MIR Policy — Enterprise API Reference

MIR Policy is a hosted service that uses participation history to help organizations make informed decisions. It does not require implementing MIR Protocol claims or signature verification.

Base URL

https://myinternetreputation.com/policy

Authentication

All requests require your API key in the x-api-key header:

x-api-key: your-api-key-here

Endpoints

POST /policy/evaluate

Evaluate whether an actor can perform an action. Returns allow/deny/step_up decision with reasons.

{
  "actor_id": "user-123",
  "action": "checkout.complete",
  "context": {
    "amount_usd": 500,
    "is_first_order": true
  }
}

Response:

{
  "decision": "step_up",
  "reasons": ["high_value_first_order"],
  "actor_tier": 1,
  "action_config": { ... }
}

POST /policy/evaluate/bulk

Evaluate up to 50 policy decisions in a single request. Each evaluation is processed independently — partial failures don’t fail the batch.

{
  "evaluations": [
    { "actor": { "id": "user-abc", "type": "human" }, "action": "data.export_pii" },
    { "actor": { "id": "user-xyz", "type": "human" }, "action": "finance.approve_payment" },
    { "actor": { "id": "svc-bot", "type": "service" }, "action": "credential.rotate" }
  ]
}

Response:

{
  "summary": { "total": 3, "allow": 1, "deny": 0, "step_up": 1, "limit": 1, "errors": 0 },
  "results": [
    { "index": 0, "status": "evaluated", "decision": "step_up", ... },
    { "index": 1, "status": "evaluated", "decision": "allow", ... },
    { "index": 2, "status": "evaluated", "decision": "limit", ... }
  ]
}

Supports ?debug=true or x-policy-debug: true header for debug output on all items.

GET /policy/health

Health check endpoint. Returns API status.

curl https://myinternetreputation.com/policy/health \
  -H "x-api-key: your-api-key"

GET /policy/actions

List all configured actions and their policies.

GET /policy/actions/:action

Get configuration for a specific action.

Actor Tiers

MIR Policy assigns tiers based on cross-platform participation history:

Tier	Description	Typical Treatment
0	No MIR history	Require verification, constrain access
1	≥10 events, ≥1 partner, ≥14 days	Standard flow, may step-up for high-risk
2	≥50 events, ≥2 partners, ≥30 days	Reduced friction
3	≥200 events, ≥3 partners, ≥90 days	Lowest friction, informed by policy

Decisions

Decision	Meaning	Your Action
`allow`	Action permitted	Proceed normally
`deny`	Action blocked	Show error, suggest alternatives
`step_up`	Needs verification	Request additional auth (2FA, ID, etc.)
`limit`	Allowed with restrictions	Apply limits from response

Default Actions

Common actions pre-configured for most use cases:

Action	Required Tier	Fail Behavior
`checkout.complete`	1	step_up
`payout.request`	2	deny
`data.export_pii`	2	step_up
`message.send`	0	limit
`review.post`	1	step_up

Custom Actions: Contact us to configure custom actions and policies for your organization's specific needs.

Pricing

MIR pricing reflects infrastructure capacity, data retention responsibility, and operational guarantees — not user access or feature tiers.

Integration Example

// Before processing a high-value action
const response = await fetch('https://myinternetreputation.com/policy/evaluate', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'x-api-key': process.env.MIR_API_KEY
  },
  body: JSON.stringify({
    actor_id: user.id,
    action: 'checkout.complete',
    context: { amount_usd: cart.total }
  })
});

const { decision, reasons } = await response.json();

if (decision === 'allow') {
  await processCheckout();
} else if (decision === 'step_up') {
  await requireTwoFactor();
} else {
  throw new Error('Action not permitted');
}

Agent Management API

Register and manage AI agents and service accounts programmatically. Agents get scoped permissions, event-type allowlists, and independent API keys — no portal access required.

All agent endpoints require partner authentication (x-api-key header) and an Enterprise plan. Requires OWNER or ADMIN membership role.

