Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt

Use this file to discover all available pages before exploring further.

Reports a behavioral anomaly detected in an AI agent’s activity. Anomalies are flagged observations that indicate an agent may be operating outside its expected behavioral envelope — such as sudden rate spikes, scope violations, trust score drops, or geographic access anomalies. Anomaly reports create actionable alerts for security teams and can trigger automated response policies (e.g., throttling, session revocation, or agent suspension) depending on severity and tenant configuration.

Anomaly Types

TypeDescription
rate_spikeAgent’s request rate significantly exceeds historical baseline
scope_violationAgent attempted to access a resource outside its granted scopes
trust_dropAgent’s computed trust score dropped below threshold
pattern_deviationAgent’s behavioral pattern deviates from its trained baseline
geographic_anomalyAgent accessed from an unexpected geographic location or IP range

Severity Levels

SeveritySLAAuto-Response
low24h reviewLogged only
medium4h reviewAgent throttled
high1h reviewSessions suspended
critical15min reviewAgent revoked pending investigation

Authentication

X-API-Key
string
required
API key with anomalies:write scope. Alternatively, pass a Bearer JWT token in the Authorization header.
X-Tenant-ID
string
required
Tenant identifier for multi-tenant isolation.

Request

agent_id
string
required
MAIP agent identifier exhibiting the anomalous behavior.
anomaly_type
string
required
Type of anomaly detected. Must be one of: rate_spike, scope_violation, trust_drop, pattern_deviation, geographic_anomaly.
severity
string
required
Severity level. Must be one of: low, medium, high, critical.
description
string
Human-readable description of the anomaly and its potential impact.
evidence
object
Structured evidence supporting the anomaly report. Contents vary by anomaly type: - For rate_spike: baseline_rps, observed_rps, window_seconds - For scope_violation: attempted_scope, granted_scopes, resource_id - For trust_drop: previous_score, current_score, threshold - For pattern_deviation: expected_pattern, observed_pattern, deviation_score
  • For geographic_anomaly: expected_regions, observed_ip, observed_country

Response

id
string
Unique anomaly identifier in MAIP format (maip-anom:ULID).
agent_id
string
The agent associated with the anomaly.
anomaly_type
string
Type of anomaly reported.
severity
string
Severity level.
status
string
Anomaly status. Always open on creation.
auto_response
string
Automated response action taken (if any), based on severity and tenant policy.
created_at
string
ISO 8601 timestamp of creation.