ACX | DOCUMENTATION

> 01 // Getting Started

Authentication

ACX APIs use mutual TLS (mTLS) authentication for classified deployments and API key authentication for standard integrations. All requests must include a valid authorization header. Keys are scoped to specific platforms and environments.

API Key Authentication

Header	Authorization: Bearer <API_KEY>
Format	acx_live_xxxxxxxxxxxxxxxxxxxx
Rotation	Every 90 days (mandatory)
Scoping	Per-platform, per-environment

Request Example

curl -X POST https://api.acx.systems/v3/aic/query \
  -H "Authorization: Bearer acx_live_k7x..." \
  -H "Content-Type: application/json" \
  -H "X-ACX-Enclave: us-east-1" \
  -d '{"prompt": "Analyze Q4 risk exposure"}'

mTLS Authentication (Classified)

For deployments within JWICS, SIPRNet, or equivalent classified networks, ACX uses mutual TLS with client certificates issued by your organization's PKI. Certificate provisioning requires completion of the ACX-SEC-400 onboarding module. Contact your deployment administrator for certificate signing requests.

const client = new ACX.Client({
  cert: fs.readFileSync('/path/to/client.pem'),
  key:  fs.readFileSync('/path/to/client-key.pem'),
  ca:   fs.readFileSync('/path/to/acx-ca.pem'),
  enclave: 'SIPR-EAST-02'
});

> 02 // Governance

Rate Limits

Rate limits are enforced per API key and vary by platform tier. Exceeding limits returns HTTP 429 with a Retry-After header. Enterprise contracts may negotiate custom limits.

Tier	Requests/min	Burst	Concurrency
Standard	60	10	5
Professional	600	50	25
Enterprise	6,000	500	100
Sovereign	Unlimited	Unlimited	Dedicated

Response headers on rate-limited requests:

X-RateLimit-Limit: 600
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1711152000
Retry-After: 34

> 03 // Error Handling

Error Codes

All ACX API errors return a structured JSON response with a machine-readable error code and human-readable message. Use the code field for programmatic handling.

HTTP	Code	Description
400	INVALID_REQUEST	Malformed request body or missing required fields
401	AUTH_FAILED	Invalid or expired API key / certificate
403	ENCLAVE_DENIED	Key not authorized for requested enclave zone
403	CLASSIFICATION_BREACH	Request would cross classification boundaries
404	ENTITY_NOT_FOUND	Referenced ontology node does not exist
409	ONTOLOGY_CONFLICT	Concurrent modification to the same entity graph
429	RATE_EXCEEDED	Rate limit exhausted. Retry after specified interval
500	INTERNAL_FAULT	Unrecoverable internal error. Incident auto-reported
503	ENCLAVE_OFFLINE	Target enclave undergoing maintenance or failover

{
  "error": {
    "code": "ENCLAVE_DENIED",
    "message": "API key acx_live_k7x... is not authorized for enclave SIPR-EAST-02",
    "request_id": "req_8f2a1b3c4d5e6f7a",
    "timestamp": "2026-03-22T18:04:11.042Z"
  }
}

> 04 // Platform APIs

AIC — Artificial Intelligence Core

Secure LLM inference and ontological ingestion within air-gapped perimeters.

POST/v3/aic/query

Inference request

Parameters

prompt *	string	Input query or instruction
model	string	Model variant (aic-4, aic-4-turbo)
temperature	float	0.0–2.0, default 0.7
max_tokens	integer	Max output tokens (default 4096)
context_refs	array	Ontology node IDs for RAG context

Response 200

{
  "id": "resp_a1b2c3d4e5",
  "output": "Based on ingested data...",
  "tokens_used": 847,
  "model": "aic-4-turbo",
  "latency_ms": 142,
  "classification": "SECRET"
}

PUT/v3/aic/ontology/ingest

Data ingestion

Stream documents into the AIC ontological layer. Accepts PDF, DOCX, JSON, and raw text. Files are encrypted at rest using AES-256-GCM. Maximum batch size: 500MB. Processing is asynchronous — use the webhook endpoint to receive completion callbacks.

documents *	File[]	Multipart file uploads
namespace	string	Ontology partition namespace
classification	enum	UNCLASSIFIED \| SECRET \| TOP_SECRET

Nexus — Enterprise Ontology Fabric

Entity resolution, relationship mapping, and knowledge graph operations across organizational boundaries.

POST/v3/nexus/entities/resolve

Entity resolution

entity *	object	Entity attributes for matching
threshold	float	Match confidence threshold (0.0–1.0)
graph_depth	integer	Relationship traversal depth (max 6)

{
  "matches": [
    {
      "entity_id": "nxs_e7f8a9b0",
      "confidence": 0.94,
      "relationships": 147
    }
  ],
  "graph_nodes_traversed": 12847
}

GET/v3/nexus/graph/{entity_id}

Graph traversal

Returns the full relationship graph for a resolved entity. Supports depth-limited traversals and filtered edge types. Response is streamed for graphs exceeding 10,000 nodes.

Vanguard — Tactical Edge Defense

Threat detection, anomaly classification, and perimeter defense at the infrastructure edge.

POST/v3/vanguard/scan

Threat scan

target *	string	IP range, domain, or asset ID
scan_type	enum	PASSIVE \| ACTIVE \| DEEP
threat_model	string	Custom threat model ID or "default"

{
  "scan_id": "vgd_scan_9x8y7z",
  "threats_detected": 3,
  "severity": "HIGH",
  "vectors": [
    "CVE-2026-1847",
    "ANOMALOUS_EGRESS",
    "LATERAL_MOVEMENT"
  ]
}

Horizon — Autonomous Fleet Deployment

Fleet telemetry ingestion, autonomous routing, and deployment orchestration.

POST/v3/horizon/fleet/deploy

Fleet deployment

fleet_id *	string	Registered fleet identifier
mission	object	Mission parameters and waypoints
autonomy_level	integer	1–5 (human-in-loop to full autonomy)
telemetry_freq	integer	Reporting interval in milliseconds

{
  "deployment_id": "hrz_d3p_4f5a6b",
  "status": "DEPLOYING",
  "units_active": 24,
  "eta_minutes": 47,
  "telemetry_stream": "wss://..."
}

> 08 // Advanced

Webhooks

ACX sends webhook events for asynchronous operations including ontology ingestion completion, threat alerts, fleet status changes, and entity resolution batches. All payloads are signed with HMAC-SHA256 using your webhook secret.

Event Types

aic.ingestion.completeOntology batch processed

vanguard.threat.detectedReal-time threat alert

horizon.fleet.status_changeUnit state transition

nexus.entity.resolvedBatch entity matching complete

system.enclave.failoverEnclave health event

Signature Verification

const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

SDKs

Official client libraries for ACX platform integration. All SDKs handle authentication, retry logic, rate limit backoff, and enclave routing automatically.

⬢

Node.js

npm i @acx/sdk

v3.2.1 — Stable

🐍

Python

pip install acx-sdk

v3.2.1 — Stable

🦀

Rust

cargo add acx-sdk

v3.2.0 — Stable

☕

Java

com.acx:sdk:3.2.1

v3.2.1 — Stable

Environments

ACX operates isolated environments for development, staging, and production. Classified enclaves are physically isolated with no cross-environment data paths.

Environment	Base URL	Auth
Development	https://dev.api.acx.systems/v3	API Key (test)
Staging	https://staging.api.acx.systems/v3	API Key (live)
Production	https://api.acx.systems/v3	API Key / mTLS
Classified	Provisioned per-enclave	mTLS only