API Reference

BSA/OFAC compliance middleware for AI agent-initiated payments.

Base URL api.clearagent.dev Version 0.2.0 Protocol HTTPS Response JSON

Introduction

CLEARAGENT is a single-call compliance layer that sits between an AI agent and a payment rail. Send a KYA credential token and transaction details; receive a verdict — PROCEED, REVIEW, BLOCK, or UNKNOWN — in under 50ms.

The API runs on Cloudflare Workers at the edge. There is no server, no backend, no warm-up time. Every request is processed in the data center closest to the caller.

No Claude API at runtime. The screening engine is fully deterministic — 25 rules executed in sequence. The same inputs always produce the same verdict. No LLM inference occurs during a screen call.

Authentication

All endpoints except /v1/health and /v1/.well-known/jwks.json require a Bearer token in the Authorization header.

curl https://api.clearagent.dev/v1/screen \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{...}'

Contact [email protected] to request a credentialed API key.

Base URL

https://api.clearagent.dev

Verdict Reference

Every POST /v1/screen response includes a verdict field with one of four values:

Verdict	Meaning	Recommended action
PROCEED	All 25 rules passed. Transaction is clear.	Allow payment to execute.
REVIEW	A spend policy, behavioral flag, or soft risk rule triggered.	Route to compliance officer queue before executing.
BLOCK	OFAC hit, invalid credential, or hard policy violation.	Reject the transaction. Do not execute.
UNKNOWN	No KYA credential presented, or credential is structurally invalid.	Hold transaction. Request credential from agent operator.

BLOCK is final. A BLOCK verdict from an OFAC hit or revoked credential cannot be overridden by institution policy. REVIEW verdicts are subject to institution-level configuration.

Error Codes

HTTP Status	Code	Description
400	missing_token	No KYA token provided in the request body.
400	invalid_json	Request body is not valid JSON.
401	unauthorized	Missing or invalid API key.
404	not_found	Audit record txnId does not exist or has expired (90-day TTL).
405	method_not_allowed	Wrong HTTP method for this endpoint.
500	internal_error	Worker fault. Contact support with the txnId if available.

Register Agent

POST /v1/agents/register Auth required

Issue a W3C Verifiable Credential (ES256-signed JWT) for an AI agent. The operator wallet and legal name are OFAC-screened at issuance. The credential is valid for 91 days and stored in KV under cred:{agentId}.

Request body

Field	Type	Required	Description
agentName	string	required	Human-readable name for the agent (e.g. "PayrollBot v2").
agentFramework	string	optional	Framework powering the agent: `LangChain`, `CrewAI`, `OpenAI Assistants`, `AutoGen`, etc.
underlyingModel	string	optional	Underlying LLM: `claude-sonnet-4-6`, `gpt-4o`, etc. Model change after issuance triggers a REVIEW flag.
agentType	string	required	`autonomous` or `supervised`. Autonomous agents require human heartbeat attestation every 24h.
operatorWallet	string	crypto	Operator Ethereum wallet address. OFAC-screened at issuance.
operatorEIN	string	tradfi	Operator EIN for TradFi/ACH payment flows.
operatorLegalName	string	required	Legal entity name. Checked against OFAC CONS_ENHANCED name list.
purpose	string	required	Plain-language description of the agent's payment purpose.
spendPolicy	object	optional	Spend limits and restrictions (see below).

spendPolicy object

Field	Type	Description
maxSingleTxUSDC	number	Maximum single transaction value in USD. Transactions above this trigger REVIEW.
dailyLimitUSDC	number	Cumulative daily spend ceiling in USD. Tracked per agent per UTC date.
allowedChains	string[]	Permitted payment chains: `ETH`, `BASE`, `SOL`, `ACH`, `WIRE`, `SWIFT`.
allowedRails	string[]	Permitted payment rails: `USDC`, `ACH`, `WIRE`, `SWIFT`, `IBAN`.
counterpartyScreening	string	Screening level: `OFAC`, `OFAC+CONS`.
noMixerProtocols	boolean	If true, transactions to Tornado Cash, Railgun, or other mixers are blocked.

