https://docs.pau1.cloud
Alle öffentlichen Beispiele verwenden diese Domain. Lokal läuft die App auf 127.0.0.1:8096.
docs.pau1.cloud · Private Agent Gateway · Scoped API Keys
APIs, Hooks und Friend-Keys verständlich dokumentiert.
Dieses Wiki ist der menschliche Einstieg in Pauls API-Schicht. Links ist die hierarchische Navigation, rechts stehen Konzept, Auth, Scopes, konkrete Endpoints, JSON-Beispiele und cURL-Kommandos.
Bearer oder X-API-Key
Freunde bekommen begrenzte Tokens. Admin-Rechte bleiben getrennt.
Maschinenlesbar
Swagger, ReDoc und OpenAPI JSON sind parallel verfügbar.
Authentication
Jeder private Endpoint erwartet einen API-Key. Es gibt zwei gleichwertige Header-Varianten:
Bearer Token
Authorization: Bearer $TOKENX-API-Key
X-API-Key: $TOKENWichtig: Tokens werden serverseitig nur als SHA-256 Hash gespeichert. Raw Tokens werden nur einmal bei Erstellung ausgegeben.
Scopes
Scopes sind bewusst klein. Ein Freund bekommt nicht „die API“, sondern nur einzelne Fähigkeiten.
Integrationstest
Echo-Service zum Prüfen von Auth und JSON.
Briefing
Erstellt kompakte Briefings aus Text.
Summary Tool
Deterministische Textzusammenfassung.
Webhook Test
Empfängt Testevents und Payloads.
Key Admin
Erstellen, auditieren und widerrufen von Keys.
Friend-Key Modell
So gibst du Freunden gezielt Zugriff, ohne dein Agent-System komplett zu öffnen.
1 · Minimal geben
Nur die Scopes vergeben, die wirklich gebraucht werden. Beispiel: agent:brief + tools:summarize.
2 · Rate Limit setzen
Für Freunde z.B. 30 Requests/Minute. Für Admins höher.
3 · Token sicher teilen
Raw Token wird nur einmal erzeugt. Danach nur noch Fingerprint sichtbar.
4 · Revoken statt diskutieren
Wenn ein Token leakt oder zu breit ist: löschen und neu erstellen.
curl -X POST https://docs.pau1.cloud/v1/admin/keys \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"owner":"friend@example","scopes":["agent:brief","tools:summarize"],"note":"limited friend key","rate_limit_per_minute":30}'Hooks Roadmap
Aktuell gibt es einen sicheren Test-Hook. Produktions-Hooks sollten später je Integration eigene Scopes und Signaturen bekommen.
Jetzt live
Testempfänger für JSON Events.
Später
Stripe Events mit Signaturprüfung.
Später
Meta/Ads Lead- oder Conversion-Hooks.
Später
n8n Workflows triggern.
Später
Beschränkte agentische Aufgaben mit Queue und Kostenlimit.
Endpoint Reference
Alle aktuellen Endpoints mit Zweck, Scope, Request/Response und kopierbarem cURL.
GET /health
scope: public
Health Check
Simple uptime check for monitors, Traefik, and humans. Does not require an API key.
Response JSON
{
"ok": true,
"service": "agent-api-hub",
"time": "2026-05-23T21:00:00+00:00"
}cURL
curl https://docs.pau1.cloud/healthNotes
- Safe to expose publicly.
- No private data is returned.
GET /v1/me
scope: any valid key
Who am I?
Returns the current API key identity, granted scopes, and rate limit.
Response JSON
{
"key_id": "key_abc123",
"owner": "friend-demo",
"scopes": [
"agent:brief",
"tools:summarize"
],
"limits": {
"rate_limit_per_minute": 30
}
}cURL
curl -H "Authorization: Bearer $TOKEN" https://docs.pau1.cloud/v1/meNotes
- Does not reveal the raw token.
- Works with Authorization Bearer or X-API-Key.
GET /v1/services
scope: any valid key
Visible Services
Lists only the services that the current key is allowed to call.
Response JSON
{
"services": [
{
"id": "agent.brief",
"name": "Agent Brief",
"required_scope": "agent:brief",
"method": "POST",
"path": "/v1/agent/brief"
}
]
}cURL
curl -H "X-API-Key: $TOKEN" https://docs.pau1.cloud/v1/servicesNotes
- Admin-only endpoints appear only if the key has admin:keys.
- This is the cleanest discovery endpoint for external users.
POST /v1/agent/echo
scope: agent:echo
Agent Echo
Returns the submitted message and metadata unchanged. Useful for testing auth, JSON shape, and client plumbing.
