API Reference
REST API for ABS Core. All endpoints, authentication, rate limits, and error codes.
API Reference
The ABS Core API is organized around REST. All endpoints accept JSON request bodies, return JSON responses, and use standard HTTP response codes.
Base URL: https://api.abscore.app
Authentication: Bearer token in Authorization header. Get your token at abscore.app/dashboard.
Quick reference
| Method | Endpoint | Description |
|---|---|---|
POST | /v1/proxy/chat/completions | OpenAI-compatible governance proxy |
POST | /v1/decide | Evaluate a decision without calling an LLM |
GET | /v1/events | List audit events for an agent |
POST | /v1/events | Ingest a custom event |
POST | /v1/events/ingest/batch | Batch ingest (up to 1,000 events/call) |
GET | /v1/telemetry/metrics | System metrics: latency, blocks, volume |
GET | /v1/policies | List policy packs |
POST | /v1/policies | Create or update a policy pack |
GET | /v1/agents | List registered agents |
POST | /v1/agents | Register or update an agent profile |
Authentication
# All requests require this header:
Authorization: Bearer <YOUR_ABS_PAT>
# Test your token:
curl https://api.abscore.app/v1/agents \
-H "Authorization: Bearer $ABS_PAT"See Authentication for token scopes, rotation, and IP allowlisting.
Rate limits
| Plan | Requests / minute | Burst |
|---|---|---|
| Community | 60 | 10 |
| Professional | 600 | 100 |
| Enterprise | Unlimited (contractual SLA) | — |
Rate limit exceeded responses return HTTP 429 with a Retry-After header in seconds.
Error codes
| HTTP code | Meaning |
|---|---|
200 | Success |
400 | Bad request — invalid JSON or missing required field |
401 | Missing or invalid Authorization header |
403 | Policy violation — request was blocked by ABS |
404 | Resource not found (agent ID, policy ID, event ID) |
429 | Rate limit exceeded |
500 | Internal server error |
503 | Upstream LLM provider unavailable (proxy only) |
All errors return a consistent JSON envelope:
{
"error": {
"code": 403,
"type": "abs_policy_violation",
"message": "Unauthorized data exfiltration pattern detected.",
"rule": "EXFIL-001",
"traceId": "tr_1a2b3c4d5e6f7890"
}
}Pagination
List endpoints (/v1/events, /v1/agents, /v1/policies) support cursor-based pagination:
# First page
curl "https://api.abscore.app/v1/events?limit=50" \
-H "Authorization: Bearer $ABS_PAT"
# Next page — use cursor from previous response
curl "https://api.abscore.app/v1/events?limit=50&cursor=evt_x7y8z9" \
-H "Authorization: Bearer $ABS_PAT"{
"events": [...],
"cursor": "evt_abc123", // null if no more pages
"total": 1842
}Response headers (proxy endpoints)
Every response from the Magic Proxy includes:
| Header | Example value | Description |
|---|---|---|
x-abs-verdict | ALLOWED | ALLOWED or DENIED |
x-abs-trace-id | tr_9f8e7d6c | Unique decision ID — use for ledger lookup |
x-abs-rule | EXFIL-001 | Rule that triggered the verdict (DENIED only) |
x-abs-policy | default-v1 | Active policy version |
x-abs-latency-ms | 14 | ABS governance overhead in milliseconds |
Explore the endpoints
Magic Proxy
OpenAI-compatible proxy with full request/response examples and error handling.
Decide
Evaluate ALLOW/DENY for any action without calling an LLM.
Events
Read and write audit events. Batch ingest and cursor pagination.
Authentication
Token scopes, rotation schedule, IP allowlisting, and PAAT offline tokens.
Policies
Manage JSON policy packs. CRUD, versioning, and activation.
Agents
Register agents, bind policies, set token budgets and heartbeat intervals.