Example request

curl -X POST https://api.clearagent.dev/v1/agents/register \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "agentName": "PayrollBot v2",
    "agentFramework": "LangChain",
    "underlyingModel": "claude-sonnet-4-6",
    "agentType": "autonomous",
    "operatorLegalName": "Acme Corp",
    "operatorWallet": "0xYourWalletAddress",
    "purpose": "Automated USDC payroll disbursements to contractors",
    "spendPolicy": {
      "maxSingleTxUSDC": 10000,
      "dailyLimitUSDC": 50000,
      "allowedChains": ["ETH", "BASE"],
      "counterpartyScreening": "OFAC+CONS",
      "noMixerProtocols": true
    }
  }'

Example response

{
  "agentId": "agt_Xk9mQ2Rz",
  "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...",
  "credential": {
    "@context": ["https://www.w3.org/2018/credentials/v1", "https://kya.protocol/v1"],
    "type": ["VerifiableCredential", "KYAAgentCredential"],
    "issuer": "did:kya:clearagent-alpha",
    "credentialSubject": {
      "agentId": "agt_Xk9mQ2Rz",
      "agentName": "PayrollBot v2",
      "agentType": "autonomous",
      "operatorLegalName": "Acme Corp",
      "spendPolicy": { "maxSingleTxUSDC": 10000, "dailyLimitUSDC": 50000, "allowedChains": ["ETH","BASE"] },
      "complianceAttestation": {
        "ofacAtIssuance": "CLEAR",
        "screenedAt": "2026-03-11T14:22:00Z",
        "credentialStatus": "ACTIVE"
      }
    },
    "expirationDate": "2026-06-10T14:22:00Z"
  }
}

Screen Transaction

POST /v1/screen Auth required

Screen a proposed transaction against the 25-rule compliance engine. Returns a verdict in under 50ms. A txnId is generated for every call and the full result is written to the tamper-evident audit log (90-day retention).

Request body

Field	Type	Required	Description
token	string	required	KYA credential JWT. Accepts `Bearer`, `VerifiableCredential`, `ProofPack`, or `JWT` scheme prefixes, or raw token.
amount	number	required	Transaction amount in USD.
chain	string	optional	Payment chain: `ETH`, `BASE`, `SOL`, `ACH`, `WIRE`, `SWIFT`.
rail	string	optional	Payment rail: `USDC`, `ACH`, `WIRE`, `SWIFT`, `IBAN`.
cpWallet	string	crypto	Counterparty Ethereum wallet address. OFAC-screened.
cpName	string	optional	Counterparty legal name. Checked against OFAC CONS_ENHANCED name list.
cpType	string	optional	Counterparty type: `individual`, `business`, `exchange`.
protocol	string	optional	Protocol or platform name. Used for mixer/privacy protocol detection.

Example request

curl -X POST https://api.clearagent.dev/v1/screen \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...",
    "amount": 4500,
    "chain": "ETH",
    "rail": "USDC",
    "cpWallet": "0xRecipientWalletAddress",
    "cpName": "Contractor LLC",
    "cpType": "business"
  }'

Example response — PROCEED

{
  "verdict": "PROCEED",
  "txnId": "txn_A8bKmQ3x",
  "rule": null,
  "reason": "All compliance checks passed.",
  "agentId": "agt_Xk9mQ2Rz",
  "agentName": "PayrollBot v2",
  "operatorLegalName": "Acme Corp",
  "credentialStatus": "ACTIVE",
  "ofacSource": "kv:live",
  "screenedAt": "2026-03-11T14:23:01Z",
  "latencyMs": 38
}

Example response — BLOCK (OFAC hit)

{
  "verdict": "BLOCK",
  "txnId": "txn_B7cNpR4y",
  "rule": "R6_COUNTERPARTY_WALLET_OFAC",
  "reason": "Counterparty wallet matches OFAC SDN list: Lazarus Group / DPRK (Ronin Bridge, $620M, Mar 2022)",
  "agentId": "agt_Xk9mQ2Rz",
  "screenedAt": "2026-03-11T14:23:44Z",
  "latencyMs": 29
}

25-Rule Screening Precedence

Rules are evaluated in order — first match wins. BLOCK rules take precedence over REVIEW rules.

