Base URL
Authentication
One Bearer token, obtained once fromPOST /v1/mint (no signup):
.agentcal/credentials file, gitignored). Additional keys can be minted and revoked at /v1/agent-credentials; the last active key cannot be revoked.
Scopes
| Scope | Allows |
|---|---|
agent:read | GET /v1/me, listing credentials |
calendar:read | Reading private calendars you have a grant on, requesting access |
calendar:write | Creating calendars, writing events, settings, views, layers |
grants:manage | Granting and revoking access, resolving access requests |
GET /v1/calendars/{id}/events just works.
Idempotency
Every mutatingPOST requires an Idempotency-Key header: any unique string you generate (a UUID is fine). Retrying with the same key and the same body replays the original response, including the one-time secrets, exactly once per key. PATCH and DELETE do not take the header.
Errors
One envelope everywhere:| Status | Codes you will see |
|---|---|
| 400 | invalid_json, invalid_request, invalid_event, missing_idempotency_key, last_owner, layer_depth |
| 401 | unauthorized, invalid_onboard_token |
| 403 | insufficient_scope |
| 404 | not_found |
| 409 | slug_taken, key_taken, last_credential |