DEVELOPER SDK

OAuth for AI agents.

OAuth lets users delegate authority to apps without sharing passwords. VAC lets humans delegate authority to AI agents without losing accountability. Every agent action traces through a cryptographic chain back to a verified human. Issue tokens, enforce scoped authority, and audit everything — one API.

L1
one API call to start
Ed25519
signed tokens
558
patent claims
Get Free API Key View Docs
How It Works
1
Issue Token
Human authenticates (API key, SSO, or biometric). Gets a signed authority token with scoped permissions.
2
Record Actions
Agent performs actions. Each one is recorded in the execution graph with trust score, scope, and outcome.
3
Human Reviews
Human rates the outcome (approved/flagged/rejected). Feedback drives agent reputation and smarter routing.

Quickstart — The Simple Path

Already have an agent? Two API calls and you're in the execution graph.

cURL
Python
JavaScript
bash# 1. Issue an L1 token (API key level — instant, no biometrics) curl -X POST https://vac-system-production.up.railway.app/v1/vat/issue/l1 \ -H "Content-Type: application/json" \ -d '{"developer_email":"you@company.com","agent_id":"my-agent","resources":["calendar:events"],"actions":["read","write"]}' # Returns: { jti: "vat_root_...", provenance_ref: "prov_...", compact_jwt: "eyJ..." } # 2. Record an agent action (one call — simplest integration) curl -X POST https://vac-system-production.up.railway.app/v1/vat/record/action \ -H "Content-Type: application/json" \ -d '{"vat_jti":"YOUR_TOKEN_JTI","action":"read","resource":"calendar:events","result":"success"}' # Returns: { recorded: true, aar_id: "aar_...", provenance_ref: "prov_..." } # 3. Human rates the result curl -X POST https://vac-system-production.up.railway.app/v1/vat/aar/AAR_ID/feedback \ -H "Content-Type: application/json" \ -d '{"rating":"approved","note":"Result was correct"}' # 4. Check agent reputation (built from execution + feedback) curl https://vac-system-production.up.railway.app/v1/vat/reputation/my-agent # Returns: { execution_score: 1.0, feedback_score: 1.0, combined_reputation: 1.0 }
pythonimport requests BASE = "https://vac-system-production.up.railway.app" # 1. Issue L1 token token = requests.post(f"{BASE}/v1/vat/issue/l1", json={ "developer_email": "you@company.com", "agent_id": "my-agent", "resources": ["calendar:events"], "actions": ["read", "write"] }).json() # 2. Your agent does its thing, then record it result = agent.read_calendar() # your existing code aar = requests.post(f"{BASE}/v1/vat/record/action", json={ "vat_jti": token["jti"], "action": "read", "resource": "calendar:events", "result": "success" }).json() # 3. Human feedback requests.post(f"{BASE}/v1/vat/aar/{aar['aar_id']}/feedback", json={ "rating": "approved" }) # 4. Check reputation rep = requests.get(f"{BASE}/v1/vat/reputation/my-agent").json() print(f"Reputation: {rep['combined_reputation']}")
javascriptconst BASE = 'https://vac-system-production.up.railway.app'; const post = (path, body) => fetch(`${BASE}${path}`, { method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(body) }).then(r => r.json()); // 1. Issue L1 token const token = await post('/v1/vat/issue/l1', { developer_email: 'you@company.com', agent_id: 'my-agent', resources: ['calendar:events'], actions: ['read', 'write'] }); // 2. Record action const aar = await post('/v1/vat/record/action', { vat_jti: token.jti, action: 'read', resource: 'calendar:events', result: 'success' }); // 3. Human feedback await post(`/v1/vat/aar/${aar.aar_id}/feedback`, { rating: 'approved' }); // 4. Reputation const rep = await fetch(`${BASE}/v1/vat/reputation/my-agent`).then(r => r.json()); console.log(`Reputation: ${rep.combined_reputation}`);
Use Cases
🤖
Multi-Agent Workflows
Delegate authority from human to agent to sub-agent. Scope narrows at every level. One revoke kills the entire chain.
📊
Execution Graph
Every action recorded. Query by workflow (provenance_ref), agent, action type, or time range. Agent reputation builds from real data.
🏥
Regulated Industries
Healthcare, finance, legal, defence. Tamper-evident audit trail with human feedback ratings. Policy assertions (HIPAA, SOC2, NIST ZTA) in every token.
Pricing

Free while we build

The SDK is free during the development phase. Early adopters will be grandfathered when paid tiers launch.

CURRENT
EARLY ACCESS
$0
during development
  • All endpoints available
  • L1, L2, L3 assurance levels
  • Delegation chains
  • Action recording + feedback
  • Agent reputation
  • Execution graph queries
  • Ed25519 signed tokens
Get Started
ENTERPRISE
Custom
when you need SLAs
  • Dedicated infrastructure
  • SLA guarantee
  • On-premise option
  • Custom policy assertions
  • Priority support
Contact
API Reference

Endpoints

POST /v1/vat/record/action Record an agent action (simplest integration)

One call: authorize + record + complete. Simplest way to add any action to the execution graph.

{ "recorded": true, "aar_id": "aar_e11bbdf3c1d4", "provenance_ref": "prov_4074e6f503a3", "trust_score": 0.4, "delegation_depth": 0 }
POST /v1/vat/issue/l1 Issue L1 token (API key level — instant)

Issue a root authority token. No biometrics needed for L1. Returns Ed25519-signed JWT with scoped permissions.

{ "jti": "vat_root_850fcb1c7e03", "provenance_ref": "prov_4074e6f503a3", "compact_jwt": "eyJhbGciOiJFZERTQSI...", "claims": { "vac_trust_score": 0.4, "vac_scope": { "resources": ["calendar:events"], "actions": ["read", "write"] } } }
POST /v1/vat/authorize Check permission before acting (full control)

Pre-flight check: is this action within scope? Creates a pending AAR. Use with /complete for the full lifecycle.

{ "authorized": true, "aar_id": "aar_3dc53332e417", "trust_score": 0.4, "provenance_ref": "prov_...", "human_ref": "sha256:7af91dcf...", "assurance_level": "L1" }
POST /v1/vat/aar/{id}/feedback Human rates agent action

Rate an action: approved, flagged, or rejected. Immutable once set. Feeds into agent reputation.

{ "aar_id": "aar_3dc53332e417", "rating": "approved", "feedback_at": "2026-03-10T09:42:15Z" }
GET /v1/vat/reputation/{agent_id} Agent reputation score

Two-dimensional: execution_score (from AAR outcomes) + feedback_score (from human ratings). Combined 60/40.

{ "agent_id": "agent:my-agent", "total_actions": 47, "execution_score": 0.957, "feedback_score": 0.85, "combined_reputation": 0.914, "has_human_feedback": true }
GET /v1/vat/aar/provenance/{ref} Query entire workflow

One provenance_ref returns every action by every agent in a workflow. The execution graph query.

{ "provenance_ref": "prov_4074e6f503a3", "total_records": 12, "unique_agents": 3, "actions_by_type": { "read": 8, "write": 3, "delegate": 1 }, "results_by_type": { "success": 11, "error": 1 } }
View all 68+ endpoints →
Get Started

Get Your API Key

Free during development. All endpoints available immediately.

VAC Protocol — Patent Pending (558 claims, 12 filings with IP Australia)

Submitted to NIST NCCoE AI Agent Identity and Authorization project

SDK Overview · Full API Docs · Try Biometric Verification

vacprotocol.org · aiinternet.ai · developers@vacprotocol.org

© 2026 Violet Shores Pty Ltd. All rights reserved.