Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.actionlayer.dev/llms.txt

Use this file to discover all available pages before exploring further.

Every request to the ActionLayer API uses a Bearer token in the Authorization header. 
Authorization: Bearer YOUR_API_KEY
Sign-in to the dashboard is email + password only as of v0.26.2. Programmatic access is always API key.

API Key Format

ActionLayer keys look like: 
nc_live_<32 alphanumeric characters>
The full key is shown exactly once at creation time. Only a hashed copy is stored — there is no way to retrieve a key after it’s dismissed. If you lose it, revoke it and create a new one.

Getting Your First Key

  1. Sign in to app.actionlayer.dev.
  2. Open Settings → API Keys.
  3. Click Create API Key, give it a name (e.g. production-agent), and copy the value immediately.
Treat API keys like passwords. Never commit them to source control, never embed them in client-side code, never paste them into shared docs. Store them in a secrets manager or .env file.

Creating Additional Keys

curl -X POST https://api.actionlayer.dev/v1/api-keys \
  -H "Authorization: Bearer $ACTIONLAYER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "production-agent"}'
Response: 
{
  "id": "key_abc123",
  "name": "production-agent",
  "key": "nc_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "prefix": "nc_live_xxxx",
  "created_at": "2026-04-30T12:00:00Z"
}
The plaintext key field is present only on this initial response. Subsequent GET /v1/api-keys calls return only the prefix.

Revoking a Key

curl -X DELETE https://api.actionlayer.dev/v1/api-keys/{key_id} \
  -H "Authorization: Bearer $ACTIONLAYER_API_KEY"
Revocation is immediate and permanent. Any in-flight requests using the revoked key will fail with 401 unauthorized.

Scopes

Keys created in the dashboard have full workspace access. ActionLayer enforces scopes server-side on every request:
ScopeEndpoints
read:threadsGET /threads, GET /threads/{id}
write:draftsPOST /drafts, PATCH /drafts/{id}, POST /drafts/{id}/approve|reject
write:emailsPOST /emails/send, POST /emails/reply, POST /drafts/{id}/send
read:identities / write:identitiesIdentity CRUD
read:rules / write:rulesRule CRUD
read:billingGET /billing/subscription
A 401 with "error": "insufficient_scope" means the key isn’t permitted for that endpoint.

Rate Limits

Endpoint classLimit
Auth (/auth/*)5–60 requests/min depending on route
Read endpoints60/min
Write endpoints10–20/min
/drafts/{id}/notify (re-trigger notification)10/min
Exceeding a limit returns 429 with a Retry-After header in seconds.

Error Shape

All errors return a consistent JSON envelope: 
{
  "error": "unauthorized",
  "message": "Invalid or revoked API key"
}
Common codes:
HTTPerror codeMeaning
401unauthorizedMissing, malformed, or revoked key
401insufficient_scopeKey lacks the required scope
402plan_limit_reachedWorkspace exceeded its plan quota — response includes upgrade_url
404not_foundResource does not exist or is in another workspace
409stale_draftNewer inbound arrived after the draft was generated
422invalid_request / invalid_statusValidation error — message explains which field
429rate_limitedToo many requests — back off and retry