Credit REST API

The Credit API lets any agent — regardless of language or framework — access Floe's instant credit facilities via HTTP. It returns unsigned transaction calldata that agents sign and submit with their own wallet.

See also: API Keys | Webhooks | Developer Dashboard

Base URL: https://credit-api.floelabs.xyz

Token Decimals

All amounts in the API are in raw token base units (smallest unit for each token). Using the wrong decimal precision is the most common integration bug.

Try It Now

See live lender offers on Base — no auth required:

# WETH/USDC market
curl "https://credit-api.floelabs.xyz/v1/credit/offers?marketId=0xfe92656527bae8e6d37a9e0bb785383fbb33f1f0c7e29fdd733f5af7390c2930"

# Or browse all markets at once
curl "https://credit-api.floelabs.xyz/v1/credit/offers"

Markets

Market IDs are keccak256(abi.encode(loanToken, collateralToken)). Use GET /v1/markets to discover all available market IDs.

Token addresses (Base mainnet):

You can also discover markets programmatically via GET /v1/markets.

Public Endpoints

GET /v1/markets

List all active lending markets. Public — no auth required.

Response:

GET /v1/credit/offers

Query available lend intents. Public — no auth required.

Response:

GET /v1/markets/:marketId/cost-of-capital

Snapshot of the borrowing rate available in a market right now. Public — no auth required.

Without borrowAmount, returns the rate floor + total available liquidity ("what's the cheapest quote anyone is offering?"). With borrowAmount, walks the offer ladder to compute the actual weighted rate the caller would pay ("what would I actually pay if I borrowed N right now?").

Response (quote-only):

Response (with borrowAmount, fillable):

Insufficient-liquidity case: if borrowAmount > availableLiquidity, the response sets impliedRateBps: null and omits impliedFillBreakdown. bestRateBps and availableLiquidity still reflect what's there — use both to decide whether to wait or downsize the borrow.

Why bigint as string? Rates and amounts are returned as decimal strings to avoid JSON-number precision loss past 2^53. Parse with BigInt(...) in TypeScript or int(...) in Python.

GET /v1/health

Authentication

All endpoints below require authentication. The endpoints above are public.

Two distinct contexts call this API, and they use different credentials. Pick the row that matches what you're doing:

The two key prefixes are not interchangeable: a floe_live_* developer key sent to /proxy/fetch will 401, and a floe_* agent key sent to a management endpoint will 401. See API Keys for the canonical table and the rationale.

API Key Authentication

API keys use the Authorization: Bearer header. Generate developer keys through the Developer Dashboard at dev-dashboard.floelabs.xyz or via the developer endpoints below; agent keys are minted by POST /v1/developer/agents/:id/keys.

Keys are scoped to the wallet that created them. All actions performed with an API key are attributed to the owning wallet. See API Keys for key management, rotation, and security best practices.

Wallet Signature Authentication (EIP-191)

For the developer / management endpoints above, you can also authenticate with an EIP-191 / EIP-1271 signed message instead of a floe_live_* key. This is the same credential class — the agentkit SDKs use the signature path so users don't have to obtain a developer key first — and it lets any wallet authenticate without an explicit registration step. It does not unlock the agent runtime endpoints; those still require an agent's floe_* key.

How It Works

1. Sign the message Floe Credit API\nTimestamp: <unix_seconds> with your wallet

2. Include three headers in your request:

The timestamp must be within 5 minutes of the server time.

Python

TypeScript

Smart Contract Wallets (ERC-1271)

Giza agents, Olas agents, and Safe multisigs authenticate the same way. The API detects smart contract wallets automatically and calls isValidSignature() on your wallet contract to verify the signature.

Authenticated Endpoints

POST /v1/credit/instant-borrow

Build unsigned transactions for an instant borrow. The API selects the best available lender automatically and persists an attempt record so a partial flow (TX1 confirmed but TX2 not yet broadcast) is always recoverable.

