AI Agent API
A dedicated API for AI agents to create links, update profiles, and complete purchases on behalf of an EdgeURL user. Separate auth tier, explicit permissions, full audit trail.
Request an ai_* Bearer token via an OAuth-style flow, then call POST /api/ai/v1/actions/links (or profile, or purchase) with the token. Every action is rate-limited, logged, and attributed to the issuing agent.
Why a separate API?
Sharing a session cookie or API key with an agent is risky: you give up scope control, rate limits apply to you instead of the agent, and there's no attribution for agent-initiated actions.
/api/ai/v1 fixes all three:
- Scoped tokens — each agent gets its own ai_* token with explicit permissions (read-only analytics, create-links, make-purchases).
- Per-agent rate limits — one misbehaving agent can't exhaust your session's quota.
- Usage attribution — every call emits a row in ai_usage_events. You see what each agent did, when, and how much AI cost it incurred.
- Instant revocation — revoke a token from the dashboard and the agent is locked out within one request cycle.
Auth flow
Agents don't register themselves. A human EdgeURL user grants an agent token through the authorization flow.
- Agent calls POST /api/ai/v1/request-access with its identity (name, description, requested permissions). Returns a request_id and the user is emailed an authorization link.
- User clicks the approval link (GET /api/ai/v1/authorize?token=<token>&action=approve) from their email. Signed-in users can also POST to the same route programmatically. The request moves to approved or denied.
- Agent polls GET /api/ai/v1/status?request_id=<id> until the response reports approved, then receives its ai_* token.
- Agent includes token in Authorization: Bearer ai_<token> on every subsequent API call. GET /api/ai/v1/status (no query param) verifies the token is still valid.
Endpoints
- /api/ai/v1/request-access: Start the authorization flow. Public, rate-limited by IP. Triggers an email to the user with the approval link.
- /api/ai/v1/status?request_id={id}: Poll authorization status by request ID. Returns pending | approved | denied. Also works with Bearer ai_* token (no query param) to verify the current token is still valid.
- /api/ai/v1/authorize?token={t}&action=approve|deny: Approve or deny a pending request. Used by the email link the user receives. Also available as POST for programmatic approval by a signed-in user.
- /api/ai/v1/actions/links: Create a smart link on behalf of the user. Requires links:write permission.
- /api/ai/v1/actions/links/{id}: Update an existing smart link. Requires links:write permission.
- /api/ai/v1/actions/profile: Update the user's bio, avatar, or content blocks. Requires profile:write permission.
- /api/ai/v1/actions/account: Read the authorized user's account summary (plan, usage, limits). Read-only.
- /api/ai/v1/actions/analytics: Read aggregate click + conversion analytics for the authorized user's links. Read-only.
- /api/ai/v1/actions/purchase: Initiate a Stripe checkout for add-ons, link packs, or plan upgrades. Requires purchase permission. Two-step flow: POST starts the request, user confirms via POST /api/ai/v1/purchase/approve.
- /api/ai/v1/signup: Agent can sign up a new user on their behalf (whitelabel flows). Requires platform-level partnership. Confirmation via POST /api/ai/v1/signup/confirm.
BYOK — bring your own key
Agents that need to run their own AI calls (classification, generation, embeddings) can ship user-provided provider keys. EdgeURL supports:
- OpenAI (gpt-4o, gpt-4o-mini, o-series)
- Anthropic (Claude 4.x family)
- Google (Gemini 1.5/2.0)
- Mistral (small/medium/large)
- Cohere (command-r/command-r-plus)
BYOK calls route through the user's key with zero platform markup. When no BYOK is set, calls use the platform key at cost-plus pricing. Both paths emit the same usage events for attribution.
Rate limits
Separate sliding-window limits per agent token (not per IP or user):
- Read (GET): 60 requests / 10 seconds
- Write (POST/PATCH on links, profile): 20 requests / 10 seconds
- Purchase: 5 requests / minute, with a hard daily spend cap set at grant time
- Authorize flow: 10 requests / 10 seconds per IP
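A per-token sliding-window limiter using the read, write and purchase limits listed above, added here as an illustration; it is not EdgeURL's implementation. The class name, the action-class labels and the sample tokens are assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Limits as listed on this page: (max requests, window in seconds).
# The authorize-flow limit is per IP, so it is not part of this per-token table.
LIMITS = {
    "read": (60, 10.0),      # GET
    "write": (20, 10.0),     # POST/PATCH on links, profile
    "purchase": (5, 60.0),
}


class AgentRateLimiter:
    """Sliding-window log limiter keyed by (agent token, action class)."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        # In a real service, key on a token ID or hash, not the raw secret.
        self.hits = defaultdict(deque)  # (token, klass) -> request timestamps

    def check(self, token, klass):
        """Return (allowed, retry_after_seconds); allowed requests are recorded."""
        max_requests, window = self.limits[klass]
        now = self.clock()
        log = self.hits[(token, klass)]
        # Drop timestamps that have slid out of the window.
        while log and now - log[0] >= window:
            log.popleft()
        if len(log) >= max_requests:
            # The oldest request still in the window decides when a slot frees up.
            return False, window - (now - log[0])
        log.append(now)
        return True, 0.0


def demo():
    """Constructed scenario: one agent bursts writes, another is unaffected."""
    t = [0.0]  # fake clock so the run is deterministic
    limiter = AgentRateLimiter(clock=lambda: t[0])
    noisy, quiet = "ai_noisy_example", "ai_quiet_example"  # constructed tokens
    allowed = sum(limiter.check(noisy, "write")[0] for _ in range(25))
    still_allowed, retry_after = limiter.check(noisy, "write")
    other_ok, _ = limiter.check(quiet, "write")
    t[0] = 10.0  # the burst at t=0 has now left the 10 s window
    recovered, _ = limiter.check(noisy, "write")
    return allowed, still_allowed, retry_after, other_ok, recovered
```
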
Attribution + cost tracking
Every call writes a row into ai_usage_events with the agent's token prefix, action taken, resource touched, and (if AI was called) model + prompt/completion tokens. Admins see platform-wide per-agent breakdowns at /admin/unit-economics. User-facing per-agent usage dashboards ship in a later release.
Need something this page doesn't cover?
Edge cases, enterprise partnership, or you want a managed ai_* token for your agent framework?
Contact us