Authentication Modes

Agents authenticate in one of two ways:

Mode	Header	Description
Agent key	`x-api-key: mir_agent_<key>`	Agent uses its own API key (recommended)
Partner key + header	`x-api-key: mir_<key>` + `x-mir-agent-id: <id>`	Partner key with agent external ID header

Permissions

Permission	Description
`events:write`	Submit events
`events:read`	Read events
`claims:write`	Submit claims
`claims:read`	Read claims
`users:resolve`	Resolve user handle to ID (minimal fields)
`users:read`	Full user read (rare, sensitive)
`policy:read`	Access policy evaluation
`webhooks:manage`	Configure webhooks
`audit:read`	Access audit logs

Presets

Presets are predefined permission bundles. Use a preset or specify permissions explicitly.

Preset	Permissions	Description
`event_emitter`	events:write	Submit events (restrict to allowed event types)
`verifier`	users:resolve, claims:write	Resolve users, submit claims
`reconciler`	events:read, events:write	Read and retry events (idempotent workflows)
`admin`	All permissions	Full API access — blocked for AI_AGENT type

AI Agent Guardrails: Agents with type AI_AGENT automatically enforce idempotency, cap bulk operations at 25 items, block the admin preset, and require at least one allowed event type or pattern.

POST /v1/agents

Create a new agent. Returns the agent record and a plaintext API key (shown once).

Request:

{
  "name": "Checkout Bot",
  "type": "AI_AGENT",
  "preset": "event_emitter",
  "allowedEventTypes": ["transaction.completed", "transaction.refunded"],
  "allowedEventPatterns": ["review.*"],
  "rateLimitPerMinute": 100
}

Field	Type	Required	Description
`name`	string	Yes	Agent name (max 100 chars)
`type`	string	Yes	`AI_AGENT` or `SERVICE_ACCOUNT`
`description`	string	No	Optional description
`preset`	string	No	Permission preset (see above)
`permissions`	string[]	No	Explicit permission list (alternative to preset)
`allowedEventTypes`	string[]	AI_AGENT: Yes	Event types this agent can submit
`allowedEventPatterns`	string[]	No	Trailing wildcard patterns (e.g., `transaction.*`)
`rateLimitPerMinute`	number	No	Per-agent rate limit (1–10,000). Null inherits partner limit
`maxBulkItems`	number	No	Max items per bulk request
`agentExternalId`	string	No	Your ID for header-mode auth (max 100 chars)
`generateKey`	boolean	No	Generate API key (default: true)

Response (201):

{
  "id": "agent_abc123",
  "name": "Checkout Bot",
  "type": "AI_AGENT",
  "status": "ACTIVE",
  "preset": "event_emitter",
  "permissions": ["events:write"],
  "allowedEventTypes": ["transaction.completed", "transaction.refunded"],
  "allowedEventPatterns": ["review.*"],
  "requireIdempotency": true,
  "maxBulkItems": 25,
  "rateLimitPerMinute": 100,
  "agentExternalId": null,
  "createdAt": "2026-02-22T12:00:00Z",
  "apiKey": "mir_agent_aBcDeFgHiJkLmNoPqRsT...",
  "message": "Save this API key now. It cannot be retrieved again."
}

GET /v1/agents

List all agents for your organization.

Query Param	Type	Description
`includeRevoked`	boolean	Include permanently revoked agents (default: false)

Response:

{
  "agents": [
    {
      "id": "agent_abc123",
      "name": "Checkout Bot",
      "type": "AI_AGENT",
      "status": "ACTIVE",
      "permissions": ["events:write"],
      "authMode": "agent_key",
      "lastUsedAt": "2026-02-22T11:45:00Z"
    }
  ]
}

GET /v1/agents/me

Self-info for the currently authenticated agent. Use this from agent code to verify permissions and configuration. Requires an agent API key.

GET /v1/agents/:id

Get full details for a specific agent.

