Create or update agent (upsert)
PUT /v1/agents/{agent_id}
Accepts either an agent ID (e.g. agent_01933b5a...) or a
name (e.g. customer-support). If the agent exists, update it; if not,
create it. Returns 201 on create, 200 on update.
Parameters
Section titled “ Parameters ”Path Parameters
Section titled “Path Parameters ”Agent ID (prefixed) or name
Request Body required
Section titled “Request Body required ”Request to create a new agent
object
Capabilities to enable for this agent with per-agent configuration.
Each capability has a ref (capability ID) and optional config.
Per-agent capability configuration
Associates a capability with an agent, including optional per-agent configuration. The config field allows the same capability to behave differently per-agent.
object
Per-agent configuration for this capability (capability-specific)
Reference to the capability ID
Example
[ { "config": {}, "ref": "current_time" }, { "config": {}, "ref": "web_fetch" }]The ID of the default LLM model to use for this agent. If not specified, the system default model will be used.
Example
model_01933b5a00007000800000000000001A human-readable description of what the agent does.
Example
Handles customer inquiries and support ticketsHuman-readable display name shown in UI.
Falls back to name when absent.
Example
Customer Support AgentClient-supplied agent ID (format: agent_{32-hex}). If not provided, one is auto-generated.
Example
agent_01933b5a00007000800000000000001Starter files copied into each new session for this agent.
Starter file copied into a new session from an agent or harness.
object
File content: plain text or base64-encoded binary.
Content encoding: text or base64.
Prevent session-side edits or deletes when true.
Absolute path within the session workspace. /workspace prefix is accepted.
Maximum number of LLM iterations per turn for this agent.
Name, unique per org. Lowercase alphanumeric and hyphens. Format: lowercase alphanumeric and hyphens (e.g. “customer-support”).
Example
customer-supportNetwork access list controlling which hosts/URLs this agent’s sessions can reach. If set, merged with harness and session layers (allowed: intersect, blocked: union).
object
Allowed host patterns. If non-empty, only matching URLs are permitted. An empty list means “no restriction from this layer” (inherit parent).
Blocked host patterns. Always denied, even if matched by allowed.
The system prompt that defines the agent’s behavior and capabilities. This is sent as the first message in every conversation.
Example
You are a helpful customer support agent. Be polite and professional.Tags for organizing and filtering agents.
Example
[ "support", "customer-facing"]Client-side tools for this agent. These tools are sent to the LLM but executed by the client, not the server.
Built-in tool - executed by the worker via ToolRegistry
object
Category for tool_search namespace grouping (from parent capability)
Whether this tool’s schema can be deferred via tool_search
Tool description for LLM
Human-readable display name for UI rendering (e.g., “Get Current Time” for get_current_time)
Semantic hints describing the tool’s behavioral properties
object
Tool may irreversibly destroy or delete data. Subset of non-readonly — a tool can be non-readonly (writes) without being destructive (e.g., create/update operations).
Calling the tool repeatedly with the same arguments produces the same effect. Safe to retry on transient failures.
Tool may take significant time to complete (> ~5s typical). Useful for clients to show progress indicators and set timeouts.
Entity noun for operation-based narration (e.g. “agent”, “harness”).
When set, the narration system reads the operation argument and
produces verb-based narration like “Created agent: Neon Cartographer”
instead of the generic “Ran Manage Agents”.
Tool interacts with external entities beyond the local system (network calls, third-party APIs, cloud services).
Tool output should be persisted to session VFS before truncation.
When set, the tool_output_persistence capability (EVE-222, EVE-245) writes
stdout to /.outputs/{tool_call_id}.stdout and stderr to
/.outputs/{tool_call_id}.stderr, injecting full_output, total_lines,
and output_files into the result.
Tool does not modify any state (read-only queries, lookups). When true: safe to call speculatively, result can be cached.
Tool requires API keys, credentials, or other secrets to function. Useful for UI to show connection prompts and for LLMs to anticipate authentication failures.
Tool supports detached background execution via spawn_background.
When true, the tool may be executed asynchronously outside the current
foreground tool call and report status back later.
