Base URL & versioning
All endpoints use the /v1/ prefix (rewritten to internal routes). Example: POST https://api.hardalion.com/v1/agents/execute.
Authentication
Send Authorization: Bearer hdl_live_… or hdl_test_…. Keys are scoped; missing scope returns insufficient_scope.
Errors
Errors use a Stripe-style object: error.code, error.message, optional error.param, and error.doc_url pointing at stable anchor IDs on this site.
Agents API
POST /v1/agents/execute — sync or streamed agent runs with tool calling. See the dashboard code samples for TypeScript.
Financial tools
POST /v1/tools/… — AML, risk, payments, documents. Path segments map to the tool registry (aml/screen, risk/calculate-var, etc.).
MFA API
Passkey registration and authentication under /v1/mfa/passkey/…. Behavioral endpoints return 501 until enabled. Manage credentials with GET/DELETE /v1/mfa/credentials/:id.
Triggers API
/v1/triggers — create cron/signal triggers with webhook actions; pause, resume, fire, and fetch logs per trigger.
Nexus public compliance API
These routes live on Nexus web (/api/v1/public/…) and accept Authorization: Bearer hnx_live_… workspace keys with api or compliance:read scope. Responses use a stable envelope: success, data, meta.requestId, meta.latencyMs.
Stateless MiFID II pre-trade checks (client category, suitability/appropriateness signals, best execution, leverage, optional LEI/ISIN). Returns compliancePassed and per-rule ComplianceResult objects.
DORA Art. 18 style ICT incident classification (MAJOR / SIGNIFICANT / STANDARD) with remediation copy.
ISO 17442 LEI format and MOD 97-10 checksum validation (no external registry lookup).
SDKs
NPM packages: @hardalion/sdk (unified), @hardalion/agents, @hardalion/tools, @hardalion/mfa, @hardalion/triggers, and @hardalion/sdk-core. Paths default to /v1/….
import { Hardalion } from '@hardalion/sdk'
const client = new Hardalion({ apiKey: process.env.HARDALION_API_KEY! })
await client.agents.execute({ ... })