Skip to content
Go To Dashboard

SDK & API Reference

This page is the complete reference for building and running Sapiom workflows. It covers two surfaces:

  1. Authoring lifecycle — MCP tools (@sapiom/mcp): the customer and agent-facing surface for every step of the workflow lifecycle, from scaffolding to inspection.
  2. Runtime invocation — HTTP API (apps/workflows-engine): the internal service-to-service surface used by the Sapiom platform to execute, signal, and resume workflows.

The @sapiom/mcp server is the primary surface for customers and agents. Point your coding agent (Claude Code, Cursor, etc.) at it:

// .mcp.json / Claude Code MCP config
{ "command": "npx", "args": ["-y", "@sapiom/mcp"] }

All tools below are served by this MCP server and delegate to the published @sapiom/* packages.

ToolPurposeKey inputs / outputs
sapiom_authenticateBrowser-based login. Caches the credential in ~/.sapiom/credentials.json for all subsequent tools.
sapiom_statusReports the current environment and authentication state.Returns env + auth status
sapiom_logoutClears the cached credential (sign out).
sapiom_dev_orchestrations_scaffoldInitialises a new workflow project with the published @sapiom/orchestration + @sapiom/tools packages.template: "default" | "coding-pause"
sapiom_dev_orchestrations_checkBundles index.ts, derives the manifest, and validates the step graph. Offline — no network, no spend.Returns validation result or errors
sapiom_dev_orchestrations_run_localRuns the full orchestration locally with every ctx.sapiom.* capability call served by stubs. Dispatched coding runs auto-resume with a stub result. Free — no real sandboxes, no spend.Optional stubs via .sapiom-dev/stubs.json
sapiom_dev_orchestrations_linkResolves or creates the hosted workflow definition by name (no-op if it already exists).name → definition id
sapiom_dev_orchestrations_deployMints push credentials, git pushes the current commit, triggers a cloud build, and polls until the build reaches ready. The billed unit is the execution (run), not the build.Polls build status
sapiom_dev_orchestrations_runStarts a real, billed cloud execution against the tenant API.input?executionId
sapiom_dev_orchestrations_inspectWatches a running or completed execution — status, logs, per-step output. Also watches in-progress builds.executionId or build id
sapiom_dev_orchestrations_signalResumes a paused execution (e.g. a coding-pause or human-in-the-loop gate).executionId, name, correlationId, payload?
authenticate → scaffold → check → run_local → link → deploy → run → inspect
signal (if paused)

check and run_local can be repeated freely during development. deploy + run are the cloud-execution pair.


The runtime API is mounted at /api/workflows/* in apps/workflows-engine. All routes below require the service-key identity headers unless noted otherwise.

Method + PathDTO inDTO outNotes
POST /api/workflows/:slug/executionsExecuteDefinitionDtoStartExecutionResponseDtoCanonical trigger. Resolves the definition by its tenant-unique slug and executes the active version. The x402 provider injects parentResumeToken for child/sub-workflow dispatch.
POST /api/workflows/workflows/:id/executeExecuteDefinitionDtoStartExecutionResponseDtoTrigger by definition id (M3e path). Superseded by the slug route once callers migrate.
POST /api/workflows/executionsStartExecutionDtoStartExecutionResponseDtoLegacy trigger by workflow name (build-catalog path). Superseded by the slug route.

ExecuteDefinitionDto fields (source: execute-definition.dto.ts):

FieldTypeRequiredDescription
inputRecord<string, unknown>NoPayload passed as the entry step’s input.
scopedApiKeyIdstringNoPer-tenant scoped-key id. Overrides the definition’s pinned key (set by the backend proxy at run time for admin-seeded definitions).
idempotencyKeystringNoIf an execution already exists with this key, the existing execution is returned instead of creating a duplicate.
parentResumeTokenstringNoHMAC-signed engine resume token forwarded by the x402 provider when this execution is a child of a parent step. Forged or expired tokens are rejected.

StartExecutionResponseDto fields (source: start-execution-response.dto.ts):

FieldTypeDescription
status"enqueued" | "already_exists"enqueued = new execution created; already_exists = idempotency-key collision.
executionIdstringThe execution’s id.
existingStatusstring (optional)Set only when status = "already_exists" — the existing execution’s current status.

Method + PathDTO inDTO outNotes
POST /api/workflows/executions/:id/signalsSendSignalDtoSendSignalResponseDtoResumes one or more paused executions waiting on (name, correlationId). :id frames the REST resource and scopes the lookup to the caller’s tenant.

SendSignalDto fields (source: signal.dto.ts):

FieldTypeRequiredDescription
namestringYesSignal name the paused execution declared in pauseUntilSignal.
correlationIdstringYesNarrows the match to the specific waiter.
payloadRecord<string, unknown>NoOpaque JSON threaded through as the resumed step’s input.

SendSignalResponseDto:

FieldTypeDescription
matchednumberCount of paused executions resumed. Normally 1 (correlation ids are expected unique per waiter) or 0 (nothing paused on that pair).

A step pauses by returning pauseUntilSignal({ signal, resumeStep, correlationId }). The engine holds the execution until a caller fires a matching (name, correlationId) pair via this endpoint. The payload becomes the resumed step’s input.

Routing is always tenant-scoped — untrusted step code chooses its own (name, correlationId), so that pair cannot cross tenant boundaries; the firer’s tenant is the boundary (source: signal.dto.ts comment, M4).


These endpoints are service-key-gated infrastructure routes used by the platform. They are documented here for completeness; customers do not call them directly.

Method + PathAuthPurpose
POST /api/workflows/capability-resumeServiceKeyGuardThe x402 gateway POSTs here when a dispatched capability (e.g. a coding run) finishes, echoing back the engine-minted resume token. The token carries the executionId; no :id param needed.
POST /api/workflows/step-eventsServiceKeyGuardAppend-only bridge: a dispatched capability forwards events it fired, correlated by the engine-minted step token. Saves events for debugging; never advances the workflow.
POST /api/workflows/dispatch/step-completionPer-run HMAC (x-sapiom-signature + x-sapiom-timestamp)Untrusted sandbox posts its step result here. Authenticated by a per-run HMAC over the raw body — the sandbox holds only its run’s signing secret, not the service key.
POST /api/workflows/dispatch/build-completionPer-run HMAC (x-sapiom-signature + x-sapiom-timestamp)Build worker posts its completion here. Same per-run HMAC auth as step-completion.