Documentation

Quickstart

Give your agent one key and a safe path to real-world actions. Discover tools, get a quote, approve, execute, and verify with a signed receipt.

1 · Get an API key

Request early access at toolcallstore.com/signup or email hello@toolcallstore.com and we'll provision one. Keys look like this:

tc_live_xxxxxxxxxxxxxxxxxxxx   # production
tc_test_xxxxxxxxxxxxxxxxxxxx   # sandbox (mocked providers)

Send it as a bearer token on every request:

Authorization: Bearer tc_live_xxxxxxxxxxxx

2 · Try your first tool call

Ask the store which tools fit your intent. No charge, no approval — just discovery.

POST /v1/tools/searchcurl
curl https://toolcallstore.com/v1/tools/search \
  -H "Authorization: Bearer tc_live_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"intent": "register a domain and set up business email"}'

 {
  "tools": ["domains.search", "domains.register",
            "email.create_mailbox", "dns.apply_template"],
  "next": "POST /v1/quotes"
}

3 · The quote → approve → execute loop

Every billable action follows the same three steps. Here's registering a domain end to end.

a. Get a quote

POST /v1/quotes
curl https://toolcallstore.com/v1/quotes \
  -H "Authorization: Bearer tc_live_xxxxxxxxxxxx" \
  -d '{"items": ["domain:mysaas.com"]}'

 { "quote_id": "q_abc", "total_estimate_usd": 7.30,
    "requires_approval": true, "expires_at": "2026-06-28T18:30:00Z" }

b. Request approval

POST /v1/approvals
curl https://toolcallstore.com/v1/approvals \
  -H "Authorization: Bearer tc_live_xxxxxxxxxxxx" \
  -d '{"quote_id": "q_abc", "reason": "New SaaS onboarding flow"}'

 { "approval_id": "appr_xyz", "status": "pending" }
# An email (or webhook) goes to the account owner. The agent polls until approved.

c. Execute

POST /v1/execute
curl https://toolcallstore.com/v1/execute \
  -H "Authorization: Bearer tc_live_xxxxxxxxxxxx" \
  -H "Idempotency-Key: 7c1f...uuid" \
  -d '{"approval_id": "appr_xyz"}'

 { "receipt_id": "rcpt_123", "status": "processing" }

4 · Understanding receipts

Poll GET /v1/receipts/<id> until status is completed. Every receipt is a verifiable record of what happened.

FieldTypeMeaning
receipt_idstringStable ID for this action.
actionstringe.g. domains.register.
statusstringprocessing · completed · failed · rolled_back.
provider_idstringThe provider's own reference (e.g. OP-29793388).
cost_usdnumberWhat it cost you.
sell_usdnumberWhat you charged downstream (if set).
timestampstringISO-8601 completion time.
dns_verifiedbooleanFor domains: A record resolved and confirmed.
rollback_hintstringHow to reverse this action (or why it's terminal).
proof[]arrayRaw provider responses / DNS lookups backing the receipt.

Scopes

Keys carry only the scopes you grant. A missing scope returns 403 — it never silently no-ops.

ScopeGrantsApproval?
domains:readSearch domain availability
domains:buyRegister / renew domainsyes
dns:writeApply DNS records / templatesyes
email:writeCreate / delete mailboxesyes
llm:callRoute LLM requests
media:generateGenerate images / video
approvals:createOpen approval requests
receipts:readFetch receipts and proof
providers:readList providers and status
providers:keysManage your BYOK provider keys

Error codes

CodeMeaningWhat to do
400Bad requestMalformed body — fix and resend.
401No / invalid authCheck your bearer token.
402Insufficient balanceAdd funds — see add_funds_url.
403Scope missingGrant the scope to this key.
404Not foundBad ID or path.
409Duplicate idempotency keyAlready processed — read the original receipt.
422Validation errorField-level issue — see errors[].
429Rate limitedBack off 60s, then retry.
500Provider errorRetry with exponential backoff.

Idempotency

Send an Idempotency-Key: <uuid> header on every POST /v1/execute and POST /v1/domains/register call. If the network drops, retry with the same key — you'll get the original receipt back instead of a second charge. Reusing a key with a different body returns 409.

Idempotency-Key: 7c1f9b2e-3a44-4d10-8c2e-9f0b1a2c3d4e

Webhooks

Register a webhook_url on your key to get notified when an approval changes state — no polling required.

POST → your webhook_url
{
  "approval_id": "appr_xyz",
  "status": "approved",
  "quote_id": "q_abc",
  "timestamp": "2026-06-28T18:12:04Z"
}

We also emit events on execute and receipt completion. Verify the X-TCS-Signature header against your signing secret.

BYOK — bring your own keys

Already have provider accounts? Register your own keys and pay only an orchestration + safety fee — provider charges go straight to your account.

POST /v1/providers/keys
curl https://toolcallstore.com/v1/providers/keys \
  -H "Authorization: Bearer tc_live_xxxxxxxxxxxx" \
  -d '{"provider": "stability", "api_key": "sk-..."}'

 { "provider": "stability", "status": "active", "key_id": "pk_9f2" }

Your provider keys are encrypted at rest. We never store them in plaintext and never return them after registration.

Read the full worked example →