The ARGUS Runtime Security API lets you analyze prompts and LLM responses against guardrail policies in real time, verify API keys and assets, and record agentic trace events for observability.
Base URL
All requests are made to:
https://argusapi.repello.ai
Versioning
Every endpoint is namespaced under the /sdk/v1 path prefix. The full path for a request is the base URL plus the versioned endpoint path, for example:
https://argusapi.repello.ai/sdk/v1/analyze/prompt
Authentication
All endpoints require an API key, passed in the X-API-Key request header:
X-API-Key: <your-api-key>
Your ARGUS API key. A request with a missing key returns 401 with
{"error": "API key is missing"}. A request with an invalid or inactive key
returns 401 with {"error": "Invalid or inactive API key"}.
Request conventions
- Send request bodies as JSON with
Content-Type: application/json.
- The
POST endpoints (analyze/prompt, analyze/response, events/record) take a JSON body.
GET endpoints (verify/api-key, verify/asset) take query parameters where applicable.- A body that fails schema validation returns
400 with the validation error.
Rate limits
Rate limits are enforced per API key, on a fixed window.
| Endpoint group | Limit | Window |
|---|
POST /sdk/v1/analyze/prompt | 500 | 60 s |
POST /sdk/v1/analyze/response | 500 | 60 s |
POST /sdk/v1/events/record | 500 | 60 s |
GET /sdk/v1/verify/api-key | 50 | 60 s |
GET /sdk/v1/verify/asset | 50 | 60 s |
POST /scan/analyze-prompt (platform) | 50 | 60 s |
POST /scan/analyze-response (platform) | 50 | 60 s |
429 with {"error": "Rate limit exceeded"}. The platform
/scan endpoints carry no dedicated override and fall under the default limit.
The API has two surfaces:
- SDK API (
/sdk/v1/*) — the public surface for direct integrations. Analyze endpoints
accept an inline policies array so callers can override the asset’s configured policies
per request.
- Platform API (
/scan/*) — the internal endpoints used by the ARGUS platform’s tracing
and guardrail system. They apply the asset’s configured policies and do not accept an
inline policies array. Use these only if you are integrating with the platform tracing
flow; otherwise prefer the SDK API.
Both surfaces share the same X-API-Key authentication and the same verdict-based response
shape (request_id, verdict, policies_violated).
Endpoints
SDK API
| Method | Path | Description |
|---|
| POST | /sdk/v1/analyze/prompt | Analyze a user prompt against guardrail policies. |
| POST | /sdk/v1/analyze/response | Analyze an LLM response against guardrail policies. |
| GET | /sdk/v1/verify/api-key | Validate the API key and return its access level. |
| GET | /sdk/v1/verify/asset | Check whether an asset exists for the calling organization. |
| POST | /sdk/v1/events/record | Record an agentic trace event, optionally evaluating content. |
| Method | Path | Description |
|---|
| POST | /scan/analyze-prompt | Platform tracing: analyze a prompt against an asset’s policies. |
| POST | /scan/analyze-response | Platform tracing: analyze a response against an asset’s policies. |
Policy semantics
Guardrail policy names, verdicts, and the shape of policies_applied / policies_violated
are defined in the SDK reference. See Enumerations for the
canonical PolicyName, Verdict, and Action values, and Types
for the Policy, AppliedPolicyInfo, and ViolatedPolicyInfo structures.
A machine-readable OpenAPI 3.1 contract for these endpoints ships alongside this
documentation as api-reference/openapi.json. 