Headers:

Response:

Broadcasting with attempt tracking

When you broadcast each signed transaction, pass the attempt_id and phase so the API can drive the attempt state machine forward:

Both fields are optional and must be provided together. When provided, the broadcast endpoint persists the txHash on the borrow-attempt row before awaiting waitForTransactionReceipt. This closes the receipt-wait timeout gap — if the receipt doesn't arrive within 60s, the row already has the hash and the reconciler can finish reconciliation on its next tick. Without attempt_id, the broadcast endpoint behaves exactly as before; the attempt row stays in pending_funding until the reconciler's expiry sweep terminates it.

Recovery endpoints

The borrow-attempt state machine is recoverable in two failure scenarios:

Scenario A — Client crash between TX1 and TX2. The register tx confirmed and the row is in pending_match, but the client process died (or lost the response) before broadcasting the match tx.

Persistence requirement: crash recovery only works if the client durably stored at least one of (attemptId, Idempotency-Key) before crashing. With the attemptId you can hit the recovery endpoints below directly. With the Idempotency-Key you can re-POST /v1/credit/instant-borrow and the API returns the cached attempt (reused: true) — read attemptId from that response and proceed to the recovery endpoints. If neither was persisted, the on-chain intent will simply expire on its own (5–10 min) and you'll need a fresh borrow.

Scenario B — Broadcast endpoint receipt timeout. The client called /v1/tx/broadcast with attempt_id+phase, but waitForTransactionReceipt hit the 60s cap and threw. The tx is live on-chain (it was sent before the wait), the row already has register_tx_hash (or match_tx_hash) thanks to the pre-receipt persist, and the reconciler's runOnce will fetch the receipt and resolve the row on its next tick (default poll interval 30s) — no client action required.

For Scenario A, three explicit endpoints let the client drive the recovery:

All three recovery endpoints share two common error codes:

GET /v1/credit/borrow-attempts/:attemptId — current state, all tx hashes, real loanId once active. The attemptId here is the pending:<uuid> placeholder you received from /v1/credit/instant-borrow — it stays the same for the life of the row, even after the loan goes active (the on-chain loanId is surfaced in the response's loanId field, separate from attemptId).

POST /v1/credit/borrow-attempts/:attemptId/resume — returns a fresh matchLoanIntents unsigned tx using the same registered borrow intent. Re-validates the lend offer on-chain; on conflict, returns 409 with one of:

POST /v1/credit/borrow-attempts/:attemptId/abandon — immediately marks the attempt abandoned and returns up to 2 unsigned txs:

1. revokeBorrowIntentByHash(borrowIntentHash) — required. Removes the dangling intent on-chain.

2. approve(collateralToken, matcher, 0) — optional (optional: true), only included when a non-zero allowance exists. Recommended to sign and broadcast for full hygiene.

Returns 409 with code: not_abandonable if the attempt is already in a terminal state.

The on-chain intent expires automatically 5–10 minutes after registration, so revoking is for cleanliness; the loan can never be matched after expiry regardless.

Lifecycle

The API drives a borrow-attempt state machine for every /v1/credit/instant-borrow call. When you broadcast each signed transaction with attempt_id + phase, the API persists the txHash before awaiting the receipt — so a 60s receipt-wait timeout never drops state on the floor.

Terminal branches (fired from any non-terminal status):

Terminal states for the borrow-attempt state machine (no further transitions within this flow): active, repaid, rolled_over, funding_failed, match_failed, abandoned, expired.

Note on active vs. the loan lifecycle. active is terminal for the borrow-attempt flow — once you reach it, the recovery endpoints stop driving the row. But the underlying on-chain loan continues its own lifecycle: it will eventually transition to repaid (when the borrower repays) or rolled_over (when the loan is renewed), both of which are tracked separately in the same row. For loan-level state, query GET /v1/credit/status/:loanId (using the on-chain loanId returned in GET /borrow-attempts/:attemptId) — that's the canonical surface for repayment terms, health factor, and accrued interest.

GET /v1/credit/status/:loanId

Get loan status including health metrics and early repayment terms.

Response:

GET /v1/positions/:wallet

Portfolio view for an address: every active borrower loan + a summary (total debt, weighted-average rate, worst health factor, next maturity).