#	Rule ID	Verdict	Trigger
1	R1_NO_CREDENTIAL	UNKNOWN	No token or structurally invalid JWT
2	R2_CREDENTIAL_STATUS	BLOCK	Credential status is REVOKED, EXPIRED, or SUSPENDED
3	R3_OPERATOR_OFAC_ISSUANCE	BLOCK	Operator wallet matched OFAC at issuance
4	R4_OPERATOR_WALLET_LIVE	BLOCK	Operator wallet matches live OFAC SDN (re-screened every call)
5	R5_OPERATOR_NAME_OFAC	BLOCK	Operator legal name matches OFAC CONS_ENHANCED entity list
6	R6_COUNTERPARTY_WALLET_OFAC	BLOCK	Counterparty wallet matches OFAC SDN
7	R7_COUNTERPARTY_NAME_OFAC	BLOCK	Counterparty name matches OFAC entity list
8	R8_OWNERSHIP_TRANSFER	BLOCK	Ownership transfer flag set — credential must be re-issued
9	R9_CHAIN_POLICY	REVIEW	Transaction chain not in allowedChains
10	R10_SINGLE_TX_LIMIT	REVIEW	Transaction amount exceeds maxSingleTxUSDC
11	R11_DAILY_LIMIT	REVIEW	Transaction would exceed dailyLimitUSDC
12	R12_FLEET_DAILY_LIMIT	REVIEW	Fleet aggregate daily limit would be exceeded
13	R13_COUNTERPARTY_WHITELIST	REVIEW	Counterparty not on approved whitelist (when whitelist is set)
14	R14_MIXER_PROTOCOL	BLOCK	Protocol field matches known mixer/privacy protocol
15	R15_MODEL_CHANGED	REVIEW	Underlying model has changed since credential issuance
16	R16_VELOCITY_FLAG	REVIEW	Unusual transaction velocity detected
17	R17_UNUSUAL_HOUR	REVIEW	Transaction outside normal operating hours
18–25	R18–R25	—	Additional rail, counterparty type, and policy rules
—	ALL_CLEAR	PROCEED	No rules triggered

Create Fleet

POST /v1/fleets/create Auth required

Create a fleet spend envelope under an operator. Agents can be assigned to a fleet, which enforces an aggregate daily spend limit across all agents in the fleet. Useful for organizations running multiple agents under a shared budget.

curl -X POST https://api.clearagent.dev/v1/fleets/create \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "fleetName": "Finance Operations Fleet",
    "operatorLegalName": "Acme Corp",
    "dailyLimitUSDC": 200000
  }'

Create Delegate

POST /v1/delegates/create Auth required

Mint a child agent credential from a parent agent credential. The child credential inherits the parent's policy and can only narrow it — it cannot expand spend limits or add chains beyond what the parent allows. Delegation depth is capped at 3 levels.

Register User

POST /v1/users/register Auth required

Issue a 30-day individual user credential. Valid for supervised agent contexts only — autonomous agents cannot be assigned user credentials. User credentials are stored under user:{userId} in KV with a 31-day TTL.

Human Attestation

POST /v1/agents/:id/attest Auth required

Record a human heartbeat re-attestation for an autonomous agent. Autonomous agents must be re-attested every 24 hours. If attestation is stale, transactions over $10,000 are automatically escalated to REVIEW. Attestation records are stored under attest:{agentId} with a 25-hour TTL.

curl -X POST https://api.clearagent.dev/v1/agents/agt_Xk9mQ2Rz/attest \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "attestedBy": "[email protected]",
    "note": "Routine daily attestation"
  }'

Review Disposition

POST /v1/reviews/:txnId Auth required

Post a BSA officer's disposition on a transaction that received a REVIEW verdict. This is the human-in-the-loop endpoint: when the screening engine flags a transaction for review (spend policy, velocity anomaly, model change, etc.), a compliance officer calls this endpoint to record their decision.

