Secure Tool API Reference
Complete REST API contract for secure tool providers.
Authentication Model
Secure tools use a two-tier authentication model based on caller origin:
| Endpoint | Caller | Auth Method |
|---|---|---|
/install | ORC | X-Daisi-Auth shared secret header |
/uninstall | ORC | X-Daisi-Auth shared secret header |
/configure | Manager UI (direct) | Known installId (registered via /install) |
/execute | Consumer Host (direct) | sessionId validated via ORC callback |
/auth/status | Manager UI (direct) | Known installId (registered via /install) |
The installId is an opaque, unguessable identifier generated by the ORC on purchase. It serves as a bearer token for consumer-originated calls.
Reject requests with unknown installId values with HTTP 403.
POST /install
Called by the ORC when a user purchases the tool. Register the installation so subsequent configure/execute calls can be validated.
Request
POST {baseUrl}/install
Content-Type: application/json
X-Daisi-Auth: {sharedSecret}
{
"installId": "inst-260215143022-abcdef",
"toolId": "weather-lookup",
"bundleInstallId": "binst-260215143022-shared"
}
Request Fields
| Field | Type | Description |
|---|---|---|
installId | string | Opaque identifier for this installation. Store this to validate future requests. |
toolId | string | The tool ID as defined in the marketplace item. |
bundleInstallId | string? | Optional. Present when the tool is part of a Plugin bundle. All tools in the bundle share this ID. Use it to key OAuth tokens so users only authenticate once per bundle. |
Response
{ "success": true }
POST /uninstall
Called by the ORC when a purchase is deactivated (subscription expired, cancelled, etc.). Clean up stored data for this installation.
Request
POST {baseUrl}/uninstall
Content-Type: application/json
X-Daisi-Auth: {sharedSecret}
{
"installId": "inst-260215143022-abcdef"
}
Response
{ "success": true }
POST /configure
Called directly by the Manager UI when a user saves their setup data (API keys, credentials). No ORC relay.
Request
POST {baseUrl}/configure
Content-Type: application/json
{
"installId": "inst-260215143022-abcdef",
"toolId": "weather-lookup",
"setupValues": {
"apiKey": "sk-...",
"region": "US"
}
}
Request Fields
| Field | Type | Description |
|---|---|---|
installId | string | The installation identifier (registered via /install). Validate that this is known. |
toolId | string | The tool ID as defined in the marketplace item. |
setupValues | object | Key-value pairs matching the setup parameters defined in the marketplace item. |
Response
// Success
{ "success": true }
// Error
{ "success": false, "error": "Invalid API key format" }
POST /execute
Called directly by consumer hosts when the AI invokes the tool during inference. The request contains a sessionId instead of an installId. Your server must validate the session by calling the ORC validation endpoint before executing.
Request
POST {baseUrl}/execute
Content-Type: application/json
{
"sessionId": "sess-260218120000-xyz789",
"toolId": "weather-lookup",
"parameters": [
{ "name": "city", "value": "San Francisco" },
{ "name": "units", "value": "fahrenheit" }
]
}
Request Fields
| Field | Type | Description |
|---|---|---|
sessionId | string | Ephemeral session identifier provided by the consumer host. Validate this by calling the ORC validation endpoint to resolve the installId. |
toolId | string | The tool ID as defined in the marketplace item. |
parameters | array | Name/value pairs provided by the AI, matching the call parameters defined in the marketplace item. |
Response
// Success
{
"success": true,
"output": "72 F, Sunny with clear skies",
"outputFormat": "plaintext",
"outputMessage": "Current weather for San Francisco"
}
// Error
{
"success": false,
"errorMessage": "API rate limit exceeded. Please try again in 60 seconds."
}
Response Fields
| Field | Type | Description |
|---|---|---|
success | bool | Whether the tool executed successfully. |
output | string | The tool's output, returned to the AI. |
outputFormat | string | Format of the output: plaintext, json, markdown, html, or base64. |
outputMessage | string? | Optional message to accompany the output for additional context. |
errorMessage | string? | Error description when success is false. |
POST /auth/status
Called by the Manager UI to check whether an OAuth connection is active for a given installation and service. Only relevant for setup parameters with type oauth.