Tool name (used by LLM and for registry lookup)
JSON schema for tool parameters
Tool policy (auto or requires_approval)
Client-side tool - executed by the client, not the server
object
Category for tool_search namespace grouping (from parent capability)
Whether this tool’s schema can be deferred via tool_search
Tool description for LLM
Human-readable display name for UI rendering
Semantic hints describing the tool’s behavioral properties
object
Tool may irreversibly destroy or delete data. Subset of non-readonly — a tool can be non-readonly (writes) without being destructive (e.g., create/update operations).
Calling the tool repeatedly with the same arguments produces the same effect. Safe to retry on transient failures.
Tool may take significant time to complete (> ~5s typical). Useful for clients to show progress indicators and set timeouts.
Entity noun for operation-based narration (e.g. “agent”, “harness”).
When set, the narration system reads the operation argument and
produces verb-based narration like “Created agent: Neon Cartographer”
instead of the generic “Ran Manage Agents”.
Tool interacts with external entities beyond the local system (network calls, third-party APIs, cloud services).
Tool output should be persisted to session VFS before truncation.
When set, the tool_output_persistence capability (EVE-222, EVE-245) writes
stdout to /.outputs/{tool_call_id}.stdout and stderr to
/.outputs/{tool_call_id}.stderr, injecting full_output, total_lines,
and output_files into the result.
Tool does not modify any state (read-only queries, lookups). When true: safe to call speculatively, result can be cached.
Tool requires API keys, credentials, or other secrets to function. Useful for UI to show connection prompts and for LLMs to anticipate authentication failures.
Tool supports detached background execution via spawn_background.
When true, the tool may be executed asynchronously outside the current
foreground tool call and report status back later.
Tool name (used by LLM and for correlation)
JSON schema for tool parameters
Responses
Section titled “ Responses ”Agent updated
Wrapper that adds self_url and view_url to a serialized resource.
Uses self_url (not url) for the API link to avoid collision with
resources that already have a url field (e.g. McpServer).
object
Timestamp when the agent was archived.
Capabilities enabled for this agent with per-agent configuration. Capabilities add tools and system prompt modifications.
Per-agent capability configuration
Associates a capability with an agent, including optional per-agent configuration. The config field allows the same capability to behave differently per-agent.
object
Per-agent configuration for this capability (capability-specific)
Reference to the capability ID
Timestamp when the agent was created.
Default LLM model ID for this agent. Can be overridden at the session level.
Example
model_01933b5a00007000800000000000001Timestamp when the agent was deleted.
Human-readable description of what the agent does.
Human-readable display name shown in UI (e.g. “Customer Support Agent”).
Falls back to name when absent.
External identifier (agent_<32-hex>). Shown as “id” in API. Client-supplied or auto-generated.
Example
agent_01933b5a000070008000000000000001Starter files copied into each new session for this agent.
Starter file copied into a new session from an agent or harness.
object
File content: plain text or base64-encoded binary.
Content encoding: text or base64.
Prevent session-side edits or deletes when true.
Absolute path within the session workspace. /workspace prefix is accepted.
Maximum number of LLM iterations per turn for this agent.
Name, unique per org (e.g. “customer-support”).
Network access list controlling which hosts/URLs agent sessions can reach. Merged with harness and session layers (allowed: intersect, blocked: union).
object
Allowed host patterns. If non-empty, only matching URLs are permitted. An empty list means “no restriction from this layer” (inherit parent).
Blocked host patterns. Always denied, even if matched by allowed.
Current lifecycle status of the agent.
System prompt that defines the agent’s behavior. Sent as the first message in every conversation.
Tags for organizing and filtering agents.
Client-side tools registered for this agent. These tools are executed by the client, not the server.
Built-in tool - executed by the worker via ToolRegistry
object
Category for tool_search namespace grouping (from parent capability)
Whether this tool’s schema can be deferred via tool_search
Tool description for LLM
Human-readable display name for UI rendering (e.g., “Get Current Time” for get_current_time)
Semantic hints describing the tool’s behavioral properties
object
Tool may irreversibly destroy or delete data. Subset of non-readonly — a tool can be non-readonly (writes) without being destructive (e.g., create/update operations).
Calling the tool repeatedly with the same arguments produces the same effect. Safe to retry on transient failures.
Tool may take significant time to complete (> ~5s typical). Useful for clients to show progress indicators and set timeouts.
Entity noun for operation-based narration (e.g. “agent”, “harness”).
When set, the narration system reads the operation argument and
produces verb-based narration like “Created agent: Neon Cartographer”
instead of the generic “Ran Manage Agents”.
