Developer Guide
Getting Started with ATF
From signup to your first verified receipt in five steps. No credit card required. Free tier includes 100 protect calls per day.
What is the Agent Transaction Firewall?
ATF is a zero-trust policy enforcement layer for autonomous trading bots and AI agents. Before your bot executes a swap, lending deposit, or perpetuals trade, ATF evaluates the intent against configurable policies and returns a deterministic, tamper-evident receipt.
- Protect - submit an intent, get an allow/deny decision with reasons
- Receipt - every decision produces a content-hashed receipt you can verify
- Verify - confirm receipt integrity anytime via API or CLI
- Fail-closed - if ATF can't evaluate, the trade is denied (never silently approved)
Currently supporting Solana (Jupiter, Raydium, Orca swaps & lending protocols). Base and Hyperliquid support is in development.
Step 1: Create Your Account
Sign up at trucore.xyz/signup or use the API directly:
bash
curl -sS https://api.trucore.xyz/auth/signup \
-H "Content-Type: application/json" \
-d '{"email": "you@example.com", "password": "your-secure-password"}'You'll receive a JWT token, your tenant ID, and your first API key:
json
{
"token": "eyJhbGciOiJIUzI1NiIs...",
"tenant_id": "cust_a1b2c3d4e5f6",
"api_key": "atf_live_...",
"email_verified": false
}Save your API key. The plaintext secret is shown only once. You can create additional keys in the developer portal.
Step 2: Verify Your Email
Check your inbox for a verification email and click the link, or confirm via API:
bash
curl -sS https://api.trucore.xyz/auth/verify-email/confirm \
-H "Content-Type: application/json" \
-d '{"token": "TOKEN_FROM_EMAIL"}'Verification tokens expire after 24 hours. You can request a new one from POST /auth/verify-email/request with your JWT.
Step 3: Run Your First Protected Trade
Submit a swap intent to the protect endpoint. ATF evaluates it against policies and returns a decision:
bash
curl -sS https://api.trucore.xyz/v1/bot/protect \
-H "Content-Type: application/json" \
-H "X-API-Key: atf_live_YOUR_KEY" \
-d '{
"chain_id": "solana",
"intent_type": "swap",
"intent": {
"type": "swap",
"in_mint": "So11111111111111111111111111111111111111112",
"out_mint": "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v",
"amount_in": 1000000,
"slippage_bps": 50,
"agent_id": "my-bot-v1"
}
}'If the intent passes policy checks:
json
{
"allow": true,
"reason_codes": [],
"receipt": {
"decision": "approved",
"content_hash": "a1b2c3d4...64-char-hex",
"hash_version": "1",
"timestamp_utc": "2026-03-21T00:00:00+00:00",
"chain_id": "solana",
"intent_type": "swap"
},
"venue": "jupiter"
}Step 4: Verify the Receipt
Every decision (allow or deny) produces a content_hash. Verify it to confirm the receipt hasn't been tampered with:
bash
curl -sS https://api.trucore.xyz/v1/receipts/verify \
-H "Content-Type: application/json" \
-d '{"content_hash": "a1b2c3d4...64-char-hex"}'Or use the CLI: atf verify <receipt-id>
Step 5: Understand Mock vs Real Execution
Mock Mode
The onboarding flow and POST /onboarding/execute-sample use mock execution by default. Policies are evaluated, receipts are generated, but no on-chain transaction is sent.
Good for: testing integration, validating policy behavior, development.
Real Execution
When you connect a wallet and use the production protect endpoint, ATF evaluates real intents. If approved, your bot signs and sends the transaction on-chain. The finalization step records the on-chain tx hash in the receipt.
Good for: production bots, real trading, audit trails.
Next Steps
First Protected Trade →
HTTP, Python, TypeScript, CLI, and OpenClaw integration paths.
Integration Surfaces →
API, CLI, and OpenClaw plugin - what's available and what's coming.
Plans & Feature Tiers →
Free, Pro, and Enterprise - limits, features, and how to upgrade.
Auth & API Keys →
Key creation, rotation, revocation, and account recovery.