Documentation Index
Fetch the complete documentation index at: https://glide-9da73dea.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
Issue a new bearer grant for this agent with a narrowed scope set. Always requires principal step-up — the first call returns a step-up URL; the second call (with the redeemed sigil) issues the grant.
| Field | Value |
|---|
| Name | agent.grant.issue |
| Category | treasury |
| Required scope | agent:budget:create |
| Idempotency key required | no |
Annotations
| Annotation | Value |
|---|
| Title | Issue Grant |
| Read-only | no |
| Destructive | no |
| Idempotent | no |
| Open-world | no |
| Requires human approval | yes (step-up) |
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"type": "object",
"properties": {
"scope": {
"minItems": 1,
"type": "array",
"items": {
"type": "string",
"enum": [
"accounts:read",
"agents:read",
"payments:initiate",
"payments:simulate",
"cards:manage",
"agent:budget:create",
"agent:budget:revoke",
"beneficiary:read",
"beneficiary:write",
"kyc:start",
"x402:pay",
"x402:receive",
"audit:stream",
"treasury:rotate-signer",
"treasury:yield-allocate"
]
}
},
"ttl_seconds": {
"type": "integer",
"exclusiveMinimum": 0,
"maximum": 3600
},
"step_up_sigil": {
"type": "string",
"minLength": 1
}
},
"required": [
"scope",
"ttl_seconds"
],
"additionalProperties": false
}
Output schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"type": "object",
"properties": {
"grant_id": {
"type": "string",
"format": "uuid",
"pattern": "^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$"
},
"bearer_token": {
"type": "string",
"minLength": 1
},
"expires_at": {
"type": "string",
"format": "date-time",
"pattern": "^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$"
},
"scope": {
"type": "array",
"items": {
"type": "string",
"enum": [
"accounts:read",
"agents:read",
"payments:initiate",
"payments:simulate",
"cards:manage",
"agent:budget:create",
"agent:budget:revoke",
"beneficiary:read",
"beneficiary:write",
"kyc:start",
"x402:pay",
"x402:receive",
"audit:stream",
"treasury:rotate-signer",
"treasury:yield-allocate"
]
}
},
"policy_version": {
"type": "integer",
"minimum": 0,
"maximum": 9007199254740991
}
},
"required": [
"grant_id",
"bearer_token",
"expires_at",
"scope",
"policy_version"
],
"additionalProperties": false
}
Request examples
This tool always requires a two-call pattern. The first call (without step_up_sigil) returns -32003 with a step_up_url. After the principal completes biometric approval, the second call supplies the redeemed step_up_sigil and receives the new grant.
# Step 1 — trigger step-up (no sigil)
curl -X POST https://mcp.glide.co/mcp/treasury \
-H "Authorization: Bearer $GLIDE_GRANT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 1,
"method": "agent.grant.issue",
"params": {
"scope": ["accounts:read", "payments:initiate"],
"ttl_seconds": 3600
}
}'
# → error -32003 with step_up_url + sigil in data
# Redirect principal to step_up_url, collect the redeemed sigil
# Step 2 — supply redeemed sigil
curl -X POST https://mcp.glide.co/mcp/treasury \
-H "Authorization: Bearer $GLIDE_GRANT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 2,
"method": "agent.grant.issue",
"params": {
"scope": ["accounts:read", "payments:initiate"],
"ttl_seconds": 3600,
"step_up_sigil": "su_01HWXYZ_abc123def456"
}
}'
Response examples
Step 1 — step-up required (first call without sigil always returns this):
{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32003,
"message": "issuing a new grant requires principal biometric approval",
"data": {
"reason_id": "step_up_required",
"step_up_url": "https://app.glide.co/step-up?token=eyJhbGciOiJIUzI1NiJ9.eyJyZWFzb24iOiJncmFudF9pc3N1ZSJ9.sig"
}
}
}
{
"jsonrpc": "2.0",
"id": 2,
"result": {
"grant_id": "f7a8b9c0-d1e2-3456-f012-456789012345",
"bearer_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkNGU1ZjZhNyIsInNjb3BlIjpbImFjY291bnRzOnJlYWQiLCJwYXltZW50czppbml0aWF0ZSJdfQ.signature",
"expires_at": "2026-05-04T13:00:00Z",
"scope": ["accounts:read", "payments:initiate"],
"policy_version": 3
}
}
{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32602,
"message": "requested scope 'treasury:yield-allocate' not in current grant; cannot self-escalate",
"data": {
"reason_id": "scope_escalation"
}
}
}
{
"jsonrpc": "2.0",
"id": 2,
"error": {
"code": -32602,
"message": "step-up sigil was not valid, already redeemed, expired, or minted for a different reason",
"data": {
"reason_id": "step_up_sigil_invalid"
}
}
}
Errors
| Code | Name | Cause | Remediation |
|---|
-32600 | Invalid request | Malformed JSON-RPC envelope | Check method, jsonrpc, and id fields |
-32602 | Invalid params | Requested scope not present in current grant (scope escalation); ttl_seconds exceeds 3600; invalid sigil | Validate params; use step-up to acquire broader scope if needed |
-32000 | Unauthenticated | Missing Authorization header | Supply a valid Bearer token |
-32001 | Unauthorized | Grant token expired or revoked | Refresh token via agent.grant.refresh |
-32002 | Insufficient scope | Grant missing agent:budget:create scope | Issue new grant with agent:budget:create scope |
-32003 | Step-up required | First call without step_up_sigil; payload includes step_up_url | Redirect principal to step_up_url, then retry with the returned sigil |
-32603 | Internal error | Server-side error | Retry with backoff; contact support |
Step-up flow
agent.grant.issue unconditionally requires principal biometric approval. Every call without a valid step_up_sigil returns -32003. Here is the full two-call sequence:
Call 1 — trigger step-up
Send the request without step_up_sigil. The server mints a step-up session and returns -32003 with data.step_up_url.
Redirect principal
Open or redirect the principal’s browser to step_up_url. Glide’s step-up sheet prompts the principal to approve the scope + TTL using their registered Privy passkey or biometric. On approval the sheet redirects back to your redirect_uri with a sigil query parameter.
Call 2 — supply the redeemed sigil
Repeat the exact same call (same scope, same ttl_seconds) and include step_up_sigil from the redirect callback. The sigil is single-use; replaying it, or using a sigil minted for a different reason (e.g., rotate_signer), returns -32602 step_up_sigil_invalid.
For more detail on the step-up redirect flow, session lifecycle, and sigil expiry, see Step-up authentication.
Auth
Caller’s grant must include the agent:budget:create scope. Grants whose scope set is a superset of the required scope are accepted.
