToken.

Authorizations:
bearerAuth

Responses

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Exchange CLI privilege token

Exchanges an IDP authorization code for a high-privilege step-up token, returned as JSON.

Authorizations:
bearerAuth
Request Body schema: application/json
required
code
required
string

The authorization code returned from the IDP

state
required
string

The state parameter returned from the IDP

resourceId
string

The identifier of the resource being accessed

operation
required
string (PrivilegedOperation)

The operation requiring high privilege authentication

Responses

Request samples

Content type
application/json
{
  • "code": "string",
  • "state": "string",
  • "resourceId": "string",
  • "operation": "string"
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Exchange authorization code for CLI tokens

Exchanges an IDP authorization code and state for a pair of access and refresh tokens, returned as JSON.

Authorizations:
bearerAuth
Request Body schema: application/json
required
code
required
string

Authorization code returned by the IDP

state
required
string

State parameter passed to the IDP for CSRF protection

Responses

Request samples

Content type
application/json
{
  • "code": "string",
  • "state": "string"
}

Response samples

Content type
application/json
{
  • "accessToken": "string",
  • "refreshToken": "string"
}

Refresh CLI JWT token

Exchanges a refresh token for a new pair of access and refresh tokens, returned as JSON.

Authorizations:
bearerAuth
Request Body schema: application/json
required
refreshToken
required
string

Refresh token used to obtain a new access token

Responses

Request samples

Content type
application/json
{
  • "refreshToken": "sd8Axmi9Xkalsmcd..."
}

Response samples

Content type
application/json
{
  • "accessToken": "string",
  • "refreshToken": "string"
}

Get authenticated entity information

Returns basic information about the authenticated entity

Authorizations:
bearerAuth

Responses

Response samples

Content type
application/json
{
  • "entityType": "user",
  • "groups": [
    ]
}

Generate authentication challenge for agent

Creates an encrypted challenge that must be signed by the agent to obtain a token.

Challenge Format (Server → Agent): The server generates a challenge encrypted with the agent's public key. When decrypted and base64 decoded, it contains a JSON object with:

  • audience: string (agent name)
  • expires_at: ISO 8601 formatted date-time string
  • issuer: string (the name of the SaaS platform, e.g., "Approvio")
  • nonce: a random string to ensure uniqueness (the actual challenge)
Request Body schema: application/json
required
agentName
required
string

Name of the agent requesting authentication

Responses

Request samples

Content type
application/json
{
  • "agentName": "ci-deployment-agent"
}

Response samples

Content type
application/json
{
  • "challenge": "eyJhdWRpZW5jZSI6ImNpLWRlcGxveW1lbnQtYWdlbnQiLCJleHBpcmVzX2F0IjoiMjAyNS0wNC0xNVQxMjoxNTowMFoiLCJpc3N1ZXIiOiJBcHByb3ZpbyIsIm5vbmNlIjoiYWJjZGVmZ2hpams5ODc2NTQzMjEifQ=="
}

Exchange JWT assertion for access token

Validates a JWT assertion and returns a JWT access token for the authenticated agent using OAuth 2.0 JWT Bearer profile (RFC 7523).

JWT Assertion Requirements: The agent must create and sign a JWT assertion with their private key containing:

  • iss (issuer): Agent name
  • sub (subject): Agent name (same as issuer for client authentication)
  • aud (audience): Authorization server identifier
  • exp (expiration): JWT expiration time (Unix timestamp)
  • jti (JWT ID): Unique nonce from the server's challenge (prevents replay attacks)
  • iat (issued at): JWT issued time (Unix timestamp, optional)

Security Notes:

  • JWT must be signed with RS256 algorithm using the agent's private key
  • Server verifies signature using agent's registered public key
  • Each challenge nonce can only be used once (replay protection)
  • Agent identity is extracted from the JWT issuer claim
Request Body schema: application/json
required
grantType
required
string
Value: "urn:ietf:params:oauth:grant-type:jwt-bearer"

OAuth 2.0 grant type for JWT Bearer profile

clientAssertionType
required
string
Value: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

OAuth 2.0 client assertion type for JWT Bearer profile

clientAssertion
required
string

JWT assertion signed with the agent's private key using RS256 algorithm.

