> ## Documentation Index
> Fetch the complete documentation index at: https://docs.safefetch.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Action

> Creates an action and returns the full enriched action object.

If `Idempotency-Key` or `dedupe` matches an existing recent action, this returns that existing action with `deduplicated: true`.




## OpenAPI

````yaml POST /v1/actions
openapi: 3.1.0
info:
  title: SafeFetch API
  version: 0.1.0
  description: >
    SafeFetch HTTP API for managing actions.


    SafeFetch is a safety layer for AI actions that makes reliable HTTP requests
    to any URL you specify

    — API endpoints, internal services, third-party APIs — with retries, HMAC
    signatures,

    and stored results.


    Notes:

    - All response/request fields are snake_case.

    - IDs are prefixed strings (for example: act_xxx, acct_xxx), not UUIDs.

    - `/v1/*` routes require `Authorization: Bearer <api_key>`.

    - `X-Request-Id` is returned on every response.
servers:
  - url: /
security: []
tags:
  - name: System
  - name: Auth
  - name: Actions
paths:
  /v1/actions:
    post:
      tags:
        - Actions
      summary: Create action
      description: >
        Creates an action and returns the full enriched action object.


        If `Idempotency-Key` or `dedupe` matches an existing recent action, this
        returns that existing action with `deduplicated: true`.
      operationId: createAction
      parameters:
        - $ref: '#/components/parameters/XRequestId'
        - $ref: '#/components/parameters/IdempotencyKey'
        - $ref: '#/components/parameters/ContentTypeJson'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateActionRequest'
      responses:
        '200':
          description: Existing deduplicated/idempotent action returned
          headers:
            X-Request-Id:
              $ref: '#/components/headers/XRequestId'
          content:
            application/json:
              schema:
                allOf:
                  - $ref: '#/components/schemas/Action'
                  - type: object
                    required:
                      - deduplicated
                    properties:
                      deduplicated:
                        type: boolean
                        const: true
        '201':
          description: Action created
          headers:
            X-Request-Id:
              $ref: '#/components/headers/XRequestId'
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Action'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '405':
          $ref: '#/components/responses/MethodNotAllowed'
        '413':
          $ref: '#/components/responses/PayloadTooLarge'
        '429':
          $ref: '#/components/responses/RateLimited'
      security:
        - BearerAuth: []
components:
  parameters:
    XRequestId:
      name: X-Request-Id
      in: header
      required: false
      description: Optional client request ID. Echoed back on response.
      schema:
        type: string
    IdempotencyKey:
      name: Idempotency-Key
      in: header
      required: false
      description: Deduplicates create-action requests within a 24-hour window.
      schema:
        type: string
    ContentTypeJson:
      name: Content-Type
      in: header
      required: true
      schema:
        type: string
        pattern: ^application/json(;.*)?$
  schemas:
    CreateActionRequest:
      type: object
      required:
        - url
      additionalProperties: false
      properties:
        url:
          type: string
          format: uri
        method:
          $ref: '#/components/schemas/HttpMethod'
          default: POST
        body:
          type: object
          additionalProperties: true
        headers:
          type: object
          additionalProperties:
            type: string
        dedupe:
          type: string
        retries:
          type: integer
          minimum: 1
          maximum: 100
          default: 3
        approve:
          type: boolean
          default: false
        sync:
          type: boolean
          default: false
          description: >
            When true, the request blocks until the action reaches a terminal
            status (completed, failed, or cancelled) and returns the final
            action object. Default timeout is 30 seconds (max 120 seconds).
            Cannot be combined with `approve: true`.
        notify:
          type: object
          description: >
            Send a magic-link approval email when `approve: true`. The email
            contains approve and reject buttons. Requires `RESEND_API_KEY` to be
            configured.
          properties:
            email:
              type: string
              format: email
              description: Email address of the approver.
          required:
            - email
        callback:
          type: string
          format: uri
    Action:
      type: object
      required:
        - id
        - status
        - url
        - method
        - attempts
        - retries
        - created_at
        - approve
      properties:
        id:
          $ref: '#/components/schemas/ActionId'
        status:
          $ref: '#/components/schemas/ActionStatus'
        url:
          type: string
          format: uri
        method:
          $ref: '#/components/schemas/HttpMethod'
        body:
          oneOf:
            - type: object
              additionalProperties: true
            - type: 'null'
        headers:
          oneOf:
            - type: object
              additionalProperties:
                type: string
            - type: 'null'
        dedupe:
          type: string
          nullable: true
        attempts:
          type: integer
          minimum: 0
        retries:
          type: integer
          minimum: 1
          maximum: 100
        created_at:
          type: string
          format: date-time
        started_at:
          type: string
