Agent Policy

Effective: May 27, 2026 · Version: v1.4 · Applies to: autonomous AI access

What This Covers

This policy applies whenever an AI agent, rather than a human, originates the call to the BRIDGE API. This includes agentic assistants (Claude Desktop, Cursor, ChatGPT, custom LangChain / LlamaIndex agents), autonomous workflows, and any system where decisions to call BRIDGE are made by an LLM.

The companion to this policy is the Agent Access spec, which defines the technical contract (auth, headers, attribution fields).

Operator Accountability

Every agent calling BRIDGE has a human or organizational operator — the account holder whose API key is used. The operator is responsible for the agent's behavior. "The agent did it" is not an excuse under this policy.

Operators must (a) be able to demonstrate, on request, what prompt or decision logic caused a given verification request; (b) maintain a kill-switch capable of halting agent activity within 5 minutes; (c) review aggregate agent activity at least monthly.

Agent Identity

Agent calls must identify themselves via the X-BRIDGE-Agent header. The header must include: agent name, agent version, and a stable agent identifier. Spoofing this header to disguise an agent as a human user is a material breach.

// EXAMPLE HEADER

X-BRIDGE-Agent: my-research-agent/1.4.0; id=ag_8c3d91b4; runner=langgraph

Permitted Actions

Agents may: invoke POST /v1/verify, POST /v1/ask, query their own consensus history, retrieve public leaderboard data, and operate on data the operator owns.

Agents may not: change billing, create or revoke API keys, modify webhook destinations, change account email, or take any action that affects the operator's billing exposure without explicit per-action human confirmation.

Rate & Concurrency

Agents inherit the operator's plan rate limits, with the following additional caps:

  • Maximum 10 concurrent agent calls per operator (any tier).
  • Maximum 1,000 agent-originated verifications per hour without Enterprise approval.
  • Tier 3 (adversarial debate) requests from agents require X-BRIDGE-Agent-Confirm: true on each call.

Attribution Requirements

When an agent surfaces a BRIDGE consensus to a human end-user, the agent must attribute the result. Attribution must include: (a) "Verified by BRIDGE", (b) confidence score, (c) link to the consensus audit page. Stripping or obscuring attribution before surfacing is a material breach.

Anti-Loop Provisions

An agent may not call BRIDGE recursively to verify its own previous verification result, nor establish a verification chain longer than 3 hops without operator review. Loop detection is implemented server-side; offending requests return 429 BRIDGE_LOOP_DETECTED.
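An operator-side pre-flight check for the identity, permitted-action, Tier 3 confirmation and chain-length rules above, as an added example that is not BRIDGE's own code. Assumptions: the header grammar is inferred from the single example header on this page, the allow-list contains only the two paths the policy names, and `tier` and `chain_hops` are hypothetical values the caller tracks locally.

```python
import re

# Grammar inferred from the one example header on this page (assumption):
#   <name>/<version>; id=<identifier>[; key=value ...]
AGENT_RE = re.compile(
    r"(?P<name>[A-Za-z0-9._-]+)/(?P<version>[A-Za-z0-9._-]+)"
    r"(?P<params>(?:;\s*[A-Za-z0-9_-]+=[A-Za-z0-9._-]+)*)"
)
PERMITTED = {("POST", "/v1/verify"), ("POST", "/v1/ask")}  # paths named in the policy
MAX_HOPS = 3  # chain length allowed without operator review


def preflight(method, path, headers, tier=1, chain_hops=0):
    """Return a list of policy problems for one outgoing agent call (empty = ok).

    tier and chain_hops are local bookkeeping values (hypothetical
    parameters, not BRIDGE API fields).
    """
    problems = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    raw = hdrs.get("x-bridge-agent", "")
    # LLM-influenced strings must never smuggle extra headers into the request.
    if "\r" in raw or "\n" in raw:
        problems.append("X-BRIDGE-Agent contains CR/LF")
    m = AGENT_RE.fullmatch(raw.strip())
    if not m:
        problems.append("X-BRIDGE-Agent missing or malformed")
    else:
        pairs = [p.strip() for p in m.group("params").split(";") if p.strip()]
        params = dict(p.split("=", 1) for p in pairs)
        if not params.get("id"):
            problems.append("X-BRIDGE-Agent lacks a stable id= identifier")
    if (method.upper(), path) not in PERMITTED:
        problems.append(f"{method.upper()} {path} is not on the agent allow-list")
    if tier == 3 and hdrs.get("x-bridge-agent-confirm") != "true":
        problems.append("Tier 3 call without X-BRIDGE-Agent-Confirm: true")
    if chain_hops > MAX_HOPS:
        problems.append(f"chain of {chain_hops} hops needs operator review")
    return problems
```

Running this in the agent's HTTP wrapper, and refusing to send when the list is non-empty, also gives the operator a log of blocked calls to review.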

Enforcement

Violations result in (a) agent identifier suspension while the operator account remains active, (b) escalation to operator account suspension on repeat violation, (c) public listing of suspended agent identifiers at getbridge.dev/legal/agent-suspensions.