JWT Header:

{
  "alg": "RS256",
  "typ": "JWT"
}

JWT Payload:

{
  "iss": "agent-name",
  "sub": "agent-name", 
  "aud": "authorization-server-identifier",
  "exp": 1640995200,
  "jti": "nonce-from-challenge",
  "iat": 1640991600
}

Requirements:

  • Must be signed with agent's private key using RS256
  • JWT ID (jti) must match nonce from server's challenge
  • Issuer (iss) and subject (sub) must be the agent name
  • Audience (aud) must be the authorization server identifier
  • Agent identity is extracted from the issuer claim

Responses

Request samples

Content type
application/json
{
  • "grantType": "urn:ietf:params:oauth:grant-type:jwt-bearer",
  • "clientAssertionType": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  • "clientAssertion": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJjaS1kZXBsb3ltZW50LWFnZW50Iiwic3ViIjoiY2ktZGVwbG95bWVudC1hZ2VudCIsImF1ZCI6IkFwcHJvdmlvIiwiZXhwIjoxNjQwOTk1MjAwLCJqdGkiOiJhYmNkZWZnaGlqazk4NzY1NDMyMSIsImlhdCI6MTY0MDk5MTYwMH0.signature"
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJjaS1kZXBsb3ltZW50LWFnZW50IiwiZW50aXR5VHlwZSI6ImFnZW50IiwiaWF0IjoxNjc4OTAxMjAwLCJleHAiOjE2Nzg5ODc2MDB9.signature",
  • "refreshToken": "sd8Axmi9Xkalsmcd..."
}

Refresh agent JWT token

Exchanges a refresh token for a new pair of access and refresh tokens. Requires DPoP proof.

header Parameters
DPoP
required
string

DPoP proof based on RFC 9449

Request Body schema: application/json
required
refreshToken
required
string

Refresh token used to obtain a new access token

Responses

Request samples

Content type
application/json
{
  • "refreshToken": "sd8Axmi9Xkalsmcd..."
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJjaS1kZXBsb3ltZW50LWFnZW50IiwiZW50aXR5VHlwZSI6ImFnZW50IiwiaWF0IjoxNjc4OTAxMjAwLCJleHAiOjE2Nzg5ODc2MDB9.signature",
  • "refreshToken": "sd8Axmi9Xkalsmcd..."
}

Workflows

Workflow management and approval

Create a new workflow

Creates a new workflow with approvers and rules

Authorizations:
bearerAuth
Request Body schema: application/json
required
name
required
string

User-friendly name for the workflow

description
string

Detailed description of the workflow

metadata
object

Additional custom metadata for the workflow

workflowTemplateId
required
string <uuid>

The unique identifier of the workflow template to use as parent

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "description": "string",
  • "metadata": { },
  • "workflowTemplateId": "53e62d87-459b-4f1f-ae45-ffe2549e140f"
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

List workflows

Returns a list of workflows with optional filtering

Authorizations:
bearerAuth
query Parameters
object (ListWorkflowsParams)

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "pagination": {
    }
}

Get workflow details

Returns the details of a specific workflow

Authorizations:
bearerAuth
path Parameters
workflowId
required
string

The unique identifier or name of the workflow

query Parameters
object (GetWorkflowParams)

Responses

Response samples

Content type
application/json
{
  • "id": "string",
  • "name": "string",
  • "description": "string",
  • "status": "string",
  • "workflowTemplateId": "53e62d87-459b-4f1f-ae45-ffe2549e140f",
  • "metadata": { },
  • "ref": {
    },
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z",
  • "expiresAt": "2025-04-15T12:05:00Z"
}

Workflow Templates

Workflow template management

Create a new workflow template

Creates a new workflow template with approval rules, actions, and default expiry settings

Authorizations:
bearerAuth
Request Body schema: application/json
required
name
required
string

User-friendly name for the workflow template

description
string

Detailed description of the workflow template

metadata
object

Additional custom metadata for the workflow template

required
any (ApprovalRule)

Configuration of approval rules. Can be a boolean operator (AND/OR) combining nested rules, or a specific requirement (minimum count from a group).

