API
Lelu exposes two HTTP APIs: the Engine API for runtime authorization and tokens, and the Platform API for policies and audit operations.
Base URLs
Use the Engine API for agent and human authorization decisions, and the Platform API for policy and audit management.
Engine API (Default: http://localhost:8082)
Runtime endpoints for authorization, queue approvals, token lifecycle, and health.
Platform API (Default: http://localhost:9090)
Control-plane endpoints for policy CRUD, audit queries, and ingest.
Authentication
Most endpoints require Authorization: Bearer <API_KEY>. Health endpoints are public.
Engine authorize example
curl -X POST http://localhost:8082/v1/authorize \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "tenant_id": "default",
    "user_id": "user_123",
    "action": "view_invoices",
    "resource": {"type": "invoice", "id": "42"}
  }'
Engine Routes
| Method | Path | Purpose |
|---|---|---|
| POST | /v1/authorize | Authorize human user action. |
| POST | /v1/agent/authorize | Authorize AI agent action with confidence gates. |
| POST | /v1/tokens/mint | Mint short-lived scoped token. |
| DELETE | /v1/tokens/{tokenID} | Revoke token by ID. |
| GET | /v1/queue/pending | List pending human-review items. |
| GET | /v1/queue/{id} | Get one queue item. |
| POST | /v1/queue/{id}/approve | Approve queued action. |
| POST | /v1/queue/{id}/deny | Deny queued action. |
| GET | /healthz | Engine health check. |
| GET | /metrics | Prometheus metrics. |
Platform Routes
| Method | Path | Purpose |
|---|---|---|
| GET | /api/v1/policies | List policies. |
| GET | /api/v1/policies/{name} | Get one policy. |
| PUT | /api/v1/policies/{name} | Create or update policy. |
| DELETE | /api/v1/policies/{name} | Delete policy. |
| GET | /api/v1/audit | Query audit events. |
| GET | /api/v1/audit/trace/{traceID} | Get events by trace ID. |
| POST | /api/v1/audit/ingest | Append audit event (engine ingestion). |
| GET | /healthz | Platform health check. |
Standard Response Format
Lelu APIs return JSON responses. Successful requests return 2xx. Errors return 4xx/5xx with an error payload.
Error Response (400 Bad Request)
{
  "error": "confidence: confidence out of range"
}
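An added example (not Lelu's own client code) of calling the Engine authorize endpoint from Python and failing closed: anything other than a 2xx JSON object raises, so a caller cannot mistake an error payload or an outage for an allow. The names `LeluError`, `parse_response`, `build_request` and `authorize` are hypothetical, and the 2xx body is returned uninterpreted because this page does not document its fields.

```python
import json
import urllib.error
import urllib.request

ENGINE_URL = "http://localhost:8082"  # Engine API default from this page


class LeluError(Exception):
    """Any non-2xx or unparseable response. Callers must treat it as a deny."""

    def __init__(self, status, message):
        super().__init__(f"{status}: {message}")
        self.status, self.message = status, message


def parse_response(status, body):
    """Return the JSON object of a 2xx response; raise LeluError otherwise."""
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        raise LeluError(status, "body is not valid JSON")
    if not isinstance(payload, dict):
        raise LeluError(status, "body is not a JSON object")
    if 200 <= status < 300:
        return payload
    # 4xx/5xx carry {"error": "..."} per the Standard Response Format
    raise LeluError(status, str(payload.get("error", "unknown error")))


def build_request(api_key, tenant_id, user_id, action, resource):
    """Build the POST /v1/authorize request with the Bearer API key."""
    body = {"tenant_id": tenant_id, "user_id": user_id,
            "action": action, "resource": resource}
    return urllib.request.Request(
        ENGINE_URL + "/v1/authorize", data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": "Bearer " + api_key,
                 "Content-Type": "application/json"})


def authorize(api_key, **fields):
    """Send the request; timeouts and connection errors also fail closed."""
    try:
        with urllib.request.urlopen(build_request(api_key, **fields), timeout=5) as resp:
            return parse_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_response(err.code, err.read())
    except OSError as err:  # URLError, timeouts, refused connections
        raise LeluError(0, f"engine unreachable: {err}")
```

Load the API key from a secret store or environment variable at call time rather than embedding it in source.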