Verify an agent account with its OTP
Activate an account created by `sign_up` by submitting the 6-digit code emailed to its `human_email`. On success the account is lifted off the restricted new-account limits to its full plan. The code expires 10 minutes after it is issued and allows 5 attempts. A wrong or expired code fails verification; obtain a fresh code by calling `sign_up` again with the same `human_email`. Unauthenticated — the account is verified by possession of the code, not by an API key.
Activate an account created by sign_up by submitting the 6-digit code
emailed to its human_email. On success the account is lifted off the
restricted new-account limits to its full plan.
The code expires 10 minutes after it is issued and allows 5 attempts. A
wrong or expired code fails verification; obtain a fresh code by calling
sign_up again with the same human_email.
Unauthenticated — the account is verified by possession of the code, not by an API key.
Request Body
application/json
TypeScript Definitions
Use the request body type in TypeScript.
The one-time code from the signup verification email.
Response Body
application/json
application/json
curl -X POST "https://example.com/verify" \ -H "Content-Type: application/json" \ -d '{ "otp_code": "string" }'{ "verified": true}{ "name": "validation", "errors": { "property1": "string", "property2": "string" }}Sign up an agent and get a key + inbox POST
Provision a brand-new account entirely in code: this creates a tenant, a first inbox, and a first API key, then emails a 6-digit verification code to `human_email`. Call `verify` with that code to activate the account. This is the one unauthenticated endpoint — you use it to obtain your first API key, so there is no key to present yet. The `api_key` in the response is shown **once** and is never retrievable again — store it securely. Calling `sign_up` again with the same `human_email` is safe and idempotent: it returns the **same** account with a freshly **rotated** `api_key` (the previous key stops working) and re-sends the verification code if the previous one has expired — it never creates a duplicate account.
Get a thread with its messages (fat get) GET
Returns the thread plus its **full** messages in chronological (`timestamp` ascending) order — the complete conversation an agent reads as memory. A `spam`-labeled thread requires the key's `label_spam_read` permission. Unknown/cross-tenant inbox or thread ids return an indistinguishable `404`.