Array of any (WorkflowAction)

Actions to be executed when workflow is approved

defaultExpiresInHours
integer [ 1 .. 8760 ]

Default expiry time for workflows created from this template (in hours, max 1 year)

spaceId
required
string <uuid>

ID of the space to which this workflow template belongs

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "description": "string",
  • "metadata": { },
  • "approvalRule": {
    },
  • "actions": [
    ],
  • "defaultExpiresInHours": 1,
  • "spaceId": "a330a273-e64a-4183-aedb-f3152797a9a5"
}

Response samples

Content type
application/json
{
  • "id": "string",
  • "name": "string",
  • "version": "string",
  • "description": "string",
  • "status": "ACTIVE",
  • "allowVotingOnDeprecatedTemplate": true,
  • "approvalRule": {
    },
  • "metadata": { },
  • "actions": [
    ],
  • "defaultExpiresInHours": 1,
  • "spaceId": "a330a273-e64a-4183-aedb-f3152797a9a5",
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z"
}

List workflow templates

Returns a list of workflow templates with optional filtering

Authorizations:
bearerAuth
query Parameters
object (ListWorkflowTemplatesParams)

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "pagination": {
    }
}

Get workflow template details

Returns the details of a specific workflow template.

Authorizations:
bearerAuth
path Parameters
templateIdentifier
required
string

The unique identifier of the workflow template (UUID)

Responses

Response samples

Content type
application/json
{
  • "id": "string",
  • "name": "string",
  • "version": "string",
  • "description": "string",
  • "status": "ACTIVE",
  • "allowVotingOnDeprecatedTemplate": true,
  • "approvalRule": {
    },
  • "metadata": { },
  • "actions": [
    ],
  • "defaultExpiresInHours": 1,
  • "spaceId": "a330a273-e64a-4183-aedb-f3152797a9a5",
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z"
}

Update a workflow template

Updates an existing workflow template by creating a new version and optionally canceling active workflows

Authorizations:
bearerAuth
path Parameters
templateIdentifier
required
string

The name of the workflow template to update

Request Body schema: application/json
required
description
string

Detailed description of the workflow template

metadata
object

Additional custom metadata for the workflow template

any (ApprovalRule)

Configuration of approval rules. Can be a boolean operator (AND/OR) combining nested rules, or a specific requirement (minimum count from a group).

Array of any (WorkflowAction)

Actions to be executed when workflow is approved

defaultExpiresInHours
integer [ 1 .. 8760 ]

Default expiry time for workflows created from this template (in hours, max 1 year)

cancelWorkflows
boolean
Default: false

If true, all in-progress workflows associated with this template will be canceled when creating a new version. This affects the allowVotingOnDeprecatedTemplate setting: when true, voting is disabled on the deprecated template.

Responses

Request samples

Content type
application/json
{
  • "description": "string",
  • "metadata": { },
  • "approvalRule": {
    },
  • "actions": [
    ],
  • "defaultExpiresInHours": 1,
  • "cancelWorkflows": false
}

Response samples

Content type
application/json
{
  • "id": "string",
  • "name": "string",
  • "version": "string",
  • "description": "string",
  • "status": "ACTIVE",
  • "allowVotingOnDeprecatedTemplate": true,
  • "approvalRule": {
    },
  • "metadata": { },
  • "actions": [
    ],
  • "defaultExpiresInHours": 1,
  • "spaceId": "a330a273-e64a-4183-aedb-f3152797a9a5",
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z"
}

Deprecate a workflow template

Marks a workflow template as deprecated with optional workflow cancellation

Authorizations:
bearerAuth
path Parameters
templateName
required
string

The name of the workflow template to deprecate

Request Body schema: application/json
optional

Options for deprecating a workflow template.

cancelWorkflows
boolean
Default: false

If true, all in-progress workflows associated with this template will be canceled. This affects the allowVotingOnDeprecatedTemplate setting: when true, voting is disabled on the deprecated template.

