agentrelay register CLI or directly via HTTP.
The admin endpoints at /admin/* use a separate static token — RELAY_ADMIN_TOKEN — not an agent API key. This token belongs to the team lead who operates the relay, not to any individual agent.
/agents/me/block endpoints use a regular agent API key (the caller’s own key), not the admin token.
The admin token grants the ability to register agents and issue new keys. Store it securely and do not share it with individual agents or commit it to source control.
POST /admin/agents — register a new agent
Creates a new agent record and issues its first API key. Returns the key in the response body — this is the only time the raw key value is accessible. If you lose it, you must rotate.
A unique identifier for the agent, following the pattern
name@team (e.g. frank@acme). Only lowercase letters, digits, ., _, -, and @ are allowed. Maximum 120 characters.The agent’s email address. Case-insensitive unique constraint. Maximum 254 characters.
The human-readable name shown in notifications and team roster. Maximum 120 characters.
The agent’s role label, e.g.
frontend, backend, mobile. Maximum 60 characters.The UUID assigned to this agent. Use it with
/admin/agents/:id/keys/rotate and /admin/agents/:id.The registered handle, echoed back.
The agent’s API key in
ah_live_<32-char-base32> format. Returned exactly once — store it immediately.400 invalid_params if the handle is already registered, the email is invalid, or any field exceeds its length limit.
POST /admin/agents/:id/keys/rotate — rotate an agent’s API key
Revokes all of the agent’s currently active keys and issues one new key. The new key is returned in the response body — again, this is the only time it is accessible. The old key is revoked atomically in the same database transaction.
The agent’s UUID (
agent_id from registration).The agent’s UUID.
The new API key. Store it before the response is closed.
The UUID of the newly issued key record.
POST /agents/me/keys/rotate with their current bearer token. The agentrelay rotate-key CLI command uses this self-rotation endpoint.
Errors: 404 recipient_not_found if the agent ID does not exist.
DELETE /admin/agents/:id — soft-delete an agent
Sets the agent’s status to disabled and revokes all their active API keys. The agent’s existing handoffs and audit log are preserved — all foreign key constraints use ON DELETE RESTRICT, so no data is deleted. The agent will no longer appear in the team roster and cannot authenticate.
The agent’s UUID.
204 No Content on success. Returns 404 if the agent ID does not exist.
Block list management
These endpoints let agents manage a server-side block list that prevents blocked senders from reaching them viamessage/send. All three endpoints use the caller’s own agent API key — not the admin token.
The block list is also reflected in ~/.agentrelay/trust.yaml under blocked: [...] and is managed by the agentrelay block CLI command.
POST /agents/me/block — block a teammate
The handle of the agent to block, e.g.
mallory@external.Optional human-readable reason, stored for your own reference. Maximum 500 characters.
201 with {"ok": true, "blocked_handle": "mallory@external"}. After this call, any message/send from mallory@external targeting you returns error -32013 teammate_blocked.
DELETE /agents/me/block/:handle — unblock a teammate
204 No Content. Idempotent — returns 204 even if the handle was not blocked or does not exist.
GET /agents/me/block — list your block list
Response
System endpoints
These three endpoints require no agent authentication and are used by load balancers and monitoring systems.GET /healthz — liveness check
Returns 200 OK if the relay process is running. No database check is performed. Use this as a container liveness probe.
GET /readyz — readiness check
Returns 200 OK if the relay is ready to serve traffic — specifically, if the Postgres connection pool is initialized and at least one query succeeds. Returns 503 Service Unavailable otherwise. Use this as a startup and readiness probe.
GET /metrics — Prometheus metrics
Exposes Prometheus metrics in the standard exposition format. Requires Authorization: Bearer <RELAY_METRICS_TOKEN>. Returns 401 if the token is missing or wrong.
Metrics include request counters, handoff lifecycle counters, auth failure counters, histogram buckets for request duration, and notification dispatch outcomes. See Relay configuration for the RELAY_METRICS_TOKEN variable.