Tool interacts with external entities beyond the local system (network calls, third-party APIs, cloud services).
Tool output should be persisted to session VFS before truncation.
When set, the tool_output_persistence capability (EVE-222, EVE-245) writes
stdout to /.outputs/{tool_call_id}.stdout and stderr to
/.outputs/{tool_call_id}.stderr, injecting full_output, total_lines,
and output_files into the result.
Tool does not modify any state (read-only queries, lookups). When true: safe to call speculatively, result can be cached.
Tool requires API keys, credentials, or other secrets to function. Useful for UI to show connection prompts and for LLMs to anticipate authentication failures.
Tool supports detached background execution via spawn_background.
When true, the tool may be executed asynchronously outside the current
foreground tool call and report status back later.
Tool name (used by LLM and for registry lookup)
JSON schema for tool parameters
Tool policy (auto or requires_approval)
Client-side tool - executed by the client, not the server
object
Category for tool_search namespace grouping (from parent capability)
Whether this tool’s schema can be deferred via tool_search
Tool description for LLM
Human-readable display name for UI rendering
Semantic hints describing the tool’s behavioral properties
object
Tool may irreversibly destroy or delete data. Subset of non-readonly — a tool can be non-readonly (writes) without being destructive (e.g., create/update operations).
Calling the tool repeatedly with the same arguments produces the same effect. Safe to retry on transient failures.
Tool may take significant time to complete (> ~5s typical). Useful for clients to show progress indicators and set timeouts.
Entity noun for operation-based narration (e.g. “agent”, “harness”).
When set, the narration system reads the operation argument and
produces verb-based narration like “Created agent: Neon Cartographer”
instead of the generic “Ran Manage Agents”.
Tool interacts with external entities beyond the local system (network calls, third-party APIs, cloud services).
Tool output should be persisted to session VFS before truncation.
When set, the tool_output_persistence capability (EVE-222, EVE-245) writes
stdout to /.outputs/{tool_call_id}.stdout and stderr to
/.outputs/{tool_call_id}.stderr, injecting full_output, total_lines,
and output_files into the result.
Tool does not modify any state (read-only queries, lookups). When true: safe to call speculatively, result can be cached.
Tool requires API keys, credentials, or other secrets to function. Useful for UI to show connection prompts and for LLMs to anticipate authentication failures.
Tool supports detached background execution via spawn_background.
When true, the tool may be executed asynchronously outside the current
foreground tool call and report status back later.
Tool name (used by LLM and for correlation)
JSON schema for tool parameters
Timestamp when the agent was last updated.
Cumulative token usage across all sessions for this agent.
object
Number of tokens written to cache (Anthropic-specific)
Number of tokens read from cache (reduces cost)
Number of input/prompt tokens
Number of output/completion tokens
Full API endpoint URL for this resource.
Full UI URL for viewing this resource.
Agent created
Wrapper that adds self_url and view_url to a serialized resource.
Uses self_url (not url) for the API link to avoid collision with
resources that already have a url field (e.g. McpServer).
object
Timestamp when the agent was archived.
Capabilities enabled for this agent with per-agent configuration. Capabilities add tools and system prompt modifications.
Per-agent capability configuration
Associates a capability with an agent, including optional per-agent configuration. The config field allows the same capability to behave differently per-agent.
object
Per-agent configuration for this capability (capability-specific)
Reference to the capability ID
Timestamp when the agent was created.
Default LLM model ID for this agent. Can be overridden at the session level.
Example
model_01933b5a00007000800000000000001Timestamp when the agent was deleted.
Human-readable description of what the agent does.
Human-readable display name shown in UI (e.g. “Customer Support Agent”).
Falls back to name when absent.
External identifier (agent_<32-hex>). Shown as “id” in API. Client-supplied or auto-generated.
Example
agent_01933b5a000070008000000000000001Starter files copied into each new session for this agent.
Starter file copied into a new session from an agent or harness.
object
File content: plain text or base64-encoded binary.
Content encoding: text or base64.
Prevent session-side edits or deletes when true.
Absolute path within the session workspace. /workspace prefix is accepted.
Maximum number of LLM iterations per turn for this agent.
Name, unique per org (e.g. “customer-support”).
