# CertLocker Agent API

CertLocker exposes agent-oriented HTTPS APIs for scoped MCP sessions, certificate fetching, secret lookup and retrieval, SSH session creation, host discovery, approval requests, probes, and audit event submission.

Primary documentation:

- OpenAPI JSON: https://docs.certlocker.io/public-agent-openapi.json
- Interactive API docs: https://docs.certlocker.io/
- Production API base URL: https://trust.certlocker.io

Authentication:

- Send a CertLocker token in the `x-api-token` HTTP header.
- Agent integrations should use scoped MCP tokens with short lifetimes.
- Do not embed tokens in source code, prompts, browser clients, or logs.

Important paths:

- `/api/agent/session/start`
- `/api/agent/session/end`
- `/api/agent/secrets`
- `/api/agent/secrets/{id}`
- `/api/agent/certificates/{id}`
- `/api/agent/ssh/session`
- `/api/agent/probes`
- `/api/agent/approval/request`
- `/api/agent/audit/event`

Sensitive operations:

- Secret fetch endpoints can return raw secret values.
- Certificate bundle fetch endpoints can include private keys.
- Treat all returned material as confidential and store it only in approved runtime secret stores.
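
An added example, not part of CertLocker's documentation or code: one way to follow the token guidance above in Python, by reading the token from the environment, attaching it only to HTTPS requests for the production host, and redacting `x-api-token` values before they reach a log. The variable name `CERTLOCKER_TOKEN` and the helpers `build_request`, `redact` and `TokenRedactingFilter` are assumptions; the HTTP method comes from the caller because this page does not list methods.

```python
import logging
import os
import re
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://trust.certlocker.io"  # production base URL from this page
ALLOWED_HOST = "trust.certlocker.io"
TOKEN_ENV = "CERTLOCKER_TOKEN"            # assumed name, not defined by CertLocker

# Matches "x-api-token: v", "x-api-token=v" and dict reprs like 'X-api-token': 'v'.
_TOKEN_RE = re.compile(r"(?i)(x-api-token['\"]?\s*[:=]\s*['\"]?)([^\s'\",}]+)")


def build_request(path, method, env=None, base_url=BASE_URL):
    """Build (without sending) a request that carries the token in x-api-token.

    The method is supplied by the caller from the OpenAPI document.
    """
    env = os.environ if env is None else env
    parts = urlsplit(base_url)
    # Never attach the token to plain HTTP or to a different host.
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        raise ValueError("refusing to attach token to a non-HTTPS or unknown host")
    if not path.startswith("/api/agent/") or ".." in path:
        raise ValueError("path is outside the agent API")
    token = env.get(TOKEN_ENV)
    if not token:
        raise RuntimeError(TOKEN_ENV + " is not set")
    req = urllib.request.Request("https://" + ALLOWED_HOST + path, method=method)
    req.add_header("x-api-token", token)  # urllib stores the key as "X-api-token"
    return req


def redact(text):
    """Replace any x-api-token value in text with a fixed marker."""
    return _TOKEN_RE.sub(r"\1[REDACTED]", text)


class TokenRedactingFilter(logging.Filter):
    """Logging filter that scrubs token header values from formatted messages."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted
        return True
```

Attach the filter to each handler (`handler.addFilter(TokenRedactingFilter())`) so records from any logger are scrubbed before they are written.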