# Agent Operations API Reference

Canonical: https://docs.flowrelay.app/reference/api/
Markdown: https://docs.flowrelay.app/reference/api.md

Agent Operations API as the canonical machine access contract for scoped reads and governed action intents.

## Start with the manifest
Use the manifest before authenticated calls. It identifies the Shopify Flow edition, capability URLs, safety boundaries, OpenAPI location, docs index, CLI reference, MCP reference, and current public docs pointers.

- Route: GET /agent/v1/manifest; Use it for: Edition identity, capability metadata, docs URLs, and safety boundaries.
- Route: https://docs.flowrelay.app/llms.txt; Use it for: Canonical human and Markdown docs discovery.
- Route: https://docs.flowrelay.app/reference/openapi/agent-operations.openapi.json; Use it for: Exact request and response contract discovery.

## Authentication model
Authenticated Agent Operations use merchant-authorized grant tokens. Public examples must never include real bearer tokens, grant tokens, auth headers, Shopify tokens, sessions, or private endpoint material.

- Signal: scope; How to use it: Confirms whether the grant permits the read, preview, or execution.
- Signal: actor; How to use it: Preserves human or authorized-agent attribution.
- Signal: refusal; How to use it: Explains why an action is outside authority or unsafe.

## Reads
Read routes return safe setup, event history, receipt, diagnostics, plan, and grant facts without exposing raw private material unless the product explicitly authorizes that surface.

- Read area: Setup and endpoints; Purpose: Explain how the sender, event type, auth mode, and Shopify Flow trigger are configured.
- Read area: Events and receipts; Purpose: Find what FlowRelay accepted, where the handoff stopped, and what recovery options exist.
- Read area: Diagnostics and plan state; Purpose: Prepare support-safe collaboration and understand usage limits.

## Action intents
Side-effecting operations use preview, confirmation, idempotency, metering, audit, and refusal semantics. Use the action-intents reference before replay, diagnostics share, endpoint edit, rotation, delete, or test execution.

## Errors and schemas
Use stable error codes and generated schemas for exact fields. The prose docs explain product meaning; the generated OpenAPI contract explains exact request and response shape.

## Example Surface
- `GET /agent/v1/manifest`
- `GET /agent/v1/events`
- `POST /agent/v1/events/{eventId}/replay-intents`

## Safety Boundary
Do not include raw payloads, endpoint secrets, auth headers, HMAC values, Shopify tokens, Shopify sessions, database URLs, customer data, merchant incidents, or copied private logs in public examples.