PATCH /v1/agents/:id

Update an agent's name, description, permissions, allowed event types, patterns, or rate limits.

{
  "permissions": ["events:write", "events:read"],
  "allowedEventTypes": ["transaction.completed"],
  "rateLimitPerMinute": 200
}

POST /v1/agents/:id/suspend

Temporarily suspend an agent. The agent's key is preserved and can be reactivated.

{ "reason": "Investigating anomalous activity" }

POST /v1/agents/:id/reactivate

Reactivate a suspended agent. No request body required.

POST /v1/agents/:id/revoke

Permanently revoke an agent. The API key hash is deleted and cannot be recovered.

{ "reason": "Agent decommissioned" }

POST /v1/agents/:id/key/rotate

Generate a new API key. The old key is invalidated immediately.

Response:

{
  "apiKey": "mir_agent_xYzAbCdEfGhIjKlMnO...",
  "message": "New API key generated. Your old key has been invalidated. Save this key now — it cannot be retrieved again."
}

Enforce Agent Auth

Once your agents are configured, enforce agent-only API access across your organization. When enabled, all API calls must include agent context — partner key alone is rejected.

PATCH /portal/api/settings
{ "enforceAgentAuth": true }

Requires OWNER role.

Integration Example

// Register an agent programmatically
const response = await fetch('https://mir.events/v1/agents', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'x-api-key': process.env.MIR_PARTNER_KEY
  },
  body: JSON.stringify({
    name: 'Checkout Bot',
    type: 'AI_AGENT',
    preset: 'event_emitter',
    allowedEventTypes: ['transaction.completed']
  })
});

const { apiKey } = await response.json();
// Store apiKey securely — it is shown only once

// Agent submits events with its own key
await fetch('https://mir.events/v1/events', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'x-api-key': apiKey,
    'Idempotency-Key': 'txn-abc-123'
  },
  body: JSON.stringify({
    type: 'transaction.completed',
    userId: 'user-456',
    data: { amount: 99.99, currency: 'USD' }
  })
});

Member Management API

Import and manage organization members programmatically. Members are auto-linked when they sign up with a matching email.

POST /enterprise/api/members/import

Bulk import member email addresses. Users with existing MIR accounts are auto-linked immediately. Others are linked when they sign up.

Request:

{
  "members": [
    "alice@company.com",
    "bob@company.com"
  ],
  "analysts": [
    "data-team@company.com"
  ],
  "admins": [
    "admin@company.com"
  ]
}

Field	Role Assigned	Description
`members` or `emails`	MEMBER	Standard organization members
`analysts`	ANALYST	Can view reports and analytics
`admins`	ADMIN	Can manage team and settings

Response:

{
  "message": "Import completed",
  "results": {
    "imported": 4,
    "alreadyImported": 0,
    "autoLinked": 1,
    "invalid": 0,
    "byRole": { "members": 2, "analysts": 1, "admins": 1 },
    "errors": []
  }
}

Maximum 500 emails per request. Requires OWNER or ADMIN role.

GET /enterprise/api/members/invites

List all imported email invites and their status.

Response:

{
  "invites": [
    {
      "id": "inv_abc123",
      "email": "alice@company.com",
      "status": "CLAIMED",
      "createdAt": "2025-01-06T12:00:00Z",
      "claimedAt": "2025-01-06T14:30:00Z",
      "importSource": "api"
    },
    {
      "id": "inv_def456",
      "email": "bob@company.com",
      "status": "PENDING",
      "createdAt": "2025-01-06T12:00:00Z",
      "claimedAt": null,
      "importSource": "api"
    }
  ]
}

Status	Description
`PENDING`	Awaiting user signup/verification
`CLAIMED`	User signed up and was auto-linked
`REMOVED`	Removed by admin

Auto-Linking: When a user verifies their email address, they are automatically added as a member to any organization that imported their email. No additional action required.

Support

Status: /status
Standard API: https://myinternetreputation.com/api
Contact: enterprise@myinternetreputation.com