API Reference
Complete reference for the Tropic API. All endpoints require authentication via Clerk JWT or API key unless noted.
https://api.tropic.bot/apiAuthorization: Bearer <token>Policies
/policiesList policies
Returns all policy profiles belonging to the authenticated user. Policies define ALLOW/REQUIRE CONFIRM/DENY rules that control agent behavior.
[
{
"id": "pol_8f3a2b1c",
"userId": "user_abc123",
"name": "Web Research Only",
"rules": "ALLOW: browse any public website\nALLOW: read local files\nDENY: shell commands\nDENY: sudo",
"createdAt": "2026-02-19T10:00:00.000Z",
"updatedAt": "2026-02-19T10:00:00.000Z"
}
]/policies/:idGet policy
Returns a single policy by ID. Returns 403 if the policy belongs to another user.
{
"id": "pol_8f3a2b1c",
"userId": "user_abc123",
"name": "Web Research Only",
"rules": "ALLOW: browse any public website\nALLOW: read local files\nDENY: shell commands",
"createdAt": "2026-02-19T10:00:00.000Z",
"updatedAt": "2026-02-19T10:00:00.000Z"
}/policiesCreate policy
Create a new policy profile. Rules use the ALLOW / REQUIRE CONFIRM / DENY format, one rule per line.
{
"name": "Strict Research",
"rules": "ALLOW: browse any public website\nREQUIRE CONFIRM: download files\nDENY: shell commands\nDENY: sudo"
}{
"id": "pol_9d4e3f2a",
"userId": "user_abc123",
"name": "Strict Research",
"rules": "ALLOW: browse any public website\nREQUIRE CONFIRM: download files\nDENY: shell commands\nDENY: sudo",
"createdAt": "2026-02-20T14:30:00.000Z",
"updatedAt": "2026-02-20T14:30:00.000Z"
}/policies/:idUpdate policy
Update an existing policy's name or rules. Only the fields you include will be changed. Agents using this policy will pick up the new rules on their next VM push.
{
"name": "Relaxed Research",
"rules": "ALLOW: browse any public website\nALLOW: download files\nALLOW: execute code in sandbox"
}{
"id": "pol_9d4e3f2a",
"name": "Relaxed Research",
"rules": "ALLOW: browse any public website\nALLOW: download files\nALLOW: execute code in sandbox",
"updatedAt": "2026-02-20T15:00:00.000Z"
}/policies/:idDelete policy
Permanently delete a policy. Any agents referencing this policy will have their policyId set to null.
{
"id": "pol_9d4e3f2a",
"name": "Relaxed Research",
"rules": "...",
"createdAt": "2026-02-20T14:30:00.000Z",
"updatedAt": "2026-02-20T15:00:00.000Z"
}Agents
/agents10/minDeploy agent
Deploy a new agent from a marketplace template. If policyId is omitted, the system auto-migrates your global settings into a policy. If the VM is running, the agent is pushed immediately via SSM. Otherwise it stays in "provisioning" until the VM starts.
Maximum 5 active agents per user. The policyId field is optional — omit it to use auto-migrated settings.
{
"templateId": "tmpl_web-research",
"name": "My Web Researcher",
"policyId": "pol_8f3a2b1c"
}{
"id": "agt_7b2c1d3e",
"userId": "user_abc123",
"templateId": "tmpl_web-research",
"policyId": "pol_8f3a2b1c",
"name": "My Web Researcher",
"status": "provisioning",
"config": {
"agent": { "model": "claude-sonnet-4-6", "skills": ["web-search"] },
"workspace": { "AGENTS.md": "..." }
},
"createdAt": "2026-02-19T10:00:00.000Z"
}/agentsList agents
Returns all agents belonging to the authenticated user, ordered by creation date (newest first). Includes the template name/slug/icon and the attached policy name.
[
{
"id": "agt_7b2c1d3e",
"name": "My Web Researcher",
"status": "ready",
"policyId": "pol_8f3a2b1c",
"template": {
"name": "Web Research",
"slug": "web-research",
"icon": "search"
},
"policy": {
"id": "pol_8f3a2b1c",
"name": "Web Research Only"
},
"createdAt": "2026-02-19T10:00:00.000Z"
}
]/agents/:idGet agent
Returns full details for a single agent, including the complete template and policy objects.
{
"id": "agt_7b2c1d3e",
"name": "My Web Researcher",
"status": "ready",
"template": {
"id": "tmpl_web-research",
"name": "Web Research",
"slug": "web-research",
"icon": "search",
"description": "...",
"bundleConfig": { ... },
"defaultPolicy": "..."
},
"policy": {
"id": "pol_8f3a2b1c",
"name": "Web Research Only",
"rules": "ALLOW: browse any public website\n..."
},
"createdAt": "2026-02-19T10:00:00.000Z"
}/agents/:id/policyUpdate agent policy
Change or remove the security policy attached to an agent. If the agent's VM is running, the updated policy rules are pushed to the VM immediately via SSM. Set policyId to null to detach the policy.
To remove a policy entirely, send { "policyId": null }.