Responses

Request samples

Content type
application/json
{
  • "cancelWorkflows": false
}

Response samples

Content type
application/json
{
  • "id": "string",
  • "name": "string",
  • "version": "string",
  • "description": "string",
  • "status": "ACTIVE",
  • "allowVotingOnDeprecatedTemplate": true,
  • "approvalRule": {
    },
  • "metadata": { },
  • "actions": [
    ],
  • "defaultExpiresInHours": 1,
  • "spaceId": "a330a273-e64a-4183-aedb-f3152797a9a5",
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z"
}

Users

User management

Create a new user

Creates a new user in the system.

Authorizations:
bearerAuth
Request Body schema: application/json
required
displayName
required
string

User's display name.

email
required
string <email>

User's email address (must be unique).

orgRole
required
string

Role assigned to the user within the organization.

Responses

Request samples

Content type
application/json
{
  • "displayName": "Alex Chen",
  • "email": "alex.chen@example.com",
  • "orgRole": "member"
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

List users

Returns a list of users

Authorizations:
bearerAuth
query Parameters
search
string

Fuzzy search term for user display name or email.

page
integer
Default: 1

Page number for pagination

limit
integer
Default: 20

Number of results per page

Responses

Response samples

Content type
application/json
{
  • "users": [
    ],
  • "pagination": {
    }
}

Get user details

Returns the details of a specific user by their ID.

Authorizations:
bearerAuth
path Parameters
userId
required
string <uuid>

The unique identifier (UUID) of the user.

Responses

Response samples

Content type
application/json
{
  • "id": "a1b2c3d4-e5f6-7890-1234-567890abcdef",
  • "displayName": "Alex Chen",
  • "email": "alex.chen@example.com",
  • "orgRole": "member",
  • "createdAt": "2025-04-15T12:05:00Z"
}

Assign roles to a user

Assigns standard roles to a user by replacing all existing role assignments. Roles are specified by their system-defined names and scopes. The user must be authenticated as a human (not an agent) to use this endpoint.

Authorizations:
bearerAuth
path Parameters
userId
required
string <uuid>

The unique identifier (UUID) of the user.

Request Body schema: application/json
required
required
Array of objects (RoleOperationItem)

Array of role assignments specifying role names and their scopes

Responses

Request samples

Content type
application/json
{
  • "roles": [
    ]
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Remove roles from a user

Removes specified roles from a user. Only the roles matching both the role name and scope will be removed. The user must be authenticated as a human (not an agent) to use this endpoint.

Authorizations:
bearerAuth
path Parameters
userId
required
string <uuid>

The unique identifier (UUID) of the user.

Request Body schema: application/json
required
required
Array of objects (RoleOperationItem)

Array of role assignments specifying role names and their scopes

Responses

Request samples

Content type
application/json
{
  • "roles": [
    ]
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

List entities in a group

Returns a list of all entities (users, systems, etc.) that belong to a specific group, including their roles.

Authorizations:
bearerAuth
path Parameters
groupId
required
string <uuid>

The unique identifier (UUID) of the group.

query Parameters
page
integer
Default: 1

Page number for pagination

limit
integer
Default: 20

Number of results per page

Responses

Response samples

Content type
application/json
{
  • "entities": [
    ],
  • "pagination": {
    }
}

Add group entities

Add entities (like users) within a specific group.

Authorizations:
bearerAuth
path Parameters
groupId
required
string <uuid>

The unique identifier (UUID) of the group.

