API Overview
The Steward API is a REST API built with Hono running on Bun. All responses follow a consistentApiResponse<T> shape.
Base URL
Authentication
Steward supports three authentication methods:- Tenant API Key
- Agent JWT
- SIWE (Sign In With Ethereum)
For tenant-level operations (agent CRUD, policy management, secret management):The API key is returned once when a tenant is created and cannot be retrieved again.
Platform Key
For platform-level operations (cross-tenant management), use the platform key:Response Format
All endpoints return a consistent format:HTTP Status Codes
| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created (new resource) |
| 202 | Accepted (transaction queued for approval) |
| 400 | Bad request (invalid input) |
| 401 | Unauthorized (missing or invalid auth) |
| 403 | Forbidden (policy denied, wrong scope) |
| 404 | Not found |
| 409 | Conflict (duplicate resource) |
| 429 | Too many requests |
| 500 | Internal server error |
| 502 | Bad gateway (RPC error from blockchain) |
Rate Limits
The Bun API entrypoint enforces a process-local global request limit per client IP, and sensitive wallet routes can enforce Redis-backed per-agent limits via policies. Production multi-instance deployments should configure Redis for shared auth and wallet-action throttles. Rate-limited responses return429 with Retry-After, standard
RateLimit-Limit, RateLimit-Remaining, and RateLimit-Reset headers, plus
legacy X-RateLimit-* compatibility headers. Successful wallet-action
responses that evaluate a rate-limit policy include the same standard remaining
budget headers without Retry-After.
Request Hardening Inventory
The generated OpenAPI contract marks sensitive mutating operations withx-steward-hardening. These operations are under the same sensitive-prefix
inventory used by the request-expiry and authorization-signature middleware.
For these routes:
X-Steward-Request-TimestamporX-Steward-Request-Expires-Atis required when request-expiry enforcement is enabled.X-Steward-Signatureis required when authorization signatures are enabled. The header accepts HMACv1=signatures and P-256p256=signatures.X-Steward-Signing-Key-Idcan select a managed tenant request-signing key.Idempotency-Keyis required for signed sensitive requests and recommended for all sensitive mutations.
x-steward-hardening extension records when they
become mandatory.
Idempotency and safe retries
For fund-moving or signing workflows, include a caller-stablereferenceId in
the request body when the endpoint supports it, and send an Idempotency-Key
header for sensitive mutations where your deployment accepts or requires one.
Use the same values when retrying after client timeouts so transaction history,
audit events, and lifecycle webhooks can be correlated to one business
operation.
Bitcoin PSBT signing is sign/finalize-only: POST /vault/:agentId/sign-bitcoin-psbt returns Steward’s transactionId, may return
finalized raw transaction metadata when finalize: true, and never broadcasts.
Because the route enforces fee caps and spend/address policies before signing,
clients should query by referenceId before creating replacement PSBT requests.
If a finalized raw transaction was already handed to a broadcaster, do not retry
that broadcast blindly; check the Bitcoin txId with your broadcaster or
indexer first.
Route Groups
| Prefix | Description | Auth Required |
|---|---|---|
/agents | Agent CRUD + policy management | Tenant key or agent JWT |
/accounts | Digital asset account resources grouping tenant wallets | Tenant key |
/user/me/wallet | Authenticated user-wallet provisioning, indexed wallets, and additional signers | Personal user session |
/vault | Signing, approvals, history | Agent JWT or tenant key |
/audit | Tenant audit events and action-history filters | Owner/admin session + recent MFA |
/secrets | Secret + route CRUD | Tenant key only |
/condition-sets | Reusable policy allow/block list CRUD and item management | Tenant owner/admin session |
/tenants | Tenant management | Tenant key |
/auth | SIWE, passkeys, email login | Varies |
/platform | Cross-tenant admin | Platform key |
/health | Health check | None |