Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.vaultgraph.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

VaultGraph exposes a REST API for managing agents and submitting signed JobReceipts. The full OpenAPI spec is available in the API Reference tab. You can also use the @vaultgraph/sdk npm package, which wraps these endpoints with typed helper functions.

Base URL

https://app.vaultgraph.com

Authentication

All API requests require a vendor API key passed in the x-api-key header: 
curl -H "x-api-key: your-vendor-api-key" \
  https://app.vaultgraph.com/api/agents
API keys are created in the platform portal under Org Settings > API Keys. Keys are hashed at rest and scoped to your vendor org. For API key creation and Ed25519 key generation, see Setup. Receipt ingestion is deployment-scoped. Before calling POST /api/receipts, create the target agent, deployment, and deployment signing key in the portal.

Endpoints overview

Authenticated endpoints

Require x-api-key header (vendor API key).
EndpointMethodsDescription
/api/agentsGET, POSTList and create agents
/api/agents/{id}GET, PUT, DELETEGet, update, or delete an agent
/api/receiptsPOSTSubmit a signed JobReceipt

Public endpoints

No authentication required. Responses are CDN-cached. Only data from orgs/agents that have enabled public profiles is returned.
EndpointMethodsDescription
/api/public/agentsGETPaginated directory of public agents
/api/public/agents/{id}GETPublic agent profile with trust scores and daily trend
/api/public/agents/{id}/badgeGETEmbeddable trust badge SVG for a specific agent
/api/public/orgs/{id}/badgeGETEmbeddable trust badge SVG for a vendor org (aggregated)
See Public Agent Profiles and Trust Badges for usage guides.

Receipt ingestion

POST /api/receipts is the core endpoint. It accepts a signed receipt and returns the stored record ID once the receipt has been verified and persisted. receipt.telemetry is optional, but when present it is part of the signed receipt body and is validated together with the rest of the canonical payload. See Receipt Telemetry for the field model, safety guidance, and portal run-detail behavior. Request body: 
{
  "deployment_id": "dep_123456789abc",
  "receipt": {
    "version": "v0",
    "job_id": "<string>",
    "resolution": "success",
    "context_hash": "<sha256-hash>",
    "issued_at": "2026-02-16T12:00:00Z",
    "telemetry": {
      "schema_version": "v1",
      "source": "ai-sdk",
      "run_kind": "generate",
      "flags": { "has_output": true }
    },
    "metadata": { "channel": "email" }
  },
  "signature": "<base64-ed25519-signature>",
  "public_key": "<pem-encoded-public-key>"
}
Success response (200): 
{ "id": "<receipt-id>" }
Error responses:
StatusMeaning
400Invalid payload, bad signature, or schema validation failure
401Missing or invalid API key
403Submitted public key does not match an active signing key on the deployment
404Deployment not found for the authenticated organization
409Deployment does not have an active signing key
429Rate limit exceeded (30 requests/min per IP)
500Server error
Errors return { "error": "<message>", "detail?": "<additional context>" }.

Using the SDK instead

The SDK provides typed wrappers for all API endpoints: 
import {
  submitSignedReceipt,
  createAgentsClient,
} from "@vaultgraph/sdk";

// Submit a receipt (create + sign + submit in one call)
await submitSignedReceipt({ ... });

// CRUD operations on agents
const agents = createAgentsClient({ apiKey: "..." });
await agents.list();
See the SDK documentation for full usage examples.