Neutral, trustworthy infrastructure for verifiable delegated authority between humans and AI agents.
Lists onboarding access requests. Supports optional status filtering (PENDING, APPROVED, REJECTED) and cursor-based pagination. Requires Cognito JWT with mandaitor-admins group membership.
| status | string Enum: "PENDING" "APPROVED" "REJECTED" Filter by request status |
| limit | integer [ 1 .. 200 ] Default: 50 |
| cursor | string Base64url-encoded pagination cursor |
{
  "requests": [
    {
      "request_id": "string",
      "company_name": "string",
      "contact_name": "string",
      "contact_email": "user@example.com",
      "use_case": "string",
      "status": "PENDING",
      "submitted_at": "2019-08-24T14:15:22Z",
      "reviewed_at": "2019-08-24T14:15:22Z",
      "reviewed_by": "string",
      "tenant_id": "string"
    }
  ],
  "next_cursor": "string"
}

Processes an admin action on an onboarding request.
Supported values for {action}: approve, reject.
| requestId required | string |
| action required | string Enum: "approve" "reject" |
| notes | string |
{
  "notes": "string"
}
{
  "tenant_id": "string",
  "company_name": "string",
  "plan": "string",
  "status": "ACTIVE",
  "created_at": "2019-08-24T14:15:22Z",
  "api_keys": [
    {
      "key_id": "string",
      "name": "string",
      "scopes": ["string"],
      "created_at": "2019-08-24T14:15:22Z"
    }
  ]
}

EMERGENCY OPERATION — Immediately revokes all ACTIVE and SUSPENDED mandates for a tenant. This is an irreversible bulk operation intended for security incidents, compliance breaches, or contract terminations.
Requires Cognito JWT with mandaitor-admins group membership.
A MANDATE_REVOKED audit event is emitted per mandate with
details.kill_switch_triggered = true.
| id required | string Example: tnt_ABC123 |
| reason required | string Mandatory reason for the emergency kill-switch |
{
  "reason": "Security incident — unauthorized access detected"
}
{
  "tenant_id": "string",
  "revoked_count": 0,
  "skipped_count": 0,
  "execution_id": "string",
  "timestamp": "2019-08-24T14:15:22Z"
}

Returns the current system mode (growth, sustain, maintenance, frozen)
and associated metadata. Requires Cognito JWT with mandaitor-admins
group membership.
{
  "mode": "growth",
  "reason": "Default operational mode",
  "changed_at": "2019-08-24T14:15:22Z",
  "changed_by": "string",
  "estimated_duration_minutes": 0
}

Changes the system operational mode. This immediately affects all API endpoints:
Mode changes propagate within ~10 seconds via in-memory cache TTL.
Requires Cognito JWT with mandaitor-admins group membership.
| mode required | string Enum: "growth" "sustain" "maintenance" "frozen" |
| reason | string |
| estimated_duration_minutes | integer |
{
  "mode": "maintenance",
  "reason": "CDK stack update — estimated 30 minutes",
  "estimated_duration_minutes": 30
}
{
  "mode": "growth",
  "reason": "Default operational mode",
  "changed_at": "2019-08-24T14:15:22Z",
  "changed_by": "string",
  "estimated_duration_minutes": 0
}

Creates a new OpenID4VP session for EUDI Wallet identity verification. Returns a QR code URI (cross-device) and deep link URI (same-device) that the user scans/opens with their EUDI Wallet.
| presentation_definition_id | string Default: "mandaitor-pid-standard" Enum: "mandaitor-pid-minimal" "mandaitor-pid-standard" "mandaitor-pid-delegation" ID of the presentation definition to use |
{
  "presentation_definition_id": "mandaitor-pid-minimal"
}
{
  "session_id": "eudi_01HXYZ...",
  "status": "PENDING",
  "qr_code_uri": "string",
  "deep_link_uri": "string",
  "expires_at": "2019-08-24T14:15:22Z"
}

Polls the status of an EUDI Wallet verification session. Returns the resolved identity when the session is completed.
| sessionId required | string |
{
  "session_id": "string",
  "status": "PENDING",
  "created_at": "2019-08-24T14:15:22Z",
  "presentation_definition_id": "string",
  "resolved_identity": {
    "subject_id": "eudi:DE/1234567890abcdef",
    "subject_type": "NATURAL_PERSON",
    "provider": "EUDI_WALLET",
    "display_name": "string",
    "assurance_level": "HIGH",
    "eidas_attributes": {
      "unique_id": "string",
      "family_name": "string",
      "given_name": "string",
      "birth_date": "2019-08-24",
      "nationality": "string",
      "pid_issuer": "string",
      "issuing_country": "string",
      "assurance_level": "LOW"
    }
  },
  "verified_at": "2019-08-24T14:15:22Z",
  "errors": ["string"]
}

Receives the VP Token from the EUDI Wallet via direct_post response mode. This endpoint is called by the wallet after user consent. No authentication required as the wallet POSTs directly.
| sessionId required | string |
| vp_token required | string The VP Token (SD-JWT VC compact serialization) |
| presentation_submission | object DIF Presentation Submission mapping |
{
  "vp_token": "string",
  "presentation_submission": { }
}
{
  "status": "COMPLETED",
  "session_id": "string"
}

Serves the signed JWT Authorization Request Object that the EUDI Wallet fetches after scanning the QR code. Returns the JWT directly with content type application/oauth-authz-req+jwt.
| requestId required | string |
{
  "error": "BAD_REQUEST",
  "message": "principal and delegate are required"
}

Returns a paginated list of audit events for a specific mandate. Events form an immutable, hash-chained audit trail.
| id required | string Example: mdt_01HXYZ... |
| limit | integer [ 1 .. 200 ] Default: 50 |
| cursor | string Base64url-encoded pagination cursor |
{
  "items": [
    {
      "event_id": "string",
      "tenant_id": "string",
      "mandate_id": "string",
      "event_type": "MANDATE_CREATED",
      "timestamp": "2019-08-24T14:15:22Z",
      "actor": {
        "type": "HUMAN",
        "subject_id": "monco:agent:validate-agent-v2",
        "display_name": "string",
        "identity_provider": "string",
        "identity_token_hash": "string"
      },
      "details": { },
      "previous_event_hash": "string",
      "event_hash": "string",
      "kms_signature": "string",
      "hash_algorithm": "SHA_256",
      "signing_algorithm": "RSASSA_PSS_SHA_256"
    }
  ],
  "next_cursor": "string"
}

Queries all audit events for the authenticated tenant, filtered by mandate_id. Supports optional event_type filtering and cursor-based pagination.
| mandate_id required | string Mandate ID to filter events by |
| event_type | string Enum: "MANDATE_CREATED" "MANDATE_SUSPENDED" "MANDATE_REACTIVATED" "MANDATE_REVOKED" "VERIFICATION_ALLOWED" "VERIFICATION_DENIED" "ESCALATION_TRIGGERED" |
| limit | integer [ 1 .. 200 ] Default: 50 |
| cursor | string Base64url-encoded pagination cursor |
{
  "items": [
    {
      "event_id": "string",
      "tenant_id": "string",
      "mandate_id": "string",
      "event_type": "MANDATE_CREATED",
      "timestamp": "2019-08-24T14:15:22Z",
      "actor": {
        "type": "HUMAN",
        "subject_id": "monco:agent:validate-agent-v2",
        "display_name": "string",
        "identity_provider": "string",
        "identity_token_hash": "string"
      },
      "details": { },
      "previous_event_hash": "string",
      "event_hash": "string",
      "kms_signature": "string",
      "hash_algorithm": "SHA_256",
      "signing_algorithm": "RSASSA_PSS_SHA_256"
    }
  ],
  "next_cursor": "string"
}

Retrieves a single audit event by its ID. Requires the mandate_id query parameter to locate the event in the partition.
| id required | string Example: evt_01HXYZ... |
| mandate_id required | string Mandate ID the event belongs to |
{
  "event_id": "string",
  "tenant_id": "string",
  "mandate_id": "string",
  "event_type": "MANDATE_CREATED",
  "timestamp": "2019-08-24T14:15:22Z",
  "actor": {
    "type": "HUMAN",
    "subject_id": "monco:agent:validate-agent-v2",
    "display_name": "string",
    "identity_provider": "string",
    "identity_token_hash": "string"
  },
  "details": { },
  "previous_event_hash": "string",
  "event_hash": "string",
  "kms_signature": "string",
  "hash_algorithm": "SHA_256",
  "signing_algorithm": "RSASSA_PSS_SHA_256"
}

Exports a comprehensive, court-ready evidence pack for a mandate containing:
The case_log_hash is a deterministic SHA-256 digest computed over the
canonical JSON representation of the event chain, enabling tamper detection.
The schema_version field allows forward-compatible evolution of the pack format.
| id required | string Example: mdt_01HXYZ... |
| event_id | string Scope the evidence pack to a specific verification event |
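A consumer-side integrity check for the evidence pack described above, as an added Python example (not Mandaitor's own code). It checks the previous_event_hash links, the chain_integrity fields and case_log_hash; the canonicalization (sorted keys, compact separators), the hex encoding and every sample value are assumptions, since the page does not define them.

```python
import copy
import hashlib
import json


def canonical_json(obj):
    # ASSUMPTION: "canonical JSON" means sorted keys, compact separators, UTF-8.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def case_log_hash(event_chain):
    # ASSUMPTION: the digest covers the whole event_chain array and is hex-encoded.
    return hashlib.sha256(canonical_json(event_chain)).hexdigest()


def verify_evidence_pack(pack):
    """Return a list of findings; an empty list means the pack is self-consistent."""
    findings = []
    chain = pack.get("event_chain") or []
    if pack.get("event_count") != len(chain):
        findings.append("event_count %r but %d events present"
                        % (pack.get("event_count"), len(chain)))
    if not chain:
        return findings + ["event_chain is empty"]

    seen_ids = set()
    for i, event in enumerate(chain):
        for field in ("tenant_id", "mandate_id"):
            if event.get(field) != pack.get(field):
                findings.append("event %d: %s differs from the pack" % (i, field))
        if event.get("event_id") in seen_ids:
            findings.append("event %d: duplicate event_id" % i)
        seen_ids.add(event.get("event_id"))
        # Linkage: every event must carry the hash of the event before it.
        # event_hash itself is not recomputed (its preimage is not documented),
        # and kms_signature must be verified separately with the KMS public key.
        if i > 0 and event.get("previous_event_hash") != chain[i - 1].get("event_hash"):
            findings.append("event %d: previous_event_hash does not match event %d"
                            % (i, i - 1))

    integrity = pack.get("chain_integrity") or {}
    if integrity.get("first_event_hash") != chain[0].get("event_hash"):
        findings.append("chain_integrity.first_event_hash mismatch")
    if integrity.get("last_event_hash") != chain[-1].get("event_hash"):
        findings.append("chain_integrity.last_event_hash mismatch")
    if pack.get("case_log_hash") != case_log_hash(chain):
        findings.append("case_log_hash mismatch")
    return findings


def build_sample_pack():
    """Constructed sample data for the demo, not real Mandaitor output."""
    chain, previous = [], None
    for n, event_type in enumerate(
            ["MANDATE_CREATED", "VERIFICATION_ALLOWED", "MANDATE_REVOKED"]):
        event = {"event_id": "evt_sample_%d" % n, "tenant_id": "tnt_sample",
                 "mandate_id": "mdt_sample", "event_type": event_type,
                 "timestamp": "2024-01-0%dT00:00:00Z" % (n + 1),
                 "details": {}, "previous_event_hash": previous}
        # Placeholder hash so the sample has stable, distinct values.
        event["event_hash"] = hashlib.sha256(canonical_json(event)).hexdigest()
        previous = event["event_hash"]
        chain.append(event)
    return {"schema_version": "1.1.0", "tenant_id": "tnt_sample",
            "mandate_id": "mdt_sample", "event_chain": chain,
            "event_count": len(chain), "case_log_hash": case_log_hash(chain),
            "chain_integrity": {"first_event_hash": chain[0]["event_hash"],
                                "last_event_hash": chain[-1]["event_hash"],
                                "genesis_verified": True}}


if __name__ == "__main__":
    pack = build_sample_pack()
    print("untouched:", verify_evidence_pack(pack))
    edited = copy.deepcopy(pack)
    edited["event_chain"][1]["event_type"] = "VERIFICATION_DENIED"
    print("edited event:", verify_evidence_pack(edited))
    dropped = copy.deepcopy(pack)
    del dropped["event_chain"][1]
    print("dropped event:", verify_evidence_pack(dropped))
```
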
{
  "schema_version": "1.1.0",
  "export_timestamp": "2019-08-24T14:15:22Z",
  "tenant_id": "string",
  "mandate_id": "string",
  "mandate_snapshot": { },
  "event_chain": [
    {
      "event_id": "string",
      "tenant_id": "string",
      "mandate_id": "string",
      "event_type": "MANDATE_CREATED",
      "timestamp": "2019-08-24T14:15:22Z",
      "actor": {
        "type": "HUMAN",
        "subject_id": "monco:agent:validate-agent-v2",
        "display_name": "string",
        "identity_provider": "string",
        "identity_token_hash": "string"
      },
      "details": { },
      "previous_event_hash": "string",
      "event_hash": "string",
      "kms_signature": "string",
      "hash_algorithm": "SHA_256",
      "signing_algorithm": "RSASSA_PSS_SHA_256"
    }
  ],
  "event_count": 0,
  "case_log_hash": "string",
  "chain_integrity": {
    "first_event_hash": "string",
    "last_event_hash": "string",
    "genesis_verified": true
  },
  "issuer": {
    "did": "did:web:api.mandaitor.io"
  },
  "proof_tokens": ["string"],
  "crypto_metadata": {
    "hash_algorithm": "SHA_256",
    "signing_algorithm": "RSASSA_PSS_SHA_256",
    "case_log_hash_algorithm": "SHA_256"
  },
  "metadata": {
    "mandate_created_at": "2019-08-24T14:15:22Z",
    "mandate_status": "string",
    "export_requested_by": "string",
    "event_id_filter": "string"
  }
}

| id required | string |
{
  "tenant_id": "string",
  "identity_providers": {
    "enabled_providers": ["API_KEY"],
    "auth0": {
      "domain": "your-tenant.auth0.com",
      "audience": "string",
      "client_id": "string"
    },
    "entra": {
      "tenant_id": "34f5c98e-f430-457b-a812-92637d0c6fd0",
      "client_id": "5b3fa7ba-57d3-4017-a65b-d57dcd2db643"
    },
    "eudi": {
      "rp_id": "string",
      "presentation_policies": ["string"]
    },
    "google": {
      "client_id": "xxxx.apps.googleusercontent.com",
      "hosted_domain": "company.com"
    },
    "aws_iam_idc": {
      "audience": "string"
    },
    "generic_oidc": {
      "name": "Keycloak",
      "audience": "mandaitor-client",
      "subject_prefix": "keycloak"
    }
  }
}

| id required | string |
| enabled_providers required | Array of strings Items Enum: "API_KEY" "COGNITO" "EUDI_WALLET" "AUTH0" "OKTA" "ENTRA_ID" "GOOGLE" "AWS_IAM_IDC" "GENERIC_OIDC" |
object | |
object | |
object | |
object | |
object | |
object | |
object |
{
  "enabled_providers": ["API_KEY"],
  "auth0": {
    "domain": "your-tenant.auth0.com",
    "audience": "string",
    "client_id": "string"
  },
  "entra": {
    "tenant_id": "34f5c98e-f430-457b-a812-92637d0c6fd0",
    "client_id": "5b3fa7ba-57d3-4017-a65b-d57dcd2db643"
  },
  "eudi": {
    "rp_id": "string",
    "presentation_policies": ["string"]
  },
  "google": {
    "client_id": "xxxx.apps.googleusercontent.com",
    "hosted_domain": "company.com"
  },
  "aws_iam_idc": {
    "audience": "string"
  },
  "generic_oidc": {
    "name": "Keycloak",
    "audience": "mandaitor-client",
    "subject_prefix": "keycloak"
  }
}
{
  "tenant_id": "string",
  "identity_providers": {
    "enabled_providers": ["API_KEY"],
    "auth0": {
      "domain": "your-tenant.auth0.com",
      "audience": "string",
      "client_id": "string"
    },
    "entra": {
      "tenant_id": "34f5c98e-f430-457b-a812-92637d0c6fd0",
      "client_id": "5b3fa7ba-57d3-4017-a65b-d57dcd2db643"
    },
    "eudi": {
      "rp_id": "string",
      "presentation_policies": ["string"]
    },
    "google": {
      "client_id": "xxxx.apps.googleusercontent.com",
      "hosted_domain": "company.com"
    },
    "aws_iam_idc": {
      "audience": "string"
    },
    "generic_oidc": {
      "name": "Keycloak",
      "audience": "mandaitor-client",
      "subject_prefix": "keycloak"
    }
  }
}

Exchange a user's access token for a scoped delegation token. Implements RFC 8693 Token Exchange for On-Behalf-Of (OBO) flows where AI agents act on behalf of authenticated users.
| subject_token required | string The original user's access token |
| subject_token_type | string Default: "urn:ietf:params:oauth:token-type:access_token" |
| mandate_id required | string Mandate ID that authorizes the delegation |
| scope | string |
| audience | string |
{
  "subject_token": "string",
  "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "mandate_id": "string",
  "scope": "string",
  "audience": "string"
}
{
  "access_token": "string",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "string",
  "issued_token_type": "string",
  "delegation": {
    "mandate_id": "string",
    "principal": "string",
    "delegate": "string",
    "provider": "string"
  }
}

Creates a new delegation mandate between a principal and a delegate. The mandate defines the scope of delegated authority, optional constraints, and an expiration date. A KMS-signed audit event is emitted on success.
| principal required | object (Subject) Represents an entity (human, AI agent, service, or organization) that participates in a mandate as either principal or delegate. |
| delegate required | object (Subject) Represents an entity (human, AI agent, service, or organization) that participates in a mandate as either principal or delegate. |
| scope required | object (Scope) Defines the actions, resources, and effect (ALLOW/DENY) that a mandate authorizes, with optional conditions. |
| constraints | object (Constraints) Optional restrictions on mandate usage including time windows, geographic fencing, MFA requirements, IP whitelisting, and escalation rules. |
| metadata | object |
| expires_at | string <date-time> |
| taxonomy_id | string Taxonomy identifier to validate the mandate scope against (e.g., "construction", "realestate", "venture"). |
| taxonomy_version | string^[a-z][a-z0-9-]*(@\d+\.\d+\.\d+(-[a-z0-9.]+)?... Versioned taxonomy reference. Accepts either a plain ID (uses latest version)
or |
| require_approval | boolean Default: false When true, the mandate starts in PENDING_APPROVAL status and requires explicit approval before becoming ACTIVE. |
{
  "principal": {
    "type": "HUMAN",
    "subject_id": "monco:agent:validate-agent-v2",
    "display_name": "string",
    "identity_provider": "string",
    "identity_token_hash": "string"
  },
  "delegate": {
    "type": "HUMAN",
    "subject_id": "monco:agent:validate-agent-v2",
    "display_name": "string",
    "identity_provider": "string",
    "identity_token_hash": "string"
  },
  "scope": {
    "actions": ["construction.validation.approve"],
    "resources": ["monco:project:*/zone:*/installation:*"],
    "effect": "ALLOW",
    "conditions": { }
  },
  "constraints": {
    "max_uses": 0,
    "time_window": {
      "start": "2019-08-24T14:15:22Z",
      "end": "2019-08-24T14:15:22Z"
    },
    "geo_fence": {
      "allowed_regions": ["string"]
    },
    "require_mfa": true,
    "ip_whitelist": ["string"],
    "escalation_rules": {
      "deviation_above_percent": 0,
      "escalate_to": "string",
      "escalation_method": "string"
    }
  },
  "metadata": { },
  "expires_at": "2019-08-24T14:15:22Z",
  "taxonomy_id": "construction",
  "taxonomy_version": "construction@2.0.0",
  "require_approval": false
}
{
  "mandate_id": "mdt_01HXYZ...",
  "tenant_id": "string",
  "version": 0,
  "status": "DRAFT",
  "principal": {
    "type": "HUMAN",
    "subject_id": "monco:agent:validate-agent-v2",
    "display_name": "string",
    "identity_provider": "string",
    "identity_token_hash": "string"
  },
  "delegate": {
    "type": "HUMAN",
    "subject_id": "monco:agent:validate-agent-v2",
    "display_name": "string",
    "identity_provider": "string",
    "identity_token_hash": "string"
  },
  "scope": {
    "actions": ["construction.validation.approve"],
    "resources": ["monco:project:*/zone:*/installation:*"],
    "effect": "ALLOW",
    "conditions": { }
  },
  "constraints": {
    "max_uses": 0,
    "time_window": {
      "start": "2019-08-24T14:15:22Z",
      "end": "2019-08-24T14:15:22Z"
    },
    "geo_fence": {
      "allowed_regions": ["string"]
    },
    "require_mfa": true,
    "ip_whitelist": ["string"],
    "escalation_rules": {
      "deviation_above_percent": 0,
      "escalate_to": "string",
      "escalation_method": "string"
    }
  },
  "proof": {
    "creation_method": "API_KEY",
    "issuer": "string",
    "created_by": "string",
    "mandate_hash": "string",
    "signature": "string",
    "eidas_loa": "string"
  },
  "metadata": { },
  "created_at": "2019-08-24T14:15:22Z",
  "updated_at": "2019-08-24T14:15:22Z",
  "expires_at": "2019-08-24T14:15:22Z"
}

Returns a paginated list of mandates for the authenticated tenant. Supports optional filtering by status and cursor-based pagination.
| status | string Enum: "DRAFT" "ACTIVE" "SUSPENDED" "REVOKED" "EXPIRED" |
| limit | integer [ 1 .. 200 ] Default: 50 |
| cursor | string Base64url-encoded pagination cursor |
{
  "items": [
    {
      "mandate_id": "mdt_01HXYZ...",
      "tenant_id": "string",
      "version": 0,
      "status": "DRAFT",
      "principal": {
        "type": "HUMAN",
        "subject_id": "monco:agent:validate-agent-v2",
        "display_name": "string",
        "identity_provider": "string",
        "identity_token_hash": "string"
      },
      "delegate": {
        "type": "HUMAN",
        "subject_id": "monco:agent:validate-agent-v2",
        "display_name": "string",
        "identity_provider": "string",
        "identity_token_hash": "string"
      },
      "scope": {
        "actions": ["construction.validation.approve"],
        "resources": ["monco:project:*/zone:*/installation:*"],
        "effect": "ALLOW",
        "conditions": { }
      },
      "constraints": {
        "max_uses": 0,
        "time_window": {
          "start": "2019-08-24T14:15:22Z",
          "end": "2019-08-24T14:15:22Z"
        },
        "geo_fence": {
          "allowed_regions": ["string"]
        },
        "require_mfa": true,
        "ip_whitelist": ["string"],
        "escalation_rules": {
          "deviation_above_percent": 0,
          "escalate_to": "string",
          "escalation_method": "string"
        }
      },
      "proof": {
        "creation_method": "API_KEY",
        "issuer": "string",
        "created_by": "string",
        "mandate_hash": "string",
        "signature": "string",
        "eidas_loa": "string"
      },
      "metadata": { },
      "created_at": "2019-08-24T14:15:22Z",
      "updated_at": "2019-08-24T14:15:22Z",
      "expires_at": "2019-08-24T14:15:22Z"
    }
  ],
  "next_cursor": "string"
}

Retrieves a single mandate by its ID. Returns the full mandate record including principal, delegate, scope, constraints, and proof metadata.
| id required | string Example: mdt_01HXYZ... |
{
  "mandate_id": "mdt_01HXYZ...",
  "tenant_id": "string",
  "version": 0,
  "status": "DRAFT",
  "principal": {
    "type": "HUMAN",
    "subject_id": "monco:agent:validate-agent-v2",
    "display_name": "string",
    "identity_provider": "string",
    "identity_token_hash": "string"
  },
  "delegate": {
    "type": "HUMAN",
    "subject_id": "monco:agent:validate-agent-v2",
    "display_name": "string",
    "identity_provider": "string",
    "identity_token_hash": "string"
  },
  "scope": {
    "actions": ["construction.validation.approve"],
    "resources": ["monco:project:*/zone:*/installation:*"],
    "effect": "ALLOW",
    "conditions": { }
  },
  "constraints": {
    "max_uses": 0,
    "time_window": {
      "start": "2019-08-24T14:15:22Z",
      "end": "2019-08-24T14:15:22Z"
    },
    "geo_fence": {
      "allowed_regions": ["string"]
    },
    "require_mfa": true,
    "ip_whitelist": ["string"],
    "escalation_rules": {
      "deviation_above_percent": 0,
      "escalate_to": "string",
      "escalation_method": "string"
    }
  },
  "proof": {
    "creation_method": "API_KEY",
    "issuer": "string",
    "created_by": "string",
    "mandate_hash": "string",
    "signature": "string",
    "eidas_loa": "string"
  },
  "metadata": { },
  "created_at": "2019-08-24T14:15:22Z",
  "updated_at": "2019-08-24T14:15:22Z",
  "expires_at": "2019-08-24T14:15:22Z"
}

Permanently revokes a mandate. Only active or suspended mandates can be revoked. An optional reason can be provided. A KMS-signed audit event is emitted.
| id required | string Example: mdt_01HXYZ... |
| reason | string |
{
  "reason": "Contract terminated"
}
{
  "mandate_id": "string",
  "status": "string",
  "updated_at": "2019-08-24T14:15:22Z"
}

Temporarily suspends an active mandate. Suspended mandates can be reactivated later. An optional reason can be provided.
| id required | string Example: mdt_01HXYZ... |
| reason | string |
{
  "reason": "Under review"
}
{
  "mandate_id": "string",
  "status": "string",
  "updated_at": "2019-08-24T14:15:22Z"
}

Reactivates a previously suspended mandate, returning it to ACTIVE status. Only mandates in SUSPENDED state can be reactivated.
| id required | string Example: mdt_01HXYZ... |
{
  "mandate_id": "string",
  "status": "string",
  "updated_at": "2019-08-24T14:15:22Z"
}

Approves a mandate that is in PENDING_APPROVAL state, transitioning it
to ACTIVE. Only mandates created with require_approval: true enter
this state. An audit event (MANDATE_APPROVED) is emitted.
| id required | string Example: mdt_01HXYZ... |
| reason | string Optional reason/notes for the approval |
{
  "reason": "string"
}
{
  "mandate_id": "string",
  "status": "string",
  "updated_at": "2019-08-24T14:15:22Z"
}

Rejects a mandate that is in PENDING_APPROVAL state, transitioning it to REVOKED. An audit event (MANDATE_REJECTED) is emitted.
| id required | string Example: mdt_01HXYZ... |
| reason | string Reason for rejection |
{
  "reason": "string"
}
{
  "mandate_id": "string",
  "status": "string",
  "updated_at": "2019-08-24T14:15:22Z"
}

Submits a new tenant access request. No authentication required. The request enters PENDING state and must be approved by an admin.
| company_name required | string |
| contact_name | string |
| contact_email required | string <email> |
| use_case required | string |
| industry | string Enum: "construction" "real_estate" "venture_capital" "other" |
| website | string <uri> |
{
  "company_name": "monco GmbH",
  "contact_name": "Max Mustermann",
  "contact_email": "max@monco.ai",
  "use_case": "AI agent delegation for construction validation",
  "industry": "construction"
}
{
  "request_id": "string",
  "status": "PENDING",
  "message": "string"
}

Generates a new API key for a tenant. The raw key is returned only once in the response and cannot be retrieved again. Requires Cognito JWT.
| id required | string |
| name | string |
| scopes | Array of strings |
{
  "name": "production-key",
  "scopes": [
    "mandates:read",
    "mandates:write",
    "verify"
  ]
}
{
  "key_id": "string",
  "api_key": "string",
  "name": "string",
  "scopes": ["string"],
  "created_at": "2019-08-24T14:15:22Z"
}

Returns service health status. No sensitive data is exposed. Suitable for monitoring, load balancers, and Trust Center embedding.
{
  "status": "ok",
  "timestamp": "2019-08-24T14:15:22Z",
  "version": "1.2.3-beta.1",
  "stage": "prod"
}

Returns the W3C DID Document for the Mandaitor issuer DID (did:web:api.mandaitor.io). Contains the public key used to verify Proof-of-Mandate SD-JWT VCs.
{
  "@context": ["string"],
  "id": "did:web:api.mandaitor.io",
  "verificationMethod": [
    { }
  ],
  "authentication": ["string"],
  "assertionMethod": ["string"],
  "service": [
    { }
  ]
}

Returns machine-readable trust metadata including region, partition, issuer DID, data residency claims, and supported open standards. Unauthenticated and cache-friendly (5-minute client, 10-minute CDN).
{
  "schema_version": "1.0.0",
  "region": "eusc-de-east-1",
  "partition": "aws-eusc",
  "issuer_did": "did:web:api.mandaitor.io",
  "data_residency": {
    "primary_region": "string",
    "partition": "string",
    "jurisdiction": "EU (European Sovereign Cloud)"
  },
  "open_standards": ["string"],
  "build_version": "string",
  "stage": "string",
  "timestamp": "2019-08-24T14:15:22Z"
}

Returns the public-safe widget configuration for embedding. No authentication required. Sensitive fields (secrets, internal IDs) are stripped from the response.
| widgetId required | string |
{
  "widget_id": "string",
  "tenant_name": "string",
  "branding": { },
  "enabled_idps": ["string"],
  "taxonomy_libraries": ["string"]
}

| userId required | string |
{ }
{
  "error": "BAD_REQUEST",
  "message": "principal and delegate are required"
}

| userId required | string |
{ }
{
  "error": "BAD_REQUEST",
  "message": "principal and delegate are required"
}

Performance-critical endpoint. Target: < 50ms p99 latency (without PoM), < 200ms p99 (with PoM). Returns ALLOW or DENY with optional escalation metadata and an optional Proof-of-Mandate Verifiable Credential.
| pom | string Value: "sd-jwt-vc" Request a Proof-of-Mandate Verifiable Credential in the response. The VC is an SD-JWT signed by the Mandaitor issuer DID. |
| delegate_subject_id | string Canonical field. Subject ID of the delegate to verify. |
| agent_id | string Deprecated Deprecated legacy alias for |
| action required | string |
| resource required | string |
| context | object Additional context for constraint evaluation. When a mandate has
|
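Checks a relying service can run on the proof_of_mandate.compact value before acting on it, as an added Python example (not code from Mandaitor). It covers the header and claim checks and the SD-JWT disclosure-digest match; signature verification is out of scope here, and the top-level _sd array, the 300-second lifetime and every sample value are assumptions.

```python
import base64
import hashlib
import json
import time

EXPECTED_ISS = "did:web:api.mandaitor.io"  # issuer DID given on the page
EXPECTED_VCT = "ProofOfMandate"


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def disclosure_digest(disclosure):
    # SD-JWT hashes the base64url text of the disclosure, not its decoded JSON.
    return b64url_encode(hashlib.sha256(disclosure.encode("ascii")).digest())


def check_pom(compact, now=None):
    """Check a Proof-of-Mandate SD-JWT VC; returns (claims, findings).

    The signature is NOT verified here: do that first, with the DID document key.
    """
    now = time.time() if now is None else now
    parts = compact.split("~")
    if len(parts) < 2:
        return {}, ["no '~' separator: not an SD-JWT"]
    jwt, disclosures, tail = parts[0], parts[1:-1], parts[-1]
    findings = ["unexpected data after the last '~'"] if tail else []
    try:
        header_b64, payload_b64, _signature = jwt.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:
        return {}, findings + ["issuer-signed JWT is malformed"]
    # alg, typ and _sd_alg values as shown in the page's sample token.
    expected = [(header, "alg", "PS256"), (header, "typ", "vc+sd-jwt"),
                (payload, "iss", EXPECTED_ISS), (payload, "vct", EXPECTED_VCT),
                (payload, "_sd_alg", "sha-256")]
    for source, key, want in expected:
        if source.get(key) != want:
            findings.append("unexpected %s %r" % (key, source.get(key)))
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        findings.append("exp missing or in the past")
    # ASSUMPTION: disclosable claims are referenced from a top-level _sd array.
    sd_digests = payload.get("_sd", [])
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for i, disclosure in enumerate(disclosures):
        try:
            if disclosure_digest(disclosure) not in sd_digests:
                findings.append("disclosure %d is not referenced by _sd" % i)
                continue
            _salt, name, value = json.loads(b64url_decode(disclosure))
        except (ValueError, TypeError):
            findings.append("disclosure %d is malformed" % i)
            continue
        if not isinstance(name, str) or name in claims:
            findings.append("disclosure %d has an invalid or colliding name" % i)
            continue
        claims[name] = value
    return claims, findings


def build_sample_pom(now):
    """Constructed token with a dummy signature, for exercising the checks only."""
    pairs = [("requested_action", "construction.validation.approve"),
             ("principal_subject_id", "user:sample")]
    disclosures = [b64url_encode(json.dumps(["salt-%d" % i, k, v]).encode("utf-8"))
                   for i, (k, v) in enumerate(pairs)]
    header = {"alg": "PS256", "typ": "vc+sd-jwt"}
    payload = {"vct": EXPECTED_VCT, "iss": EXPECTED_ISS, "decision": "ALLOW",
               "iat": int(now), "exp": int(now) + 300, "_sd_alg": "sha-256",
               "_sd": [disclosure_digest(d) for d in disclosures]}
    jwt = ".".join(b64url_encode(json.dumps(part).encode("utf-8"))
                   for part in (header, payload)) + ".c2ln"
    return "~".join([jwt] + disclosures) + "~"


if __name__ == "__main__":
    claims, findings = check_pom(build_sample_pom(time.time()))
    print(findings, claims["decision"], claims["requested_action"])
```

A disclosure appended by anyone other than the issuer has no digest in _sd, so it is reported and never merged into the claims.
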
{
  "delegate_subject_id": "monco:agent:validate-agent-v2",
  "agent_id": "monco:agent:validate-agent-v2",
  "action": "construction.validation.approve",
  "resource": "monco:project:proj_ABC123/zone:EG/installation:stk_42",
  "context": { }
}
{
  "decision": "ALLOW",
  "mandate_id": "string",
  "event_id": "string",
  "reason_codes": ["NO_MATCHING_MANDATE"],
  "constraints_remaining": { },
  "proof_of_mandate": {
    "compact": "eyJhbGciOiJQUzI1NiIsInR5cCI6InZjK3NkLWp3dCJ9.eyJ2Y3QiOiJQcm9vZk9mTWFuZGF0ZSJ9.sig~disc1~disc2~",
    "payload": {
      "vct": "ProofOfMandate",
      "decision": "ALLOW",
      "mandate_id": "string",
      "verification_event_id": "string",
      "verification_timestamp": "2019-08-24T14:15:22Z",
      "requested_action": "string",
      "requested_resource": "string",
      "delegate_subject_id": "string",
      "principal_subject_id": "string",
      "tenant_id": "string",
      "reason_codes": ["string"],
      "constraints_snapshot": { },
      "latency_ms": 0,
      "iss": "did:web:api.mandaitor.io",
      "sub": "string",
      "iat": 0,
      "exp": 0,
      "_sd_alg": "sha-256"
    }
  },
  "proof_token": "string"
}

Retrieves the widget configuration for a tenant. Returns the latest version by default, or a specific version if the version query parameter is provided.
| id required | string |
{
  "tenant_id": "string",
  "widget_id": "string",
  "identity_providers": [
    {
      "provider": "eidas_eudi",
      "enabled": true,
      "config": { }
    }
  ],
  "taxonomy_libraries": ["@mandaitor/taxonomy-construction"],
  "mandate_templates": [
    { }
  ],
  "branding": {
    "primary_color": "string",
    "logo_url": "string",
    "company_name": "string"
  },
  "approval_workflow": {
    "require_principal_approval": true,
    "require_admin_approval": true,
    "auto_approve_trusted_idps": true
  },
  "updated_at": "2019-08-24T14:15:22Z"
}

Updates the widget configuration for a tenant. Creates a new versioned record. IdP credentials are stored in AWS Secrets Manager.
| id required | string |
| identity_providers | Array of objects |
| taxonomy_libraries | Array of strings |
| mandate_templates | Array of objects |
| branding | object |
| approval_workflow | object |
| webhook_url | string <uri> |
{
  "identity_providers": [
    { }
  ],
  "taxonomy_libraries": ["string"],
  "mandate_templates": [
    { }
  ],
  "branding": { },
  "approval_workflow": { }
}
{
  "tenant_id": "string",
  "widget_id": "string",
  "identity_providers": [
    {
      "provider": "eidas_eudi",
      "enabled": true,
      "config": { }
    }
  ],
  "taxonomy_libraries": ["@mandaitor/taxonomy-construction"],
  "mandate_templates": [
    { }
  ],
  "branding": {
    "primary_color": "string",
    "logo_url": "string",
    "company_name": "string"
  },
  "approval_workflow": {
    "require_principal_approval": true,
    "require_admin_approval": true,
    "auto_approve_trusted_idps": true
  },
  "updated_at": "2019-08-24T14:15:22Z"
}

Validates an Identity Provider configuration by attempting a client credentials flow against the specified provider (Entra ID, Auth0, Okta, or eIDAS).
Alias support: Accepts both provider (canonical) and idpType (legacy).
If both are present, provider takes precedence.
| id required | string |
| provider | string Enum: "eidas_eudi" "entra_id" "auth0" "okta" Canonical field. The IdP type to validate. |
| idpType | string Deprecated Deprecated legacy alias for |
| config required | object |
{
  "provider": "eidas_eudi",
  "idpType": "string",
  "config": { }
}
{
  "results": {
    "property1": {
      "valid": true,
      "message": "string"
    },
    "property2": {
      "valid": true,
      "message": "string"
    }
  }
}

Returns a paginated list of all configuration versions for the tenant, sorted by version number descending (newest first). Each entry contains version metadata (not the full configuration body).
| id required | string |
| limit | integer <= 100 Default: 20 |
| cursor | string |
{
  "versions": [
    {
      "configVersion": 0,
      "updatedAt": "2019-08-24T14:15:22Z",
      "createdAt": "2019-08-24T14:15:22Z",
      "status": "string",
      "widgetId": "string",
      "rollbackFrom": 0
    }
  ],
  "next_cursor": "string"
}

Rolls back the widget configuration to a previous version by creating a new version that is a copy of the target version. This preserves the full version history for audit purposes — no versions are deleted.
The new version includes a rollbackFrom field indicating which version
it was copied from.
| id required | string |
| version required | integer >= 1 The version number to roll back to |
{
  "version": 1
}
{
  "message": "string",
  "version": 0,
  "rollbackFrom": 0,
  "widgetId": "string"
}