Request Body schema: application/json
required
required
Array of objects (EntityMembershipAdd)

List of entities to add to the group.

Responses

Request samples

Content type
application/json
{
  • "entities": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "name": "string",
  • "description": "string",
  • "entitiesCount": 0,
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z"
}

Remove group entities

Remove entities (like users) from a specific group.

Authorizations:
bearerAuth
path Parameters
groupId
required
string <uuid>

The unique identifier (UUID) of the group.

Request Body schema: application/json
required
required
Array of objects (EntityMembershipRemove)

List of entities to remove from the group.

Responses

Request samples

Content type
application/json
{
  • "entities": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "name": "string",
  • "description": "string",
  • "entitiesCount": 0,
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z"
}

Groups

Group management

Create a new approver group

Create a new group for organizing approvers

Authorizations:
bearerAuth
Request Body schema: application/json
required
name
required
string

Name of the group

description
string

Description of the group

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "description": "string"
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

List groups

Returns a list of groups

Authorizations:
bearerAuth
query Parameters
page
integer
Default: 1

Page number for pagination

limit
integer
Default: 20

Number of results per page

Responses

Response samples

Content type
application/json
{
  • "groups": [
    ],
  • "pagination": {
    }
}

Get group details

Returns the details of a specific group

Authorizations:
bearerAuth
path Parameters
groupIdentifier
required
string

The unique identifier of the group or the name of the group

Responses

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "name": "string",
  • "description": "string",
  • "entitiesCount": 0,
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z"
}

List entities in a group

Returns a list of all entities (users, systems, etc.) that belong to a specific group, including their roles.

Authorizations:
bearerAuth
path Parameters
groupId
required
string <uuid>

The unique identifier (UUID) of the group.

query Parameters
page
integer
Default: 1

Page number for pagination

limit
integer
Default: 20

Number of results per page

Responses

Response samples

Content type
application/json
{
  • "entities": [
    ],
  • "pagination": {
    }
}

Add group entities

Add entities (like users) within a specific group.

Authorizations:
bearerAuth
path Parameters
groupId
required
string <uuid>

The unique identifier (UUID) of the group.

Request Body schema: application/json
required
required
Array of objects (EntityMembershipAdd)

List of entities to add to the group.

Responses

Request samples

Content type
application/json
{
  • "entities": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "name": "string",
  • "description": "string",
  • "entitiesCount": 0,
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z"
}

Remove group entities

Remove entities (like users) from a specific group.

Authorizations:
bearerAuth
path Parameters
groupId
required
string <uuid>

The unique identifier (UUID) of the group.

Request Body schema: application/json
required
required
Array of objects (EntityMembershipRemove)

List of entities to remove from the group.

Responses

Request samples

Content type
application/json
{
  • "entities": [
    ]
}

Response samples

Content type
application/json
{
  • "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  • "name": "string",
  • "description": "string",
  • "entitiesCount": 0,
  • "createdAt": "2019-08-24T14:15:22Z",
  • "updatedAt": "2019-08-24T14:15:22Z"
}

Spaces

Space management

Create a new space

Creates a new organizational space

Authorizations:
bearerAuth
Request Body schema: application/json
required
name
required
string

Name of the space (max 255 characters)

description
string

Description of the space (max 2048 characters)

Responses

Request samples

Content type
application/json
{
  • "name": "Engineering Team",
  • "description": "Space for engineering team collaboration"
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

List spaces

Returns a list of spaces

Authorizations:
bearerAuth
query Parameters
page
integer
Default: 1

Page number for pagination

limit
integer
Default: 20

Number of results per page

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "pagination": {
    }
}

Get space details

Returns the details of a specific space

Authorizations:
bearerAuth
path Parameters
spaceId
required
string <uuid>

The unique identifier of the space

Responses

Response samples

Content type
application/json
{
  • "id": "a1b2c3d4-e5f6-7890-1234-567890abcdef",
  • "name": "Engineering Team",
  • "description": "Space for engineering team collaboration",
  • "createdAt": "2025-04-15T12:05:00Z",
  • "updatedAt": "2025-04-15T12:05:00Z"
}