Response (indexer mode, default):

Response (live mode, ?live=true):

When to use live=true: any time you need an accurate health factor or LTV utilization. Indexer mode is faster and fine for "what do I owe" displays, but the LTV won't move with price. The route runs each loan's status query in parallel with bounded concurrency to keep RPC load sane.

Pagination: summary.activeLoanCount is the wallet's total loan count and stays constant across pages — don't gate pagination on it. Instead, paginate as long as positions.length === limit, advancing skip by limit each round, and stop when you receive fewer than limit results.

Auth scope (today): any authenticated caller can query any wallet's positions. Borrower addresses and loan IDs are public on-chain data. The signed request still uses your own wallet — only the :wallet path param identifies whose portfolio you're querying.

503 Service Unavailable: returned when the API instance was started without an Envio indexer endpoint configured. getPositions cannot run without indexer access (chain-only fallback would be too slow). Call the operations team or retry against another instance.

POST /v1/credit/repay

Build unsigned transactions to repay a loan in full.

POST /v1/credit/repay-and-reborrow

Repay an existing loan and instantly borrow again in one operation.

Response includes repayTransactions and reborrowTransactions arrays. If no liquidity is available for the reborrow, reborrowTransactions will be empty but repayTransactions are still valid.

Submitting Transactions

The API returns unsigned transaction calldata. Your agent signs and submits each transaction in order on Base (chain ID 8453).

Python (web3.py)

TypeScript (viem)

Important: Submit transactions in order. Each must confirm before sending the next. The approval transaction may be omitted if the allowance is already sufficient.

All amounts are in raw token units (e.g., "5000000000" = 5,000 USDC with 6 decimals).

Error Handling

Diagnosing NoLiquidityError

A 404 NoLiquidityError does not always mean the order book is empty. Most often it means your request parameters don't match any open offer — usually the LTV gap rule (borrower.minLtvBps + 800 ≤ lender.maxLtvBps), but it can also be rate, duration, amount, or minFillAmount. The response body tells you which.

primaryReason values

Worked example — the LTV gap rule

The protocol enforces borrower.minLtvBps + 800 ≤ lender.maxLtvBps (8 % buffer between origination and liquidation LTV — see Order book matching). A request that looks compatible on rate alone can still be rejected:

• Borrower posts: borrowAmount = 100,000 USDC, maxInterestRateBps = 500, minLtvBps = 8000

• Order book shows: 990,000,000 USDC available at 500 bps, maxLtvBps = 8500

• Result: 404 LTV_GAP_TOO_SMALL — 8000 + 800 = 8800 > 8500

Fix: lower minLtvBps to ≤ 7700, or wait for a lender at maxLtvBps ≥ 8800.

Transaction Failures

If a transaction in the sequence fails:

• Approval failed: No on-chain state changed. Safe to retry the entire sequence.

• Register borrow intent failed: Your approval is still valid. Retry from the register step.

• Match failed: Your borrow intent is registered on-chain. Call the API again — it will detect the existing intent and return only the match transaction.

Retry Strategy

For transient failures (network timeouts, 500s), retry with exponential backoff:

Developer Endpoints

These endpoints let you manage API keys, webhooks, and your developer profile programmatically. You can also manage these through the Developer Dashboard.

All developer endpoints require authentication (wallet signature or API key).

POST /v1/developer/keys

Create a new API key.

Response:

Important: The full key is only returned once at creation time. Store it securely.

GET /v1/developer/keys

List all API keys for your wallet.

Response:

DELETE /v1/developer/keys/:keyId

Revoke an API key. Takes effect immediately.

POST /v1/developer/webhooks

Register a webhook endpoint. See Webhooks for event types and payload format.

Response:

GET /v1/developer/webhooks

List all registered webhooks.

GET /v1/developer/profile

Get your developer profile, including wallet address, registration date, and usage stats.

Developer Agents

One developer account can own multiple agents (up to 5). Each agent has its own managed Privy wallet, its own credit line, and its own floe_* API key. These endpoints provision and manage agents and their keys.