Path Parameters

Name	Type	Required	Description
`txnId`	string	Yes	Transaction ID from the `/v1/screen` response (format: `txn_XXXXXXXX`)

Request Body

Field	Type	Required	Description
`disposition`	string	Yes	`APPROVED` \| `REJECTED` \| `ESCALATE_SAR`
`reviewedBy`	string	Yes	Reviewer name or employee ID (BSA audit trail)
`notes`	string	No	Free-text rationale for the decision

Example Request

curl -X POST https://api.clearagent.dev/v1/reviews/txn_a1b2c3d4 \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "disposition": "APPROVED",
    "reviewedBy": "J. Smith, BSA Officer",
    "notes": "Reviewed velocity flag — within normal operating pattern for this agent."
  }'

Response (200)

Returns the full updated audit record with disposition fields appended:

{
  "txnId": "txn_a1b2c3d4",
  "verdict": "REVIEW",
  "ruleTriggered": "VELOCITY_SPIKE",
  "reason": "Transaction velocity exceeded 3x rolling average",
  "disposition": "APPROVED",
  "reviewedBy": "J. Smith, BSA Officer",
  "reviewedAt": "2026-03-15T14:22:01Z",
  "notes": "Reviewed velocity flag — within normal operating pattern for this agent.",
  "sarEscalated": false,
  ...
}

Dispositions

Value	Meaning	Effect
`APPROVED`	Transaction is compliant	Audit record updated. Payment can proceed.
`REJECTED`	Transaction denied by reviewer	Audit record updated. Payment should not proceed.
`ESCALATE_SAR`	Suspicious activity — SAR candidate	Sets `sarEscalated: true` on the audit record. Route to SAR filing workflow.

Error Responses

Status	Condition
400	Transaction verdict is not `REVIEW` (CLEAR/BLOCK/UNKNOWN cannot be dispositioned)
404	Transaction ID not found (expired or never written)
409	Disposition already recorded (idempotency guard — prevents double-disposition)
422	Invalid `disposition` value or missing `reviewedBy`

Get Audit Record

GET /v1/audit/:txnId Auth required

Retrieve a tamper-evident audit record by its txnId. Every /v1/screen call generates a txnId (format: txn_XXXXXXXX) and writes the full result plus request inputs to KV. Records are retained for 90 days.

curl https://api.clearagent.dev/v1/audit/txn_A8bKmQ3x \
  -H "Authorization: Bearer YOUR_API_KEY"

{
  "txnId": "txn_A8bKmQ3x",
  "verdict": "PROCEED",
  "rule": null,
  "reason": "All compliance checks passed.",
  "agentId": "agt_Xk9mQ2Rz",
  "agentName": "PayrollBot v2",
  "operatorLegalName": "Acme Corp",
  "credentialStatus": "ACTIVE",
  "ofacSource": "kv:live",
  "screenedAt": "2026-03-11T14:23:01Z",
  "_request": {
    "amount": 4500,
    "chain": "ETH",
    "cpWallet": "0xRecipient...",
    "cpName": "Contractor LLC",
    "rail": "USDC"
  }
}

90-day hot retention. KV records expire after 90 days. For BSA 5-year record-keeping requirements, institutions should implement a scheduled bulk export to their own long-term store. A bulk export endpoint is on the roadmap.

Health Check

GET /v1/health Public — no auth required

Returns API version, OFAC list status, KV connectivity, and signing key state. No authentication required.

curl https://api.clearagent.dev/v1/health

{
  "status": "ok",
  "version": "0.2.0",
  "ofac": {
    "source": "kv:live",
    "count": 77,
    "syncedAt": "2026-03-11T02:00:14Z"
  },
  "kv": "connected",
  "signingKey": "production"
}

JWKS Public Key

GET /v1/.well-known/jwks.json Public — no auth required

Returns the P-256 public key in standard JWKS format. Use this endpoint to independently verify any KYA credential JWT without calling the CLEARAGENT API — any standard JWT library that supports ES256 can verify the signature.

curl https://api.clearagent.dev/v1/.well-known/jwks.json

{
  "keys": [{
    "kty": "EC",
    "crv": "P-256",
    "use": "sig",
    "alg": "ES256",
    "kid": "cc-v1",
    "x": "...",
    "y": "..."
  }]
}

Independent verification. Any party that receives a KYA credential can verify its authenticity without trusting CLEARAGENT — fetch the JWKS endpoint once, cache the public key, and verify all future tokens locally. This is the standard W3C Verifiable Credential verification pattern.