API Reference

Everything your agent needs to request spending tokens programmatically.

Base URL: https://cardrail.polsia.app

Token Request (Core Endpoint)

POST /api/tokens/request

Request a single-use spending token for an agent. This is the primary endpoint your AI agent calls when it needs to make a purchase.

Parameter   Type      Required    Description
api_key     string    required*   Agent's API key (or use agent_id)
agent_id    integer   required*   Agent ID (alternative to api_key)
amount      number    required    Dollar amount (e.g. 12.00)
merchant    string    required    Merchant name (e.g. "vercel.com")
category    string    optional    Spending category (e.g. "cloud_hosting")

// Request
curl -X POST https://cardrail.polsia.app/api/tokens/request \
  -H "Content-Type: application/json" \
  -d '{
    "api_key": "cr_a1b2c3...",
    "amount": 12.00,
    "merchant": "vercel.com"
  }'

// Success Response (201)
{
  "success": true,
  "token": {
    "token": "tok_7x9f2k...",
    "amount": 12.00,
    "merchant": "vercel.com",
    "expires_in_seconds": 600
  },
  "card": {
    "number": "4242 4242 4242 7291",
    "exp_month": "06",
    "exp_year": "2027",
    "cvc": "482"
  },
  "guardrails": {
    "daily_remaining": 38.00,
    "monthly_remaining": 488.00
  }
}

// Denied Response (403)
{
  "success": false,
  "message": "Amount $95.00 exceeds daily limit of $50.00",
  "decline_reason": "daily_limit_exceeded"
}

Agents

POST /api/agents

Create a new agent with spending guardrails. Returns the API key once (save it!).

curl -X POST https://cardrail.polsia.app/api/agents \
  -H "Content-Type: application/json" \
  -d '{
    "name": "deploy-bot",
    "daily_limit": 50,
    "monthly_limit": 500,
    "per_txn_limit": 20,
    "allowed_merchants": ["vercel", "aws", "render"]
  }'

GET /api/agents

List all agents with current spending stats.

PATCH /api/agents/:id

Update agent settings. Set is_active: false to kill the agent immediately (voids all active tokens).

// Kill switch
curl -X PATCH https://cardrail.polsia.app/api/agents/1 \
  -H "Content-Type: application/json" \
  -d '{ "is_active": false }'

Transactions

GET /api/transactions

List all transactions (approved and denied). Filter by agent or status.

Query Param   Type      Required   Description
agent_id      integer   optional   Filter by agent
status        string    optional   "approved" or "denied"
limit         integer   optional   Max results (default: 50, max: 100)

GET /api/transactions/stats

Dashboard summary stats: active agents, spending totals, denied count.

Guardrail Rules

Every token request is validated against these rules in order. If any rule fails, the request is denied and logged.

  1. Kill switch — agent must be active
  2. Per-transaction limit — amount vs max per txn
  3. Merchant allow list — must be on the list (if set)
  4. Merchant block list — must not be blocked
  5. Category block list — must not be in blocked category
  6. Daily spending limit — cumulative 24h cap
  7. Monthly spending limit — cumulative monthly cap
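
A local model of this rule order, added here as an example and not the service's own code: it returns the reason for the first rule that fails, so a policy can be unit-tested before an agent is created. The blocked_merchants and blocked_categories field names, the first-label merchant matching, and every reason string except daily_limit_exceeded are assumptions.

```python
from dataclasses import dataclass, field

INF = float("inf")  # stands for "no limit configured"

@dataclass
class Agent:
    is_active: bool = True
    per_txn_limit: float = INF
    daily_limit: float = INF
    monthly_limit: float = INF
    allowed_merchants: list = field(default_factory=list)   # empty = no allow list set
    blocked_merchants: list = field(default_factory=list)   # assumed field name
    blocked_categories: list = field(default_factory=list)  # assumed field name

def merchant_key(merchant):
    # Assumption: "vercel.com" is matched by its first label, "vercel".
    return merchant.lower().split(".")[0]

def evaluate(agent, amount, merchant, category=None, spent_today=0.0, spent_month=0.0):
    """Return None when every rule passes, else the reason for the first failing rule."""
    key = merchant_key(merchant)
    # Same order as the numbered list. Reason strings other than
    # "daily_limit_exceeded" are hypothetical names chosen for this example.
    rules = [
        ("agent_inactive", not agent.is_active),
        ("per_txn_limit_exceeded", amount > agent.per_txn_limit),
        ("merchant_not_allowed",
         bool(agent.allowed_merchants) and key not in agent.allowed_merchants),
        ("merchant_blocked", key in agent.blocked_merchants),
        ("category_blocked", category in agent.blocked_categories),
        ("daily_limit_exceeded", spent_today + amount > agent.daily_limit),
        ("monthly_limit_exceeded", spent_month + amount > agent.monthly_limit),
    ]
    return next((reason for reason, failed in rules if failed), None)

if __name__ == "__main__":
    # Constructed sample: limits copied from the deploy-bot example on this page.
    bot = Agent(per_txn_limit=20, daily_limit=50, monthly_limit=500,
                allowed_merchants=["vercel", "aws", "render"])
    for args in [(12.00, "vercel.com"), (95.00, "vercel.com"), (12.00, "example.com")]:
        print(args, "->", evaluate(bot, *args) or "approved")
```

Because evaluation stops at the first failure, a 95.00 request against this policy is reported as a per-transaction denial and the daily limit is never consulted.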