{
"policyId": "pol_9d4e3f2a"
}{
"id": "agt_7b2c1d3e",
"name": "My Web Researcher",
"status": "ready",
"template": { "name": "Web Research", "slug": "web-research", "icon": "search" },
"policy": { "id": "pol_9d4e3f2a", "name": "Strict Research" }
}/agents/:id/stopStop agent
Sets the agent's status to "stopped". No-op if the agent is already stopped.
{
"id": "agt_7b2c1d3e",
"name": "My Web Researcher",
"status": "stopped"
}/agents/:idRemove agent
Permanently deletes the agent record. This cannot be undone.
{ "success": true }Templates
/templatesList templates
Returns all available agent templates in the marketplace. Templates are blueprints that define an agent's model, skills, workspace files, and default policy.
[
{
"id": "tmpl_web-research",
"name": "Web Research",
"slug": "web-research",
"description": "Research assistant with web browsing capabilities",
"icon": "search",
"bundleConfig": {
"agent": { "model": "claude-sonnet-4-6", "skills": ["web-search", "summarize"] },
"workspace": { "AGENTS.md": "...", "TOOLS.md": "..." }
},
"defaultPolicy": "ALLOW: web browsing\nDENY: file system write"
}
]/templates/:slugGet template
Returns a single template by its slug identifier.
{
"id": "tmpl_web-research",
"name": "Web Research",
"slug": "web-research",
"description": "Research assistant with web browsing capabilities",
"icon": "search",
"bundleConfig": { ... },
"defaultPolicy": "ALLOW: web browsing\nDENY: file system write"
}Agent Tasks
/agents/:agentId/tasks10/minSubmit task
Submit a new work item to an agent. The task enters "pending" and is picked up by the orchestrator on the VM. Tasks matching REQUIRE CONFIRM rules will pause for approval.
{
"description": "Research the latest trends in AI safety and compile a summary"
}{
"id": "task_1a2b3c4d",
"agentId": "agt_7b2c1d3e",
"description": "Research the latest trends in AI safety and compile a summary",
"status": "pending",
"createdAt": "2026-02-19T11:00:00.000Z"
}/agents/:agentId/tasksList tasks for agent
Returns all tasks submitted to a specific agent.
[
{
"id": "task_1a2b3c4d",
"agentId": "agt_7b2c1d3e",
"description": "Research the latest trends in AI safety...",
"status": "completed",
"createdAt": "2026-02-19T11:00:00.000Z",
"updatedAt": "2026-02-19T11:05:00.000Z"
}
]/agent-tasksList all tasks
Returns all tasks across all agents for the authenticated user. Use the status query parameter to filter.
Filter by status: /agent-tasks?status=awaiting_approval
[
{
"id": "task_1a2b3c4d",
"agentId": "agt_7b2c1d3e",
"description": "...",
"status": "awaiting_approval",
"createdAt": "2026-02-19T11:00:00.000Z"
}
]/agent-tasks/:taskIdGet task
Returns full details for a specific task including its event history.
{
"id": "task_1a2b3c4d",
"agentId": "agt_7b2c1d3e",
"description": "Research the latest trends in AI safety...",
"status": "completed",
"events": [
{ "status": "pending", "timestamp": "2026-02-19T11:00:00.000Z" },
{ "status": "running", "timestamp": "2026-02-19T11:00:05.000Z" },
{ "status": "completed", "timestamp": "2026-02-19T11:05:00.000Z" }
]
}/agent-tasks/:taskId/approve10/minApprove task
Approve a task that is waiting for human confirmation. Transitions the task from "awaiting_approval" to "running".
{
"id": "task_1a2b3c4d",
"status": "running"
}/agent-tasks/:taskId/reject10/minReject task
Reject a task that is waiting for human confirmation. The agent will not execute the action.
{
"id": "task_1a2b3c4d",
"status": "rejected"
}API Keys
/api-keysCreate API key
Generate a new API key for programmatic access. The full key is returned only once in this response — store it securely. Keys are stored as SHA-256 hashes.
The key field is only returned on creation. Store it immediately.
{
"id": "key_4f5e6d7c",
"key": "tropic_live_sk_a1b2c3d4e5f6g7h8i9j0...",
"prefix": "tropic_live_sk_a1b2",
"createdAt": "2026-02-19T10:00:00.000Z"
}/api-keysList API keys
Returns all API keys for the authenticated user. Only the key prefix is shown — the full key is never returned after creation.
[
{
"id": "key_4f5e6d7c",
"prefix": "tropic_live_sk_a1b2",
"lastUsedAt": "2026-02-20T08:30:00.000Z",
"createdAt": "2026-02-19T10:00:00.000Z"
}
]/api-keys/:idRevoke API key
Permanently revoke an API key. Any requests using this key will immediately return 401.
{ "success": true }Credits
/credits/:userId/balanceGet balance
Returns the user's current credit balance. VM runtime costs 5 credits/hour, deducted every 5 minutes.
{
"balance": 847.5,
"userId": "user_abc123"
}/credits/:userId/transactionsGet transactions
Returns the credit transaction history for the user, ordered by most recent first.