          format: date-time
          nullable: true
        finished_at:
          type: string
          format: date-time
          nullable: true
        next_retry_at:
          type: string
          format: date-time
          nullable: true
        last_error:
          type: string
          nullable: true
        response_code:
          type: integer
          nullable: true
        response_body:
          nullable: true
        duration_ms:
          type: integer
          nullable: true
        approve:
          type: boolean
        approved_at:
          type: string
          format: date-time
          nullable: true
        approved_by:
          type: string
          nullable: true
        callback:
          type: string
          format: uri
          nullable: true
        idempotency_key:
          type: string
          nullable: true
        retries_remaining:
          type: integer
          minimum: 0
        next_retry_in_seconds:
          type: integer
          minimum: 0
        actions:
          type: array
          items:
            type: string
            enum:
              - approve
              - cancel
              - retry
          description: Allowed operations for the current status.
        error:
          type: object
          nullable: true
          description: Structured error detail present when `status` is `failed`.
          required:
            - source
            - message
            - response_code
            - response_body
          properties:
            source:
              type: string
              enum:
                - target
                - dispatch
              description: >
                `target` — the target API returned a non-2xx response.
                `dispatch` — network error, DNS failure, or timeout.
            message:
              type: string
              description: Human-readable error message (same as `last_error`).
            response_code:
              type: integer
              nullable: true
              description: HTTP status code from the target (null for dispatch errors).
            response_body:
              nullable: true
              description: Response body from the target (null for dispatch errors).
        receipt_url:
          type: string
          format: uri-reference
          description: >
            Shareable URL for this action's receipt page (e.g. `/r/rcpt_...`).
            No authentication required — secured by the unguessable receipt
            token.
          nullable: true
        deduplicated:
          type: boolean
    HttpMethod:
      type: string
      enum:
        - GET
        - POST
        - PUT
        - PATCH
        - DELETE
    ActionId:
      type: string
      pattern: ^act_[A-Za-z0-9_-]+$
      example: act_M4qT8YH7xW2pL9nB
    ActionStatus:
      type: string
      enum:
        - pending
        - active
        - awaiting_approval
        - completed
        - failed
        - cancelled
    ErrorResponse:
      type: object
      required:
        - error
      properties:
        error:
          type: object
          required:
            - code
            - message
          properties:
            code:
              type: string
              enum:
                - missing_body
                - validation_error
                - missing_field
                - invalid_request
                - invalid_query
                - invalid_content_type
                - invalid_url
                - invalid_sync
                - unauthorized
                - rate_limited
                - payload_too_large
                - method_not_allowed
                - not_found
                - not_cancellable
                - not_approvable
                - not_retryable
                - email_taken
                - invalid_credentials
            message:
              type: string
            request_id:
              type: string
              pattern: ^req_[A-Za-z0-9_-]+$
            details:
              oneOf:
                - type: array
                  items:
                    $ref: '#/components/schemas/ValidationIssue'
                - type: object
                - type: string
    ValidationIssue:
      type: object
      required:
        - field
        - message
        - code
      properties:
        field:
          type: string
        message:
          type: string
        code:
          type: string
          const: invalid
  headers:
    XRequestId:
      description: Request identifier, echoed from request or generated server-side.
      schema:
        type: string
        pattern: ^req_[A-Za-z0-9_-]+$
  responses:
    ValidationError:
      description: Validation failed or malformed request body.
      headers:
        X-Request-Id:
          $ref: '#/components/headers/XRequestId'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized:
      description: Missing or invalid bearer token.
      headers:
        X-Request-Id:
          $ref: '#/components/headers/XRequestId'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    MethodNotAllowed:
      description: Method not allowed.
      headers:
        X-Request-Id:
          $ref: '#/components/headers/XRequestId'
        Allow:
          schema:
            type: string
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    PayloadTooLarge:
      description: Request body exceeds 1MB.
      headers:
        X-Request-Id:
          $ref: '#/components/headers/XRequestId'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    RateLimited:
      description: Too many requests for current account.
      headers:
        X-Request-Id:
          $ref: '#/components/headers/XRequestId'
        Retry-After:
          schema:
            type: string
            const: '1'
          description: Seconds until the rate-limit window resets.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: API Key

````