All REST requests go to the gateway at https://api.regentprotocol.org (production) and authenticate with a single header:
    Authorization: Bearer rgnt_<your-api-key>
Or equivalently (some tools prefer the explicit header name):
    X-API-Key: rgnt_<your-api-key>
Get an API key
From the dashboard: API Keys → Create API Key. The rgnt_… value is shown once.
Smoke test
    curl https://api.regentprotocol.org/v1/organizations/<org-id>/agents \
      -H "Authorization: Bearer rgnt_..."
A 200 with a JSON array (possibly empty) means auth and org scoping are both working.
A 401 means the key is missing/expired. A 403 with code: NOT_A_MEMBER means the key is for a different org than the one in the path.
Org scoping
Every /v1/organizations/{org_id}/... endpoint requires the org ID to match the org your API key is scoped to. The gateway enforces this server-side — you can’t access another org’s data even if you guess UUIDs.
Rate limits
Default per-key limits during the demo phase:
| Bucket | Limit |
|---|---|
| Read endpoints | 100 req/s |
| Write endpoints | 50 req/s |
| Authorize endpoint | 200 req/s (mandate decisions are tight loops) |
Rate-limited responses return 429 RATE_LIMITED with a Retry-After header.
Error format
Every non-2xx returns the same shape:
    {
      "detail": {
        "code": "MANDATE_LIMIT_EXCEEDED",
        "message": "Amount 200 exceeds per-transaction limit 50",
        "authorization_id": "abc..."
      }
    }
See the error code reference for the full list.
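One way a client can act on the status codes, the Retry-After header and the error shape described above. This is an added example, not Regent's own code; the function name, the outcome labels, the two backoff constants and the reading of Retry-After as whole seconds are assumptions.

```python
import json

DEFAULT_BACKOFF_S = 1.0  # assumption: used when Retry-After is absent or not an integer
MAX_BACKOFF_S = 30.0     # assumption: client-side cap, not a documented gateway value

def classify_response(status, headers, body):
    """Map one gateway response to (outcome, info) using the rules on this page."""
    if 200 <= status < 300:
        return ("ok", json.loads(body) if body else None)
    # Every non-2xx body has the shape {"detail": {"code": ..., "message": ...}}.
    try:
        detail = json.loads(body)["detail"]
    except (ValueError, KeyError, TypeError):
        detail = {}  # tolerate an empty or malformed body instead of crashing
    if not isinstance(detail, dict):
        detail = {}
    code = detail.get("code")
    info = {"code": code, "message": detail.get("message")}
    if "authorization_id" in detail:
        info["authorization_id"] = detail["authorization_id"]
    if status == 401:
        return ("key_missing_or_expired", info)   # do not retry; fix the key
    if status == 403 and code == "NOT_A_MEMBER":
        return ("key_scoped_to_other_org", info)  # org ID in the path is wrong
    if status == 429:
        lowered = {k.lower(): v for k, v in headers.items()}
        try:
            wait = int(lowered.get("retry-after", ""))
        except ValueError:
            wait = DEFAULT_BACKOFF_S
        info["retry_after_s"] = min(max(wait, 0.0), MAX_BACKOFF_S)
        return ("rate_limited", info)
    return ("error", info)

if __name__ == "__main__":
    # Constructed sample: the status code 400 is a placeholder, the body is the page's example.
    sample = ('{"detail": {"code": "MANDATE_LIMIT_EXCEEDED", '
              '"message": "Amount 200 exceeds per-transaction limit 50", '
              '"authorization_id": "abc..."}}')
    print(classify_response(400, {}, sample))
    print(classify_response(429, {"Retry-After": "2"}, ""))
```

Log the returned `info`, never the request headers, so the rgnt_ key stays out of log files.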