Delete a space

Deletes a space

Authorizations:
bearerAuth
path Parameters
spaceId
required
string <uuid>

The unique identifier of the space

Responses

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Organization Admins

Organization administrator management

Add organization administrator

Adds a new organization administrator by email to the specified organization

Authorizations:
bearerAuth
path Parameters
organization-name
required
string
Example: my-org

The name or identifier of the organization

Request Body schema: application/json
required
email
required
string <email>

Email address of the organization administrator

Responses

Request samples

Content type
application/json
{
  • "email": "admin@example.com"
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

List organization administrators

Returns a list of administrators for the specified organization

Authorizations:
bearerAuth
path Parameters
organization-name
required
string
Example: my-org

The name or identifier of the organization

query Parameters
page
integer
Default: 1

Page number for pagination

limit
integer
Default: 20

Number of results per page

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "pagination": {
    }
}

Remove organization administrator

Removes an organization administrator from the specified organization

Authorizations:
bearerAuth
path Parameters
organization-name
required
string
Example: my-org

The name or identifier of the organization

Request Body schema: application/json
required
userId
required
string <uuid>

The unique identifier of the user to remove from organization admins

Responses

Request samples

Content type
application/json
{
  • "userId": "a1b2c3d4-e5f6-7890-1234-567890abcdef"
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Workflow Actions

Workflow actions and voting

Vote on a workflow

Allows an authenticated entity to cast a vote (approve or veto) on a specific workflow.

Authorizations:
bearerAuth
path Parameters
workflowId
required
string

The unique identifier of the workflow

Request Body schema: application/json
required
reason
string

Optional reason for the vote. Can be used for approval comments or reject reasons.

required
any

Responses

Request samples

Content type
application/json
{
  • "reason": "Missing critical information or LGTM!",
  • "voteType": {
    }
}

Response samples

Content type
application/json
{ }

Retrieve votes for a workflow

Returns a list of all votes cast for the specified workflow.

Authorizations:
bearerAuth
path Parameters
workflowId
required
string

The unique identifier of the workflow

Responses

Response samples

Content type
application/json
{
  • "votes": [
    ]
}

Check if the current entity can vote on a workflow

Determines if the authenticated entity is eligible to cast a vote on the specified workflow.

Authorizations:
bearerAuth
path Parameters
workflowId
required
string

The unique identifier of the workflow.

Responses

Response samples

Content type
application/json
{
  • "canVote": true,
  • "voteStatus": "VOTE_PENDING",
  • "cantVoteReason": "string",
  • "requireHighPrivilege": true
}

Agents

Agent registration and management

List agents

Returns a list of agents

Authorizations:
bearerAuth
query Parameters
object (ListAgentsParams)

Responses

Response samples

Content type
application/json
{
  • "agents": [
    ],
  • "pagination": {
    }
}

Register a new agent

Creates a new agent registration entry with generated asymmetric key pair for future authentication

Authorizations:
bearerAuth
Request Body schema: application/json
required
agentName
required
string [ 1 .. 1024 ] characters

Unique name for the agent (must be unique across the system)

Responses

Request samples

Content type
application/json
{
  • "agentName": "ci-deployment-agent"
}

Response samples

Content type
application/json
{
  • "agentId": "a1b2c3d4-e5f6-7890-1234-567890abcdef",
  • "agentName": "ci-deployment-agent",
  • "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEuLi4KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t",
  • "privateKey": "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUVWd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnZ2dnU2tBZ0VBQW9JQkFRQy4uLgotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0t",
  • "createdAt": "2025-04-15T12:05:00Z"
}

Get agent details

Returns the details of a specific agent by their ID or name.

