# Set your API key.
# "your-api-key-here" is a placeholder: substitute the real key in your own
# shell session only, and keep it out of scripts and repositories you commit.
API_KEY="your-api-key-here"
export API_KEY
export BASE_URL="https://halm-mvp.abacusai.app"

Submit a proposal for policy evaluation. Returns ALLOW, DENY, or HELD_FOR_VETO.
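# Submit a proposal for policy evaluation.
# The X-API-Key header is fed to curl on stdin (-H @-, curl 7.55.0 or newer)
# so the key does not appear in curl's argument list, which other local users
# can read from the process table. printf is a shell builtin, so it adds no
# argv exposure of its own.
# The URL is quoted so an unexpected character in BASE_URL cannot be split or
# glob-expanded by the shell.
printf 'X-API-Key: %s\n' "$API_KEY" |
  curl -X POST "$BASE_URL/api/authorize" \
    -H "Content-Type: application/json" \
    -H @- \
    -d '{
"proposalId": "prop-001",
"action": "data:write",
"resource": "users",
"context": { "agentId": "agent-1" }
}'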
# Response:
# { "status": "ALLOW", "allowed": true, "rule": "default-allow", ... }

Execute an authorized action. Idempotent: duplicate calls return 409 (already executed) instead of running the action a second time.
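# Execute the authorized action (idempotent).
# The X-API-Key header is fed to curl on stdin (-H @-, curl 7.55.0 or newer)
# so the key does not appear in curl's argument list, which other local users
# can read from the process table.
# The URL is quoted so an unexpected character in BASE_URL cannot be split or
# glob-expanded by the shell.
printf 'X-API-Key: %s\n' "$API_KEY" |
  curl -X POST "$BASE_URL/api/execute" \
    -H "Content-Type: application/json" \
    -H @- \
    -d '{ "proposalId": "prop-001", "payload": {} }'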
# Response:
# { "success": true, "executedAt": "2026-02-25T12:00:00Z", ... }

Get proof packets for auditors. Verify webhook signatures with HMAC-SHA256, comparing the computed and received values with a constant-time comparison.
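# Get integrity proof for auditors.
# The X-API-Key header is fed to curl on stdin (-H @-, curl 7.55.0 or newer)
# so the key does not appear in curl's argument list, which other local users
# can read from the process table.
printf 'X-API-Key: %s\n' "$API_KEY" |
  curl "$BASE_URL/api/proof/packet?proposalId=prop-001" \
    -H @-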
# Response includes:
# - Decision hash + execution hash
# - Merkle proof + anchor reference
# - Config snapshot + replay grade

- X-RateLimit-Limit — Requests allowed per window
- X-RateLimit-Remaining — Requests remaining
- X-RateLimit-Reset — Window reset time (Unix)
- Retry-After — Seconds to wait (on 429)

On 429 (rate limited) or 503 (service unavailable), use exponential backoff: wait 1s, 2s, 4s, 8s. Max 3 retries. Respect the Retry-After header when present.

| Code | Meaning | Action |
|---|---|---|
| 401 | Missing/invalid API key | Check X-API-Key header |
| 403 | Policy denied | Proposal not authorized |
| 404 | Not found | Check proposal ID |
| 409 | Already executed | Idempotency guard |
| 429 | Rate limited | Retry with backoff |
| 503 | Maintenance mode | Retry after Retry-After |