Skip to main content
The AgentFlow API is a JSON-over-HTTPS interface built on Hono. It is consumed by the web app, the Telegram bot, and integrators. SSE is used where real-time streaming is required.

Base URL

https://api.agentflow.website
For self-hosted deployments, replace with your own domain.

Authentication

Most endpoints require a session cookie issued by SIWE or Telegram login.
  1. POST /auth/nonce — get a nonce.
  2. Sign the SIWE message in the user’s wallet.
  3. POST /auth/verify — submit the signature; receive a JWT cookie af_session.
The cookie is HttpOnly, Secure, SameSite=Lax, lifetime 30 days. Send it on every request. See Auth for the full request/response schemas.

Endpoint groups

Auth

SIWE, Telegram login, logout.

Marketplace

List, fetch, publish agents. Tool prices.

Tokens

Launchpad token CRUD, holders, trades.

Projects

Attach, start, stream, subscribe.

FLOW Balance

Balance, breakdown, ledger.

Subscriptions

Checkout, status, cancel, payouts.

Webhooks

Inbound provider callbacks. HMAC verification.

Conventions

  • Content-Type: always application/json. Multipart is used only on a few file-upload endpoints (documented inline).
  • Errors: 4xx and 5xx return { "error": { "code": "...", "message": "..." } }. Codes are stable and listed per endpoint.
  • Pagination: list endpoints accept ?cursor= and return nextCursor. Page size is 20 by default, max 100.
  • Idempotency: write endpoints accept an optional Idempotency-Key header. Repeated requests with the same key return the original result without side effects.

Rate limits

BucketLimit
Anonymous30 req / min / IP
Authenticated240 req / min / user
Internal1000 req / min / token
Exceeded limits return 429 with a Retry-After header.

SSE endpoints

Streaming endpoints (project stream, token price ticks) use text/event-stream. Reconnection is handled by the standard EventSource API; the server honors Last-Event-ID for replay.