AgentCompliant Platform Reference

A complete reference for the three-engine architecture (Deploy, Govern, Comply), the 11 enterprise features, SDKs, and the regulatory coverage that backs the platform. Base URL https://agentcompliant.ai/api/v1.

01

Getting started

Every request targets the gateway base URL https://agentcompliant.ai/api/v1. Authenticate with either a Clerk session JWT (dashboard flows) or an API key issued from Settings → API Keys. All API keys begin with ac_live_.

Quick start: your first check-action call

The fastest path from zero to a live compliance decision is a single POST to the Comply engine.

cURL — first check-action

curl -sS -X POST "https://agentcompliant.ai/api/v1/compliance/check-action" \
  -H "Authorization: Bearer ac_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "orgId": "org_123",
    "agentId": "agent_456",
    "actionType": "tool_call",
    "actionName": "send_email",
    "resourceType": "external_api",
    "input_summary": "Drafting outbound message to customer"
  }'

The response includes a decision (allow, warn, or block), the triggered rules, and a request ID you can match against the audit trail.
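A caller-side enforcement wrapper for that response, as an added example rather than code from AgentCompliant or its SDKs. It assumes the response fields are named decision and request_id, that warn lets the action proceed, and that check is a hypothetical transport callable returning (status_code, body_text); anything other than a clean allow or warn fails closed.

```python
import json

class ActionBlocked(Exception):
    """Raised when the gated action must not run."""
    def __init__(self, reason, request_id=None):
        super().__init__(reason)
        self.reason = reason
        self.request_id = request_id

def enforce(status_code, body_text):
    """Map a check-action HTTP result to a decision, failing closed.

    Returns (decision, request_id) for allow/warn, raises ActionBlocked otherwise.
    The field names "decision" and "request_id" are assumptions.
    """
    if status_code != 200:
        raise ActionBlocked(f"gate returned HTTP {status_code}")
    try:
        body = json.loads(body_text)
    except (TypeError, ValueError):
        raise ActionBlocked("gate response is not valid JSON")
    if not isinstance(body, dict):
        raise ActionBlocked("gate response is not a JSON object")
    decision, request_id = body.get("decision"), body.get("request_id")
    if decision == "block":
        raise ActionBlocked("blocked by policy", request_id)
    if decision not in ("allow", "warn"):
        raise ActionBlocked(f"unrecognised decision {decision!r}", request_id)
    return decision, request_id

def guarded(check, action, audit):
    """Run action() only when check() yields allow or warn.

    check: hypothetical transport callable returning (status_code, body_text)
    audit: list collecting (outcome, request_id) to match against the audit trail
    """
    try:
        status, text = check()
    except Exception as exc:  # timeout, DNS or TLS failure: treat as a block
        audit.append(("error", None))
        raise ActionBlocked(f"gate unreachable: {exc}") from exc
    try:
        decision, request_id = enforce(status, text)
    except ActionBlocked as blocked:
        audit.append(("block", blocked.request_id))
        raise
    audit.append((decision, request_id))
    return action()
```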

Authentication

  • API keys (Authorization: Bearer ac_live_…). Used for engine routes (agents, governance, compliance). Cannot call gateway-owned routes such as /v1/billing or /v1/api-keys.
  • Clerk JWT (Authorization: Bearer <session_jwt>). Used by the dashboard; the gateway requires organization context.

Base URL & versioning

All public routes are versioned under /v1. The interactive OpenAPI 3.1 spec is rendered at the bottom of this page and is also served at /api/openapi/gateway.

02

Platform overview

Three-engine architecture

Deploy

port 4001

Agent registration, lifecycle stages, dependency mapping, and blast-radius analysis.

Govern

port 4002

Real-time prompt-injection detection, conditional access, retention policies, kill switch, HITL.

Comply

port 4003

Content safety, bias, drift, scorecards, artifacts, usage analytics, regulation mapping.

Tier overview

Tier | Price | Highlights
Starter | $1,500/mo | Usage analytics, agent lifecycle, three-engine core.
Professional | $7,500/mo | + prompt-injection, content safety, bias, drift, scorecards, artifacts.
Enterprise | $25,000+/mo | + conditional access, retention, dependency mapping, SSO.

All plans include a 14-day free trial.

03

Deploy engine

The Deploy engine (port 4001) handles agent registration, lifecycle transitions, and the dependency graph used by blast-radius analysis.

Agents

POST /v1/agents
GET /v1/agents
GET /v1/agents/:id

Lifecycle (F10)

Agents move through five stages: planned → active → deprecated → retired → archived. Every transition is recorded as an event.

POST /v1/agents/:id/lifecycle
GET /v1/agents/:id/lifecycle

Body — POST /v1/agents/:id/lifecycle

{
  "to_stage": "deprecated",
  "reason": "Superseded by v2 retrieval agent",
  "successor_agent_id": "agent_abc123",
  "metadata": { "ticket": "GOV-481" }
}

Dependencies (F11, T2)

Declare upstream/downstream dependencies between agents and the systems they touch, then query the impact graph.

POST /v1/agents/:id/dependencies
GET /v1/agents/:id/dependencies
GET /v1/agents/:id/dependencies/impact
PATCH /v1/dependencies/:id
DELETE /v1/dependencies/:id

04

Govern engine

The Govern engine (port 4002) enforces runtime policy: prompt-injection detection, conditional access, retention, the kill switch, HITL approvals, and anomaly detection.

Prompt injection pre-check (F7)

A 16-pattern detector with compound-boost scoring runs before any tool call. Severities are none, low, medium, high, and critical. When the prompt_injection_detection flag is enabled, requests at high or critical are blocked.

POST /v1/govern/check-action

Example response

{
  "decision": "block",
  "severity": "high",
  "score": 0.87,
  "patterns_matched": ["override_instructions", "exfiltrate_secrets"],
  "compound_boost": 0.15,
  "request_id": "req_01HW…"
}

Conditional access (F8, T2)

Build context-aware allow/deny policies (IP ranges, time windows, principal claims, resource tags) and evaluate them per call.

POST /v1/access-policies
GET /v1/access-policies
POST /v1/access-policies/evaluate
GET /v1/access-decisions

Retention policies (F9, T2)

Define data-retention rules per resource type, then trigger immediate enforcement or rely on the scheduled run.

POST /v1/retention/policies
GET /v1/retention/policies
POST /v1/retention/policies/:id/run
GET /v1/retention/executions

Kill switch, HITL, anomalies

The kill switch, human-in-the-loop approvals, and anomaly detection remain available on every tier. See the dedicated guides for kill switch, HITL, and anomaly detection.

05

Comply engine

The Comply engine (port 4003) is the synchronous compliance gate plus the async evaluation pipeline. The check-action endpoint runs the full pipeline: F7 injection scan → F4 content safety → rules engine → F1 usage events.

Real-time and on-demand evaluation

POST /v1/compliance/check-action
POST /v1/compliance/evaluate

Body — POST /v1/compliance/check-action

{
  "orgId": "org_123",
  "agentId": "agent_456",
  "actionType": "tool_call",
  "actionName": "send_email",
  "resourceType": "external_api",
  "input_summary": "Outbound message to customer about refund"
}

Content safety (F4, T1+)

Per-call scan across toxicity, hate, harassment, self_harm, sexual, violence, profanity, and pii. Industry-gated detectors add PHI patterns for healthcare and PCI for financial. Detected PII is auto-redacted in content_preview before persistence.

Bias detection (F2, T1+)

v1 covers three dimensions — gender, race, and age — using keyword/lexicon analysis on agent outputs. Runs post-evaluation on a BullMQ worker so the synchronous path stays fast.

Drift monitoring (F3, T1+)

Z-score detection over daily baselines on latency, error_rate, and compliance_score. Severities map to standard deviations:

  • < 1σ — info
  • 1–2σ — warn
  • 2–3σ — critical
  • > 3σ — emergency
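The severity bands above applied to a per-metric z-score, as an added example that is not AgentCompliant's code. It assumes the sample standard deviation over the daily baseline, the absolute deviation from the mean, and bands that include their lower edge (exactly 3σ stays critical); the baseline and current values are constructed.

```python
from statistics import mean, stdev

SEVERITY_ORDER = ["info", "warn", "critical", "emergency"]

def z_score(baseline, today):
    """Absolute z-score of today's value against a list of daily values."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline days")
    mu, sigma = mean(baseline), stdev(baseline)
    if sigma == 0:
        # Flat baseline: any change at all is an unbounded deviation.
        return 0.0 if today == mu else float("inf")
    return abs(today - mu) / sigma

def severity(z):
    """Map a z-score to the page's bands (boundary handling is an assumption)."""
    if z < 1:
        return "info"
    if z < 2:
        return "warn"
    if z <= 3:
        return "critical"
    return "emergency"

def assess(baselines, today):
    """Return ({metric: severity}, worst severity) across all monitored metrics."""
    per_metric = {m: severity(z_score(baselines[m], today[m])) for m in baselines}
    worst = max(per_metric.values(), key=SEVERITY_ORDER.index)
    return per_metric, worst

# Constructed seven-day baselines for the three metrics named on the page.
BASELINES = {
    "latency": [100, 102, 98, 101, 99, 100, 100],
    "error_rate": [0.0] * 7,
    "compliance_score": [96, 95, 97, 96, 96, 95, 97],
}
TODAY = {"latency": 102, "error_rate": 0.0, "compliance_score": 94}

if __name__ == "__main__":
    print(assess(BASELINES, TODAY))
```

A flat baseline, such as an error_rate that has always been zero, has no variance, so the example treats any non-zero reading as emergency instead of dividing by zero.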

Risk scorecards (F5, T1+)

Six dimensions roll up to a single grade: compliance, bias, drift, safety, prompt_injection, governance. Aggregated weekly via a BullMQ cron, with a SHA-512 verification hash for tamper evidence.

Grade | Score band
A+ | ≥ 95
A | ≥ 85
B | ≥ 70
C | ≥ 55
D | ≥ 40
F | < 40

Compliance artifacts (F6, T1+)

Generate audit-ready Markdown documents on demand — system cards, model cards, DPAs, privacy policies, safety cases, and transparency reports. Each artifact ships with a SHA-512 verification hash.

POST /v1/compliance/artifacts/generate
GET /v1/compliance/artifacts
GET /v1/compliance/artifacts/:id

Supported types: system_card, model_card, dpa, privacy_policy, safety_case, transparency_report.

Usage analytics (F1, T0+)

Every meaningful action is recorded as a usage event. Available on every tier — including Starter — so the audit trail begins on day one.

  • compliance_check — every real-time check-action call
  • compliance_violation — rule failures
  • compliance_block — blocked outcomes
  • prompt_injection — F7 detections
  • content_safety — F4 scans
  • bias_detection — F2 results
  • drift_detection — F3 alerts
  • risk_scorecard — F5 weekly aggregates
  • agent_lifecycle — F10 transitions
  • compliance_artifact — F6 generations

06

Feature flag gating

Every enterprise feature is gated by a flag and a tier. The gateway checks flags on every request; routes return 403 with AC-1004 when a flag is off for the calling org.

Feature | Flag key | Starter | Pro | Enterprise
Usage Analytics | usage_analytics
Agent Lifecycle | agent_retirement
Prompt Injection | prompt_injection_detection
Content Safety | content_safety
Bias Detection | bias_detection
Drift Monitoring | drift_monitoring
Risk Scorecards | risk_scorecards
Compliance Artifacts | compliance_artifacts
Conditional Access | conditional_access
Retention Policies | retention_policies
Dependency Mapping | dependency_mapping

07

SDKs

Node.js

@agentcompliant/node-sdk

npm install @agentcompliant/node-sdk
Read the Node.js guide →

Python

agentcompliant

pip install agentcompliant
Read the Python guide →

Both SDKs wrap the same gateway base URL and share the same auth model. Source for both is generated from the OpenAPI spec.

08

Regulatory coverage

The compliance catalog ships with 51 regulations across 20 jurisdictions. Rules are mapped to controls and to AICAP document types, so generating an artifact pulls in the right evidence automatically.

US Federal

NIST AI RMF · EO 14110 · FTC Act · ECOA · FCRA · HIPAA · GLBA · SOX · BSA/AML

US State

CCPA / CPRA · NY DFS 500 · Colorado AI Act · Illinois BIPA

EU & UK

EU AI Act · GDPR · UK AI Framework

International

Singapore FEAT · ISO 42001 · OECD AI Principles

09

AICAP framework

The AI Compliance Attestation Passport (AICAP) is the certification framework backing audit-ready evidence. It defines 31 document types, 256 regulation-document mappings, and four certification tiers. Passports are issued, signed, and verifiable through the platform.

Bronze

Foundational

Silver

Operational

Gold

Mature

Platinum

Leading

10

Interactive OpenAPI

The full machine-readable spec is rendered below via Scalar. Every endpoint above is documented here with request/response schemas, examples, and AC-XXXX error codes.