Request JSON
{
"message": "Hello Paul",
"metadata": {
"source": "demo-client"
}
}Response JSON
{
"message": "Hello Paul",
"metadata": {
"source": "demo-client"
},
"echoed_at": "2026-05-23T21:00:00+00:00"
}cURL
curl -X POST https://docs.pau1.cloud/v1/agent/echo \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"message":"Hello Paul","metadata":{"source":"demo-client"}}'Notes
- No external LLM call.
- Good smoke test for friend keys.
POST /v1/agent/brief
scope: agent:brief
Agent Brief
Creates a deterministic brief from supplied text: compact summary, bullets, and word count.
Request JSON
{
"title": "Meeting notes",
"text": "Long text goes here...",
"bullets": 5
}Response JSON
{
"title": "Meeting notes",
"summary": "Compact summary...",
"bullets": [
"Key point one",
"Key point two"
],
"word_count": 420
}cURL
curl -X POST https://docs.pau1.cloud/v1/agent/brief \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"title":"Meeting notes","text":"FastAPI exposes scoped APIs. Friend keys only get selected services.","bullets":3}'Notes
- Current implementation is local/deterministic, not a paid LLM call.
- Text limit: 30,000 characters. Bullets: 1-10.
POST /v1/tools/summarize
scope: tools:summarize
Extractive Summarizer
Ranks sentences by keyword frequency and returns the strongest sentences as a summary.
Request JSON
{
"text": "Sentence one. Sentence two. Sentence three.",
"sentences": 3
}Response JSON
{
"summary": "Sentence one. Sentence three.",
"selected_sentences": [
"Sentence one.",
"Sentence three."
],
"sentence_count": 2
}cURL
curl -X POST https://docs.pau1.cloud/v1/tools/summarize \
-H "X-API-Key: $TOKEN" \
-H "Content-Type: application/json" \
-d '{"text":"APIs need docs. Docs need examples. Examples reduce support.","sentences":2}'Notes
- No external network calls.
- Text limit: 30,000 characters. Sentences: 1-10.
POST /v1/webhook/test
scope: webhook:test
Webhook Test Receiver
Receives a named event with arbitrary JSON payload and returns a timestamped receipt.
Request JSON
{
"event": "demo.created",
"payload": {
"user": "friend-demo",
"value": 123
}
}Response JSON
{
"ok": true,
"event": "demo.created",
"payload": {
"user": "friend-demo",
"value": 123
},
"received_at": "2026-05-23T21:00:00+00:00"
}cURL
curl -X POST https://docs.pau1.cloud/v1/webhook/test \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"event":"demo.created","payload":{"user":"friend-demo","value":123}}'Notes
- Currently a receipt/test endpoint, not a queue.
- Future production hooks should add signature verification.
GET /v1/admin/keys
scope: admin:keys
List API Keys
Returns metadata for all known keys: owner, scopes, creation time, revocation state, rate limit, and fingerprint.
Response JSON
[
{
"id": "key_abc123",
"owner": "Paul Admin",
"scopes": [
"admin:keys",
"agent:brief"
],
"revoked_at": null,
"rate_limit_per_minute": 300,
"fingerprint": "sha256:abcd1234"
}
]cURL
curl -H "Authorization: Bearer $ADMIN_TOKEN" https://docs.pau1.cloud/v1/admin/keysNotes
- Admin scope required.
- Friend keys correctly receive 403 here.
POST /v1/admin/keys
scope: admin:keys
Create Scoped API Key
Creates a new scoped key for a friend, customer, service, or integration. Raw token is returned once.
Request JSON
{
"owner": "friend@example",
"scopes": [
"agent:brief",
"tools:summarize"
],
"note": "limited friend key",
"rate_limit_per_minute": 30
}Response JSON
{
"token": "bah_live_generated_once",
"key": {
"id": "key_abc123",
"owner": "friend@example",
"scopes": [
"agent:brief",
"tools:summarize"
],
"fingerprint": "sha256:abcd1234"
}
}cURL
curl -X POST https://docs.pau1.cloud/v1/admin/keys \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"owner":"friend@example","scopes":["agent:brief","tools:summarize"],"note":"limited friend key","rate_limit_per_minute":30}'Notes
- Copy the returned token immediately; it is not shown again.
- Store friend/customer tokens outside chat unless intentionally sharing.
DELETE /v1/admin/keys/{key_id}
scope: admin:keys
Revoke API Key
Revokes a key by ID. Revoked keys can no longer authenticate.
Response JSON
{
"id": "key_abc123",
"revoked": true,
"revoked_at": "2026-05-23T21:00:00+00:00"
}cURL
curl -X DELETE -H "Authorization: Bearer $ADMIN_TOKEN" https://docs.pau1.cloud/v1/admin/keys/key_abc123Notes
- Revocation is safer than editing scopes in place.
- Create a new narrower key if access should continue.