[
{
"id": "txn_1a2b3c",
"amount": 1000,
"type": "purchase",
"description": "1000 credits ($25.00)",
"createdAt": "2026-02-19T10:00:00.000Z"
},
{
"id": "txn_4d5e6f",
"amount": -0.42,
"type": "vm_runtime",
"description": "VM runtime (5 min)",
"createdAt": "2026-02-19T10:05:00.000Z"
}
]/credits/create-checkout-sessionCreate checkout session
Creates a Stripe Checkout session for purchasing credits. Returns a URL to redirect the user to.
{
"quantity": 1000,
"successUrl": "https://tropic.bot/credits?success=true",
"cancelUrl": "https://tropic.bot/credits"
}{
"url": "https://checkout.stripe.com/c/pay/cs_live_..."
}VM
/vm/:userId/startStart VM
Start the user's EC2 virtual machine. If no VM exists, one is provisioned from the custom AMI. Captures the client's IP for SSH access.
{
"status": "provisioning",
"instanceId": "i-0abc123def456"
}/vm/:userId/stopStop VM
Stop the user's VM. The instance is stopped (not terminated), preserving data on the EBS volume.
{
"status": "stopping"
}/vm/:userId/statusGet VM status
Returns the current VM status. Possible values: stopped, provisioning, starting, running.
{
"status": "running",
"instanceId": "i-0abc123def456",
"publicIp": "54.123.45.67",
"region": "ap-southeast-1"
}/vm/:userId/openclaw/gateway/statusGet gateway status
Returns the OpenClaw gateway status on the VM. The gateway is the HTTP/WebSocket server that handles chat sessions.
{
"gatewayStatus": "running",
"uptime": 3600
}/vm/:userId/openclaw/gateway/restartRestart gateway
Restarts the OpenClaw gateway systemd service on the VM via SSM.
{
"status": "restarting"
}Settings
/settings/:userId/commandsGet command bundles
Returns the user's enabled command bundles. Available bundles: browser-search, code-execution, os-commands.
{
"bundles": ["browser-search", "code-execution"]
}/settings/:userId/commandsUpdate command bundles
Set which command bundles are enabled for the user's agent. Changes are synced to the VM if running.
{
"bundles": ["browser-search", "code-execution", "os-commands"]
}{
"bundles": ["browser-search", "code-execution", "os-commands"]
}/settings/:userId/firewall-rulesGet firewall rules
Returns the user's firewall rules by port. Each port maps to a list of allowed CIDR blocks.
{
"rules": {
"22": ["203.0.113.45/32"],
"80": ["0.0.0.0/0"],
"443": ["0.0.0.0/0"],
"18789": []
}
}/settings/:userId/firewall-rulesUpdate firewall rules
Replace the firewall rules for all ports. Rules are applied to the VM's security group immediately.
{
"rules": {
"22": ["203.0.113.45/32"],
"80": ["0.0.0.0/0"],
"443": ["0.0.0.0/0"]
}
}{ "success": true }/settings/:userId/current-ipDetect current IP
Returns the public IP address of the requesting client. Useful for populating the "My IP" button in firewall settings.
{
"ip": "203.0.113.45"
}Instances
/instances/:userId/localRegister local instance
Register a local OpenClaw installation as a managed instance. Returns an activation code that must be verified on the local machine.
{
"name": "My MacBook",
"description": "Local development machine"
}{
"id": "inst_3c4d5e6f",
"type": "local",
"name": "My MacBook",
"status": "pending",
"activationCode": "TRPC-A1B2-C3D4"
}/instances/:userIdList instances
Returns all managed instances (EC2 and local) for the user.
[
{
"id": "inst_3c4d5e6f",
"type": "local",
"name": "My MacBook",
"status": "active",
"lastSeenAt": "2026-02-20T08:30:00.000Z"
},
{
"id": "inst_7g8h9i0j",
"type": "ec2",
"name": "Cloud VM",
"status": "running",
"instanceId": "i-0abc123def456"
}
]/instances/:userId/:idUpdate instance
Update an instance's name or description.
{
"name": "Work Laptop",
"description": "Office machine"
}{
"id": "inst_3c4d5e6f",
"name": "Work Laptop",
"description": "Office machine"
}/instances/:userId/:idRemove instance
Unregister a managed instance. For EC2 instances, this does not terminate the VM.
{ "success": true }Credentials
/credentials/:userId/claude-keySave Claude API key
Encrypt and store a Claude API key. The key is encrypted with AES-256-GCM before storage and synced to the VM on next start.
{
"apiKey": "sk-ant-api03-..."
}{ "success": true }/credentials/:userId/ssh-keyDownload SSH key
Download the SSH private key for the user's VM. Returns a .pem file. The key is only available once — store it securely.
-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA... -----END RSA PRIVATE KEY-----
Errors
All errors return a consistent JSON body with a status code, message, and error type.
{
"statusCode": 404,
"message": "Agent agt_7b2c1d3e not found",
"error": "Not Found"
}400Bad Request401Unauthorized403Forbidden404Not Found429Rate Limited500Server Error