IntentGate APIs
Every authorization decision the gateway makes is reachable over a clean HTTP surface. Mint capability tokens, push Rego policies, query the tamper-evident audit chain, review approvals, inspect SIEM forwarder health. The Pro console adds agent discovery, a governed inventory, and reporting on top. Apache 2.0 SDKs in Python and TypeScript.
Who can build on these APIs
Self-hosted teams
Anyone running the open-source gateway has the full HTTP surface available — no license tier gates the API. Mint tokens, push policies, query audit, all from your CI pipeline or operator console.
OEMs & integrators
Build IntentGate authorization into your own product or platform. Embed the SDKs, wrap the admin API in your customer console, ship policy templates as part of your offering.
API surface
Nine endpoint groups. The runtime path is what agents call on every tool invocation; the admin path is what operators and the console use to manage the gateway; and two Pro console surfaces add agent discovery, a governed inventory, and reporting.
Runtime
POST /v1/mcp · POST /v1/tool-call
Inline tool-call authorization. Every agent request traverses the four-check pipeline (capability, intent, policy, budget) and either forwards to the upstream tool server or returns one of five typed JSON-RPC error codes.
Capabilities
/v1/admin/mint · /v1/admin/revoke · /v1/admin/revocations
Issue capability tokens, revoke by JTI, list active revocations. Tokens bind subject, tenant, optional per-tool scope, budget caveats, and optional step-up annotations — all signed by the gateway.
Policies
/v1/admin/policies/{drafts,active,rollback,dry-run}
Two-stage Rego lifecycle: drafts CRUD, dry-run against synthetic or historical input, atomic per-tenant promote, one-call rollback. Hot-reloaded across replicas via Postgres LISTEN/NOTIFY.
Audit
/v1/admin/audit · /audit/verify · /audit/export
Query the per-tenant tamper-evident audit chain, verify hash reconciliation for compliance attestation, stream CSV or NDJSON for auditor handoff and offline review.
Approvals
/v1/admin/approvals · /approvals/{id}/decide
Human-review queue for policy-escalated calls. List pending decisions, approve or reject with operator identity captured for the audit trail.
Tenants
GET /v1/admin/tenants
Tenant inventory for the console switcher. Per-tenant active policy hash, pending approval count, recent event volume. Superadmin sees all; per-tenant admin sees its own.
Integration health
GET /v1/admin/integrations
Health of every configured SIEM and webhook destination — Splunk, Datadog, Sentinel, S3, webhook. Endpoint, flush counts, last error. Sensitive fields never returned. For vendor recipes, see the Integrations section below.
Discovery & inventory
POST /api/discovery/ingest · POST /api/discovery/sync
Find the AI agents the gateway doesn't see yet. Push logs from any CASB, proxy, or DNS tool, or auto-pull from a configured source on a schedule. Native parsers for Zscaler, Netskope, Microsoft Defender for Cloud Apps, and Infoblox normalise each vendor's records into one agent inventory you can own and govern.
Governance reports
GET /api/reports/{posture,access,attestation,activity}
Read-only reporting over the agent inventory, ownership, attestation, and the gateway audit log: coverage posture, an agent access register, attestation evidence, and decision activity. JSON for pipelines, CSV for auditors.
Built to work with your stack
Nine integration lanes
Most connectors are built into the gateway binary, configured by environment variable, and surface in GET /v1/admin/integrations for health-check use. The discovery sources are Pro console connectors that feed the agent inventory.
Agent runtimes
The protocols your existing agent stack already speaks.
Native MCP server — initialize, tools/list, ping, tool calls.
Direct tool/call invocation for non-MCP agent runtimes.
Compatible via MCP or the JSON-RPC fallback.
Wire the Python SDK into any LangChain Tool.
Anything that can issue HTTPS and carry a bearer token.
Upstream tool servers
Any MCP-compatible or HTTP-callable backend the gateway forwards allowed calls to.
Forward verbatim to any compliant MCP backend.
Internal microservices, SaaS APIs, database front-ends.
Identity & access
Authentication and provisioning hooks for the operator console.
Sign in against any OpenID Connect provider — Okta, Entra ID, Auth0, Keycloak.
Provision and off-board operators from your IdP.
Fresh-factor verification for destructive operations.
Policy engine
Embedded policy evaluator and the language operators write rules in.
CNCF-graduated evaluator, embedded in the gateway. Bundle hash logged on every decision.
Declarative policy language — destructive-verb deny-lists, bulk-row ceilings, value thresholds.
SIEM & audit forwarders
Native sinks for the audit event stream. Configure with env vars; surfaces in GET /v1/admin/integrations.
HTTP Event Collector with token + optional index routing.
API key + site + optional service tag.
Modern Logs Ingestion API via Azure AD service principal + DCE/DCR.
Native v1.7+ — Hive-partitioned gzipped NDJSON for Athena.
HMAC-signed fan-out for downstream relays (Lambda, Logic App, Mulesoft, Service Bus).
Notifications
Operator alerts on denials, escalations, approval timeouts, step-up requirements.
Per-tenant channel routing via the webhook fan-out.
Critical alerts for capability or budget check failures.
Storage & runtime
What the gateway depends on at runtime. Self-hosted, no SaaS dependency.
Backing store for audit, drafts, revocations, approvals, JIT elevations.
Production deployment — chart packages gateway + extractor + Postgres-backed audit.
Single-node evaluation deployments and CI smoke tests.
Single Go binary, no runtime deps. Drop on any Linux host.
Observability
Health, metrics, and traces for the gateway itself.
/metrics endpoint exposes request counts, decision rates, batch sink health.
Distributed traces emitted to any OTLP collector (gRPC).
Discovery sources
Connect the tools that already see egress to AI services; matching traffic becomes a discovered agent. Push their logs to the ingest endpoint, or have the console auto-pull on a schedule.
SWG / SSE web logs — egress to AI endpoints by user or host.
CASB app events, Generative-AI app category.
Cloud app discovery and activity.
DNS queries + IPAM — source IP resolves to a named host.
Any proxy or SIEM that can POST records to the ingest endpoint.
Get started in minutes
Quickstart
One docker run, mint a token, see the four-check pipeline fire. The shortest path from zero to a real authorization decision.
Python
Three-line Gateway() construction. Typed exception per check. attenuate() for sub-agent delegation. Python 3.10+.
pip install intentgate
Resources
API reference
Every endpoint, request, response. Auth, error codes, pagination.
OpenAPI spec
Machine-readable contract. Generate clients in any language.
Architecture
Components, request lifecycle, audit chain, multi-tenant model.
AWS + Sentinel
Integration recipe for landing audit in a common SIEM topology.
Deployment runbook
27-page operator guide. Helm + Docker, day-1 + day-2.
Community
GitHub Discussions. Ask the team, ask other operators.
Ready to build?
Talk to us about a pilot, ask a question about the surface, or just say hi.