All /v1/developer/agents* endpoints accept any of three credentials interchangeably — pick whichever fits your client:

• Dashboard session cookie — set by /v1/developer/auth/verify after wallet sign-in. Used by the web dashboard.

• Developer key — Authorization: Bearer floe_live_<base62>. Convenient for backend services.

• Wallet signature — X-Wallet-Address + X-Signature + X-Timestamp headers, signing the message "Floe Credit API\nTimestamp: <unix>". Used by the agentkit SDKs (no developer key needed).

POST /v1/developer/agents

Provision a new managed agent. Floe creates a Privy wallet for the agent, delegates the facilitator on-chain server-side, and returns the agent record. Mint an API key in a second call (see below).

Request body:

Response (201):

Returns 409 limit_exceeded if the developer is already at the 5-agent cap, 409 name_conflict for a duplicate name, or 503 agent_creation_unavailable if Privy or the delegation service is not configured.

GET /v1/developer/agents

List the developer's agents.

Response:

GET /v1/developer/agents/:agentId

Per-agent detail with credit utilization and recent activity.

Response:

The keyPrefix field on list/mint responses is returned with three literal trailing dots (e.g. "keyPrefix": "a1b2c3d4..."). The dots are part of the value, not a truncation in this documentation.

Returns 404 if the agent does not exist OR belongs to another developer (cross-tenant probes can't distinguish the two).

POST /v1/developer/agents/:agentId/close

Wind down an agent — repay all facility loans, sweep residual USDC. Requires WinddownService to be configured; otherwise returns 503 when active loans exist.

POST /v1/developer/agents/:agentId/keys

Mint an API key for an agent. The full key is shown once in the response; only its prefix is persisted server-side.

Response (201):

Returns 409 limit_exceeded if the agent already has an active key — revoke or rotate it first.

GET /v1/developer/agents/:agentId/keys

List keys for an agent (prefixes only; the full key is never returned after creation).

DELETE /v1/developer/agents/:agentId/keys/:keyId

Revoke a specific key. Requests using the revoked key fail with 401 immediately.

POST /v1/developer/agents/:agentId/keys/:keyId/rotate

Atomically revoke keyId and mint a new key for the same agent. Response shape is identical to POST /keys. Use this to rotate an active key without a window where neither key works.

POST /v1/developer/agents/:agentId/open-credit-line

Open the agent's USDC/USDC credit line. Provisioning (POST /v1/developer/agents) creates a Privy wallet and delegates the facilitator on-chain, but does not open a credit line — the agent has creditLimit but creditIn = 0 until you call this endpoint with a USDC deposit.

The agent's Privy wallet must already hold at least depositRaw USDC. Fund it via the dashboard's Coinbase on-ramp (credit card / bank transfer) or by transferring USDC on-chain.

Floe server-signs the borrow intent from the agent's Privy wallet — no on-chain transaction is sent from the developer's local wallet. The borrow intent is posted asynchronously; the existing reconciler advances the row to pending_match once the receipt confirms, and the solver matches it against an open lend offer. Spendable credit (creditIn) becomes non-zero once status flips to active (usually a few seconds).

Request body:

Response (201):

• borrowIntentHash is null on initial return — the reconciler fills it in after parsing LogBorrowerOfferPosted from the receipt.

• approveTxHash is null if the Privy wallet's existing allowance to the matcher was already ≥ depositRaw (no approve tx needed).

Error codes:

The endpoint accepts an optional Idempotency-Key header (Stripe-style). With it, repeated calls within the idempotency window return the same row instead of double-borrowing.

Agent Endpoints

These endpoints are called by an agent (using its floe_* key) to manage itself.

GET /v1/agents/balance

Check your agent's credit balance, active loans, and delegation status.

Response:

Every USDC amount field is a raw 6-decimal string — divide by 1,000,000 for dollars. "4000000000" is 4,000 USDC, not $4 billion. (Non-amount fields aren't USDC — e.g. operatorExpiry is a Unix timestamp.) This is the single most common integration bug; see Token Decimals.

