Endpoints
GET /
Redirects (302) to /.well-known/agent.json.
GET /.well-known/agent.json
Returns the agent’s identity document. See agent.json Schema.
CORS enabled. No authentication required.
POST /d/{token}
Deposit endpoint. Accepts a POST body and stores it encrypted in the vault.
The {token} is a signed deposit URL token. Invalid or expired tokens return 404. Replay attempts return 404.
Request:
```bash
curl -X POST https://agent.example.com/d/dt_a1b2c3... \
  -d 'the secret value'
```

Response (success):

```json
{
  "status": "deposited",
  "label": "stripe-key"
}
```

Errors: 404 for invalid/expired/used tokens. No information leakage — every failure looks the same.
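An added illustration, in Python, of the deposit-token rules this section describes (example code, not the service's own implementation): a signed, expiring, single-use token whose every failure mode collapses into the same 404. The `dt_<payload>.<hmac>` layout, the 10-minute lifetime, the signing key and the in-memory vault are assumptions made for the example.

```python
import base64, hashlib, hmac, json, os, time
from typing import Optional, Tuple

# Assumptions for this example: a constructed signing key, a 10-minute token
# lifetime and the token layout dt_<base64url payload>.<base64url hmac>.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_PREFIX = "dt_"
TOKEN_TTL_SECONDS = 600

# Every failure (invalid, expired, replayed, malformed) returns exactly this.
NOT_FOUND: Tuple[int, dict] = (404, {"error": "not found"})
_used_tokens: set = set()   # replay protection: tokens already redeemed
_vault: dict = {}           # stand-in for the encrypted vault

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_deposit_token(label: str, now: Optional[float] = None) -> str:
    """Issue a signed deposit URL token bound to a label and an expiry."""
    now = time.time() if now is None else now
    claims = {"label": label, "exp": int(now + TOKEN_TTL_SECONDS),
              "nonce": _b64e(os.urandom(8))}  # nonce keeps each token unique
    payload = _b64e(json.dumps(claims).encode())
    sig = _b64e(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{TOKEN_PREFIX}{payload}.{sig}"

def handle_deposit(token: str, body: bytes, now: Optional[float] = None) -> Tuple[int, dict]:
    """POST /d/{token}: verify signature, expiry and single use before storing."""
    now = time.time() if now is None else now
    try:
        if not token.startswith(TOKEN_PREFIX):
            return NOT_FOUND
        payload, sig = token[len(TOKEN_PREFIX):].split(".", 1)
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):  # constant-time compare
            return NOT_FOUND
        claims = json.loads(_b64d(payload))
        if now > claims["exp"] or token in _used_tokens:
            return NOT_FOUND
    except (ValueError, KeyError, TypeError):
        return NOT_FOUND  # malformed token: same answer as every other failure
    _used_tokens.add(token)
    _vault[claims["label"]] = body  # the real service encrypts before storing
    return 200, {"status": "deposited", "label": claims["label"]}
```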
GET /m/{code}
Magic link verification. Returns 200 with {"status": "verified"} if the code is valid and not expired. Returns 404 otherwise.
Rate limited to 10 requests per minute per IP. Codes under 20 characters are rejected.
All other routes
Return 404.
Security headers
Every response includes:
| Header | Value |
|---|---|
| X-Content-Type-Options | nosniff |
| Cache-Control | no-store |
| Referrer-Policy | no-referrer |
| Content-Security-Policy | default-src 'none' |
| Strict-Transport-Security | max-age=63072000 (HTTPS only) |