Authorizations:
bearerAuth
path Parameters
agentIdOrName
required
string

The unique identifier (UUID) or the name of the agent.

Responses

Response samples

Content type
application/json
{
  • "id": "a1b2c3d4-e5f6-7890-1234-567890abcdef",
  • "agentName": "ci-deployment-agent",
  • "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEuLi4KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t",
  • "createdAt": "2025-04-15T12:05:00Z"
}

Assign roles to an agent

Assigns standard roles to an agent by replacing all existing role assignments. Roles are specified by their system-defined names and scopes. The user must be authenticated as a human (not an agent) to use this endpoint.

Authorizations:
bearerAuth
path Parameters
agentId
required
string <uuid>

The unique identifier (UUID) of the agent.

Request Body schema: application/json
required
required
Array of objects (RoleOperationItem)

Array of role assignments specifying role names and their scopes

Responses

Request samples

Content type
application/json
{
  • "roles": [
    ]
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Remove roles from an agent

Removes specified roles from an agent. Only the roles matching both the role name and scope will be removed. The user must be authenticated as a human (not an agent) to use this endpoint.

Authorizations:
bearerAuth
path Parameters
agentId
required
string <uuid>

The unique identifier (UUID) of the agent.

Request Body schema: application/json
required
required
Array of objects (RoleOperationItem)

Array of role assignments specifying role names and their scopes

Responses

Request samples

Content type
application/json
{
  • "roles": [
    ]
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Roles

Role template management and listing

Assign roles to an agent

Assigns standard roles to an agent by replacing all existing role assignments. Roles are specified by their system-defined names and scopes. The user must be authenticated as a human (not an agent) to use this endpoint.

Authorizations:
bearerAuth
path Parameters
agentId
required
string <uuid>

The unique identifier (UUID) of the agent.

Request Body schema: application/json
required
required
Array of objects (RoleOperationItem)

Array of role assignments specifying role names and their scopes

Responses

Request samples

Content type
application/json
{
  • "roles": [
    ]
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Remove roles from an agent

Removes specified roles from an agent. Only the roles matching both the role name and scope will be removed. The user must be authenticated as a human (not an agent) to use this endpoint.

Authorizations:
bearerAuth
path Parameters
agentId
required
string <uuid>

The unique identifier (UUID) of the agent.

Request Body schema: application/json
required
required
Array of objects (RoleOperationItem)

Array of role assignments specifying role names and their scopes

Responses

Request samples

Content type
application/json
{
  • "roles": [
    ]
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

List predefined role templates

Returns a list of all predefined role templates available in the system

Authorizations:
bearerAuth

Responses

Response samples

Content type
application/json
{
  • "roles": [
    ]
}

Assign roles to a user

Assigns standard roles to a user by replacing all existing role assignments. Roles are specified by their system-defined names and scopes. The user must be authenticated as a human (not an agent) to use this endpoint.

Authorizations:
bearerAuth
path Parameters
userId
required
string <uuid>

The unique identifier (UUID) of the user.

Request Body schema: application/json
required
required
Array of objects (RoleOperationItem)

Array of role assignments specifying role names and their scopes

Responses

Request samples

Content type
application/json
{
  • "roles": [
    ]
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Remove roles from a user

Removes specified roles from a user. Only the roles matching both the role name and scope will be removed. The user must be authenticated as a human (not an agent) to use this endpoint.

Authorizations:
bearerAuth
path Parameters
userId
required
string <uuid>

The unique identifier (UUID) of the user.

Request Body schema: application/json
required
required
Array of objects (RoleOperationItem)

Array of role assignments specifying role names and their scopes

Responses

Request samples

Content type
application/json
{
  • "roles": [
    ]
}

Response samples

Content type
application/json
{
  • "code": "string",
  • "message": "string",
  • "details": [
    ]
}

Health

Health check endpoints

Health check

Returns the health status of the service

Responses

Response samples

Content type
application/json
{
  • "status": "string",
  • "message": "string"
}