Request
POST {baseUrl}/auth/status
Content-Type: application/json
{
"installId": "inst-260215143022-abcdef",
"service": "office365"
}
Request Fields
| Field | Type | Description |
|---|---|---|
installId | string | The installation identifier (registered via /install). |
service | string | The service name matching the OAuth setup parameter name. |
Response
{
"connected": true,
"serviceName": "office365",
"userLabel": "Connected"
}
Response Fields
| Field | Type | Description |
|---|---|---|
connected | bool | Whether the OAuth connection is active. |
serviceName | string? | The service name echoed back. |
userLabel | string? | Optional display label (e.g. the connected user's email). |
POST /api/secure-tools/validate ORC Endpoint
This is an ORC endpoint that your provider server calls to validate a session before executing a tool. It resolves the ephemeral sessionId to the permanent installId associated with the purchase.
Request
POST {OrcValidationUrl}/api/secure-tools/validate
Content-Type: application/json
X-Daisi-Auth: {sharedSecret}
{
"sessionId": "sess-260218120000-xyz789",
"toolId": "weather-lookup"
}
Request Fields
| Field | Type | Description |
|---|---|---|
sessionId | string | The session identifier received from the consumer host in the /execute request. |
toolId | string | The tool ID being executed. The ORC verifies that this tool is part of the session's entitled tools. |
Request Headers
| Header | Description |
|---|---|
X-Daisi-Auth | Your shared secret, the same one used by the ORC for /install and /uninstall calls. This authenticates your server to the ORC. |
Response
// Valid session
{
"valid": true,
"installId": "inst-260215143022-abcdef",
"bundleInstallId": "binst-260215143022-shared"
}
// Invalid session
{
"valid": false,
"error": "Session not found or expired"
}
Response Fields
| Field | Type | Description |
|---|---|---|
valid | bool | Whether the session is valid and the tool is entitled. |
installId | string? | The permanent installation identifier. Only present when valid is true. Use this to look up stored configuration. |
bundleInstallId | string? | The shared bundle installation identifier. Only present when the tool is part of a Plugin bundle. |
error | string? | Error description when valid is false. |
sessionId without ORC confirmation.
If validation fails, return an error to the consumer host. Do not execute the tool.
ExecutionCreditCost on MarketplaceItemInfo
Marketplace items that charge per execution include an ExecutionCreditCost field in their item metadata.
This value represents the number of credits deducted from the consumer each time the tool is invoked.
| Field | Type | Description |
|---|---|---|
ExecutionCreditCost | decimal? | Credits charged per execution. null or 0 means no per-execution cost. The cost is snapshotted at execution time so that subsequent price changes do not retroactively affect past records. |
Consumers can check this field before invoking a tool to understand the cost. Hosts include this information when presenting available tools to the AI.
Error Handling
Providers should handle errors gracefully:
| Scenario | Recommended Response |
|---|---|
Missing or invalid X-Daisi-Auth (install/uninstall) | HTTP 401 Unauthorized |
Unknown installId (configure/execute) | HTTP 403 Forbidden with descriptive error |
| Installation not configured | HTTP 200 with success: false and descriptive error message |
| Invalid parameters | HTTP 200 with success: false and descriptive error message |
| External API failure | HTTP 200 with success: false and error message. Do not return HTTP 500 for expected failures. |
| Unexpected server error | HTTP 500 (the host will return a generic "Provider returned HTTP 500" error) |
Setup Parameter Types
When defining setup parameters in the marketplace item, choose the appropriate type for the Manager UI:
| Type | UI Rendering | Use Case |
|---|---|---|
text | Standard text input | Region names, identifiers, non-sensitive strings |
password | Password input (masked) | Passwords, tokens |
apikey | Password input (masked) | API keys, secret keys |
url | URL text input | Endpoint URLs, webhook URLs |
json | Multiline textarea (monospace) | JSON configuration objects |
oauth | "Connect to [ServiceLabel]" button | OAuth connections (Office 365, Google, X). Triggers popup-based OAuth flow instead of manual input. |
OAuth-Specific Fields
When using the oauth type, two additional fields are required on the setup parameter:
| Field | Type | Description |
|---|---|---|
AuthUrl | string | The provider's OAuth initiation URL. The Manager opens this in a popup with installId, returnUrl, and service as query parameters. |
ServiceLabel | string | Display label for the service (e.g. "Office 365", "Google"). Shown on the Connect button and status badge. |