Field guide — spendableRaw and creditAvailableRaw are two different numbers and confusing them is a common bug:

activeLoans[].borrowAmount is also raw USDC. balance and creditAvailable are legacy raw-USDC aliases of spendableRaw and creditAvailableRaw — prefer the explicit *Raw names. creditLimit and creditUsed have no *Raw suffix but are raw USDC all the same.

GET /v1/agents/reservations/{nonce}

Look up a single reservation by its nonce — typically the nonce returned in the reservation.nonce field of a 502 upstream_paid_request_failed_ambiguous response from the proxy. Used by the SDK's awaitSettlement / await_settlement helpers to poll until a pending_settlement reaches a terminal state.

Response (200):

state is one of reserved | sent | pending_settlement | settled | expired_unsettled | payment_rejected. terminal is true for the last three. Returns 404 if the nonce doesn't exist or isn't owned by the caller (no cross-tenant enumeration).

GET /v1/agents/transactions

Paginated history of x402 payments made through the proxy.

Agent Awareness Endpoints

These five primitives let an agent reason about its own credit before committing capital. They answer the three rational-agent questions:

1. Do I have enough credit to make this call? → GET /v1/agents/credit-remaining

2. Is this call worth its cost? → POST /v1/x402/estimate

3. Where am I in the loan lifecycle? → GET /v1/agents/loan-state

Plus operator controls (/spend-limit) and event subscriptions (/credit-thresholds) for long-running agents that want webhook-based alerts.

GET /v1/agents/credit-remaining

Decision-grade headroom view. Use BEFORE every paid call to gate against the agent's available USDC.

Response:

GET /v1/agents/loan-state

Coarse state-machine view. Useful for gating actions that only make sense in specific states.

Response:

State values (precedence: borrowing > repaying > at_limit > idle):

GET / PUT / DELETE /v1/agents/spend-limit

Operator-defined soft cap, enforced off-chain in the proxy paid-request flow. Distinct from the on-chain creditLimit — lets an agent self-bound to a session budget.

PUT resets the session window — anything spent before this call no longer counts.

PUT request body:

GET response:

When the cap is hit, POST /v1/proxy/fetch returns:

GET / POST /v1/agents/credit-thresholds, DELETE /v1/agents/credit-thresholds/:id

Webhook subscriptions that fire when the agent's utilizationBps crosses a threshold. Three event names are emitted via the existing developer webhook stack:

• credit.warning — utilization crossed thresholdBps from below (threshold < 9500 bps)

• credit.at_limit — same, but emitted when threshold ≥ 9500 bps so urgent vs informational can be routed separately

• credit.recovered — utilization dropped back below threshold

Hysteresis guarantees exactly-once delivery per edge crossing — an agent oscillating around the boundary won't be spammed. Cap of 20 thresholds per agent.

POST request body:

Webhook payload:

Subscribe a webhook to credit events using the events array on POST /v1/developer/webhooks. The credit.* and * wildcards are supported.

Polling alternative for serverless agents: ephemeral runners that can't receive webhooks should poll GET /v1/agents/credit-remaining and compare utilizationBps locally. No threshold subscription needed.

POST /v1/x402/estimate

Preflight an x402-protected URL and return its USDC cost without paying. The response also reflects against the calling agent's available and sessionSpendRemaining so the agent can decide gating in one round-trip — the unique value vs the agent doing its own preflight.

Response (URL is x402-protected):

When the URL is not x402-protected, the response is:

Decision pattern:

Results are cached in-memory for ~30s, keyed by (method, url, ssrfPolicy). SSRF policies do NOT leak across tenants — the cache key includes a fingerprint of (domainAllowlist, allowLocalhost).

POST /v1/agents/close

Initiate wind-down. Repays all active loans, transfers remaining USDC to your wallet, and closes the account.

Response:

x402 Proxy Endpoints

These endpoints power the x402 payment proxy. Use them to check if a URL requires payment and to make paid API calls using your agent's credit balance.

GET /v1/proxy/check

Check if a URL requires x402 payment. Public -- no auth required.

Response:

POST /v1/proxy/fetch

Proxy a request to a target URL. If the target returns HTTP 402, the facilitator pays automatically from your credit balance and retries the request.