Network access list controlling which hosts/URLs agent sessions can reach. Merged with harness and session layers (allowed: intersect, blocked: union).
object
Allowed host patterns. If non-empty, only matching URLs are permitted. An empty list means “no restriction from this layer” (inherit parent).
Blocked host patterns. Always denied, even if matched by allowed.
Current lifecycle status of the agent.
System prompt that defines the agent’s behavior. Sent as the first message in every conversation.
Tags for organizing and filtering agents.
Client-side tools registered for this agent. These tools are executed by the client, not the server.
Built-in tool - executed by the worker via ToolRegistry
object
Category for tool_search namespace grouping (from parent capability)
Whether this tool’s schema can be deferred via tool_search
Tool description for LLM
Human-readable display name for UI rendering (e.g., “Get Current Time” for get_current_time)
Semantic hints describing the tool’s behavioral properties
object
Tool may irreversibly destroy or delete data. Subset of non-readonly — a tool can be non-readonly (writes) without being destructive (e.g., create/update operations).
Calling the tool repeatedly with the same arguments produces the same effect. Safe to retry on transient failures.
Tool may take significant time to complete (> ~5s typical). Useful for clients to show progress indicators and set timeouts.
Entity noun for operation-based narration (e.g. “agent”, “harness”).
When set, the narration system reads the operation argument and
produces verb-based narration like “Created agent: Neon Cartographer”
instead of the generic “Ran Manage Agents”.
Tool interacts with external entities beyond the local system (network calls, third-party APIs, cloud services).
Tool output should be persisted to session VFS before truncation.
When set, the tool_output_persistence capability (EVE-222, EVE-245) writes
stdout to /.outputs/{tool_call_id}.stdout and stderr to
/.outputs/{tool_call_id}.stderr, injecting full_output, total_lines,
and output_files into the result.
Tool does not modify any state (read-only queries, lookups). When true: safe to call speculatively, result can be cached.
Tool requires API keys, credentials, or other secrets to function. Useful for UI to show connection prompts and for LLMs to anticipate authentication failures.
Tool supports detached background execution via spawn_background.
When true, the tool may be executed asynchronously outside the current
foreground tool call and report status back later.
Tool name (used by LLM and for registry lookup)
JSON schema for tool parameters
Tool policy (auto or requires_approval)
Client-side tool - executed by the client, not the server
object
Category for tool_search namespace grouping (from parent capability)
Whether this tool’s schema can be deferred via tool_search
Tool description for LLM
Human-readable display name for UI rendering
Semantic hints describing the tool’s behavioral properties
object
Tool may irreversibly destroy or delete data. Subset of non-readonly — a tool can be non-readonly (writes) without being destructive (e.g., create/update operations).
Calling the tool repeatedly with the same arguments produces the same effect. Safe to retry on transient failures.
Tool may take significant time to complete (> ~5s typical). Useful for clients to show progress indicators and set timeouts.
Entity noun for operation-based narration (e.g. “agent”, “harness”).
When set, the narration system reads the operation argument and
produces verb-based narration like “Created agent: Neon Cartographer”
instead of the generic “Ran Manage Agents”.
Tool interacts with external entities beyond the local system (network calls, third-party APIs, cloud services).
Tool output should be persisted to session VFS before truncation.
When set, the tool_output_persistence capability (EVE-222, EVE-245) writes
stdout to /.outputs/{tool_call_id}.stdout and stderr to
/.outputs/{tool_call_id}.stderr, injecting full_output, total_lines,
and output_files into the result.
Tool does not modify any state (read-only queries, lookups). When true: safe to call speculatively, result can be cached.
Tool requires API keys, credentials, or other secrets to function. Useful for UI to show connection prompts and for LLMs to anticipate authentication failures.
Tool supports detached background execution via spawn_background.
When true, the tool may be executed asynchronously outside the current
foreground tool call and report status back later.
Tool name (used by LLM and for correlation)
JSON schema for tool parameters
Timestamp when the agent was last updated.
Cumulative token usage across all sessions for this agent.
object
Number of tokens written to cache (Anthropic-specific)
Number of tokens read from cache (reduces cost)
Number of input/prompt tokens
Number of output/completion tokens
Full API endpoint URL for this resource.
Full UI URL for viewing this resource.
Invalid input
Standard error response for API endpoints.
object
Error message describing what went wrong.
Internal server error
Standard error response for API endpoints.
object
Error message describing what went wrong.