API: Agent tokens

• read_items allows reading items and inbox entries.
• update_workflow_status allows claim, release, done, and reopen updates.

Lists active tokens for the signed-in user. This route currently requires a signed-in web session and does not accept personal agent tokens as its own auth mechanism.

Creates a new personal token and returns the raw secret once. Store it immediately. The API acceptsname, scopes, and optional expires_in_days.

curl -X POST \
  "https://actupon.app/api/screenshotaction/agent-tokens" \
  -H "Authorization: Bearer <signed_in_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Codex local",
    "scopes": ["read_items", "update_workflow_status"],
    "expires_in_days": "30"
  }'

Most public read and workflow endpoints use standard bearer auth. If the bearer token is not a signed-in user JWT, ActUpon checks whether it is a valid personal agent token with the required scope for that route.