App-Only Actions
Agent API v1 executes actions inside a lane that a human configured in the Hightop app. It does not let agents widen that lane.
Agents cannot:
- create agents
- rotate their own API key
- disable their own agent
- change permissions or limits
- create recurring recipients
- add (create) a brand-new trusted destination
- cancel active one-off payments
- pass arbitrary user, wallet, or account filters
- read other agents' operations
- read other agents' balances
- read account-wide Activity outside the authenticated wallet scope
Owner-only setup stays in the app so human control and onchain rule changes remain separate from agent execution.
Creating a brand-new trusted destination stays in the app. Agents with agent:trusted_destinations:write can confirm, cancel, and remove trusted destinations through the public v1 routes — see Endpoints. For service or vendor funding, configure a recurring-payment recipient in the app and have the agent call POST /v1/agent/payments; do not use a trusted-destination withdrawal path unless the destination is actually one of your own high-trust transfer targets.
