Skip to content
Wicket

REST API reference

The REST API powers the Wicket dashboard and is available for automation. It is distinct from the MCP proxy endpoint (/mcp, Bearer member key) — REST calls authenticate with your dashboard session cookie (magic-link sign-in, plus MFA where required).

Agents

MethodPathDescription
GET/api/agentsList agents (owned and member-of). Supports search, status, role, sortBy, sortDir, limit, offset
POST/api/agentsCreate an agent
GET/api/agents/:idAgent detail
PUT/api/agents/:idUpdate name/tags (owner)
DELETE/api/agents/:idDelete the agent (owner)
PUT/api/agents/:id/statusToggle active/disabled (owner) — disabling blocks all proxy calls immediately
PUT/api/agents/:id/servicesSet enabled connectors (owner)

Members and keys

MethodPathDescription
POST/api/agents/:id/inviteCreate a signed invite link (7-day validity; owner)
POST/api/agents/:id/joinJoin with an invite token (invited email must match)
GET/api/agents/:id/membersList members with status
PUT/api/agents/:id/members/:memberId/statusApprove a pending member (owner)
POST/api/agents/:id/members/:memberId/rejectReject a pending member (owner)
DELETE/api/agents/:id/members/:memberIdRemove a member — invalidates their key (owner)
PUT/api/agents/:id/members/:memberId/keyGenerate or rotate the member key (self)
DELETE/api/agents/:id/members/:memberId/keyRevoke the key
POST/api/agents/:id/members/:memberId/key/reset-lostReset a lost key — clears connections that can no longer be decrypted so the member can reconnect
GET/api/agents/:id/members/:memberId/connectionsThe member’s service connections (metadata only — never tokens)
GET/api/agents/:id/onboardingMember onboarding status (connections, key state)

Connectors and credentials

MethodPathDescription
GET/api/connectors/metaDisplay metadata for all connectors
GET/api/tools/catalogAggregated tool catalog; filter per service
PUT/api/agents/:id/services/:service/credentialsSet the agent’s OAuth app credentials for a connector (owner). Slack, Linear, Stripe, and Hugging Face also accept a webhookSecret, or a clearWebhookSecret: true flag to remove a stored secret
GET/api/agents/:id/services/credentialsWhich connectors have credentials configured
DELETE/api/agents/:id/services/:service/credentialsRemove credentials
DELETE/api/agents/:id/connect/:serviceDisconnect your own OAuth connection for a service
GET/api/agents/:id/entities/:service/:typeHarvested entities (repos, channels, teams, …) for policy pickers

Policies

All policy routes are agent-scoped:

MethodPathDescription
GET/api/agents/:id/policiesList policies. Supports search, service, effect, enabled, sorting, pagination
POST/api/agents/:id/policiesCreate a policy
PUT/api/agents/:id/policies/:policyIdUpdate a policy
DELETE/api/agents/:id/policies/:policyIdDelete a policy
POST/api/agents/:id/policies/:policyId/toggleEnable/disable without deleting
GET/api/agents/:id/policies/:policyId/versionsVersion history with snapshots
POST/api/agents/:id/policies/previewCompile a draft to Cedar without saving
POST/api/agents/:id/policies/simulateReplay recent audit traffic against a draft — see Preview and simulation

Audit

MethodPathDescription
GET/api/auditQuery audit entries — see Audit event schema for parameters
GET/api/audit/exportCSV export. Same filters, plus exportAll and max (cap 500 per request)
GET/api/audit/membersMember identities appearing in your audit data (for filter dropdowns)

Sessions

MethodPathDescription
GET/api/agents/:id/sessionsTool sessions for the agent (owner)
GET/api/agents/:id/my-sessionsYour own tool sessions
GET/api/agents/:id/sessions/:sessionId/activityPer-session tool usage and policy hit counts
POST/api/agents/:id/sessions/:sessionId/resetTerminate a session — session-condition counters start fresh

Dashboard and account

MethodPathDescription
GET/api/dashboard/statsAggregate counters (calls, allow/deny, agents, policies)
GET/api/dashboard/member-statsPer-member activity breakdown
GET/api/auth/statusCurrent session state
POST/api/auth/logoutEnd the session
GET/api/users/me/sessionsActive dashboard sessions for your account
GET/api/statusService health

Examples

List your agents:

GET /api/agents?status=active&role=owner&limit=20
{
  "agents": [
    {
      "id": "a1b2c3d4-…",
      "name": "my-first-agent",
      "tags": ["eng"],
      "type": "trusted",
      "status": "active",
      "allowedServices": ["github", "slack"],
      "key": { "displaySuffix": "…k4Qz", "lastUsedAt": "2026-06-12T14:02:11.000Z" },
      "membership": { "id": "m9z8…", "role": "owner", "status": "approved", "memberCount": 4 },
      "connections": [{ "service": "github", "identityInfo": { "login": "alice" } }],
      "policyCount": 6,
      "createdAt": "2026-05-02T09:12:00.000Z"
    }
  ],
  "total": 1
}

List an agent’s policies (filtered):

GET /api/agents/a1b2c3d4-…/policies?service=github&effect=forbid&enabled=true
{
  "policies": [
    {
      "id": "p_31xy…",
      "policyKey": "block-github-destructive-tools",
      "name": "Block GitHub destructive tools",
      "service": "github",
      "effect": "forbid",
      "tools": ["delete_file", "merge_pull_request"],
      "principal": { "type": "all_members" },
      "enabled": true,
      "triggerCount": 17,
      "lastTriggered": "2026-06-11T22:40:09.000Z",
      "denyMessage": "Destructive GitHub operations are blocked."
    }
  ],
  "total": 1
}

Query denied audit entries:

GET /api/audit?result=DENY&service=github&limit=50
{
  "entries": [
    {
      "timestamp": "2026-06-12T15:21:43.000Z",
      "agentName": "my-first-agent",
      "user": "bob@example.com",
      "service": "github",
      "tool": "delete_file",
      "decision": "DENY",
      "reason": "Destructive GitHub operations are blocked.",
      "matchedPolicyNames": ["Block GitHub destructive tools"],
      "durationMs": 12
    }
  ],
  "total": 1
}

See Audit event schema for every entry field.