API reference
Secure contractThe public API contract returns install payloads, generated config, verification metadata, and safe errors. It must not return private repository URLs, storage keys, creator secrets, or hidden prompts.
/api/v1/syncValidates access token, buyer entitlement, package status, version, target compatibility, and returns safe install payload plus adapter config.
/api/v1/integrations/configGenerates client-specific connector config for CLI, MCP, Claude Desktop, Cursor, Windsurf, Codex, OpenClaw, workflow, and agent targets.
/api/v1/runtime/runPrepared protected runtime bridge surface. Validates entitlement, client allowance, signed runtime request, usage metering, and safe output filtering.
/api/v1/access/statusChecks entitlement and token status for a buyer/package pair without exposing private package metadata.
/api/healthOperational health surface for app, database, storage, rate limit, billing, runtime, and install health checks.
{
"token": "oly_sk_...",
"target": "cursor",
"version": "1.0.0",
"verifyOnly": false,
"client": {
"name": "oly-cli",
"version": "1.0.0",
"platform": "local",
"os": "darwin",
"arch": "arm64",
"deviceId": "hashed-device-id"
}
}The CLI sends client metadata so installs can be audited and compatibility warnings can be generated.
{
"error": "Access token expired",
"code": "expired_token",
"message": "This install token is expired.",
"remediation": "Open Library and rotate access.",
"docsUrl": "/docs/troubleshooting"
}Errors should be specific, safe, and actionable. Never include private object keys or source URLs.
Production rule