Scan an agent tool invocation before executing it

curl --request POST \ --url https://api.antidote.example.com/api/runtime-security/scan/tool-call \ --header 'Content-Type: application/json' \ --header 'X-API-Key: <api-key>' \ --data ' { "tool_name": "http_get", "arguments": { "url": "http://169.254.169.254/latest/meta-data/iam" } } '

{ "uuid": "<string>", "reasons": [ { "detail": "<string>" } ], "redacted_arguments": "<unknown>", "pii": { "count": 123, "categories": [ "<string>" ], "findings": [ { "type": "<string>", "subtype": "<string>", "score": 0.5, "snippet": "<string>", "start": 1, "end": 1, "extra": {} } ] }, "arg_bytes": 123, "latency_ms": 123, "blocked_reason": "<string>" }

Authorizations

X-API-Key

string

header

required

Antidote workspace API key (ak_live_…). Use this header for the scan API and the OpenAI proxy routes. The required permission scope is runtime_security.scan for scan endpoints, runtime_security.view for read-only analytics, and runtime_security.manage for configuration changes.

Body

application/json

tool_name

string

required

Maximum string length: 200

arguments

any

Tool arguments — any JSON value (dict / list / string / number).

source_app

string

Maximum string length: 128

provider

string

Maximum string length: 32

model

string

Maximum string length: 128

metadata

object

Response

Verdict + reasons

uuid

string

required

verdict

enum<string>

required

Available options:

allow,

redact,

block

reasons

object[]

required

Show child attributes

redacted_arguments

any

required

Original arguments with PII string leaves masked.

pii

object

required

Show child attributes

arg_bytes

integer

required

JSON-serialised size of the arguments.

latency_ms

integer

required

blocked_reason

string | null