{"success":true,"data":{"service":"apier.no","version":"1","rulebook_version":"pre-rulebook","locale":"nb-NO","capabilities":[{"id":"public.deadlines","name_en":"Norwegian business deadline calendar","name_nb":"Norsk forretningsfristkalender","description_en":"Use this to get the canonical list of universal Norwegian business deadlines for a calendar year (MVA terminer, A-melding, skattemelding, årsregnskap). Deterministic and already adjusted forward through weekends and Norwegian public holidays.","description_nb":"Hent den kanoniske listen over universelle norske forretningsfrister for et gitt kalenderår (MVA-terminer, A-melding, skattemelding, årsregnskap). Deterministisk og allerede justert fremover for helger og norske helligdager.","endpoint":{"method":"GET","path":"/api/v1/public/deadlines"},"auth":"none","tier_minimum":null,"category":"public-tool","openapi_operation_id":"getPublicDeadlines","example_request":"GET /api/v1/public/deadlines?year=2026","data_sources":["internal-static"],"freshness":"static"},{"id":"public.obligations","name_en":"Generic obligations by Norwegian entity type","name_nb":"Generelle obligasjoner per norsk selskapsform","description_en":"Use this to discover the universal obligations that apply to a given Norwegian entity type (AS, ENK, ANS, DA, NUF). Template layer only — call `getCompanyContext` plus `getPermissionState` when you need a per-company evaluation. Obligations with `tier_2_required: true` need a delegation before evaluation.","description_nb":"Oppdag de universelle obligasjonene som gjelder for en gitt norsk selskapsform (AS, ENK, ANS, DA, NUF). Kun mal-nivå — bruk `getCompanyContext` og `getPermissionState` for per-selskap-evaluering. Obligasjoner med `tier_2_required: true` krever delegering før evaluering.","endpoint":{"method":"GET","path":"/api/v1/public/obligations"},"auth":"none","tier_minimum":null,"category":"public-tool","openapi_operation_id":"getPublicObligations","example_request":"GET /api/v1/public/obligations?entity_type=AS","data_sources":["internal-static"],"freshness":"static"},{"id":"tools.exchange_rate","name_en":"Norges Bank NOK exchange rate","name_nb":"Valutakurs fra Norges Bank","description_en":"Use this to fetch the official NOK exchange rate for a currency and optional date. Weekends / holidays / pre-publication today fall back to the most recent prior business day; `data.date` is the actual publication date, `data.requested_date` is what you asked for.","description_nb":"Hent offisiell NOK-kurs fra Norges Bank for en valuta og en valgfri dato. Helger, helligdager og før publisering i dag faller tilbake til siste foregående virkedag; `data.date` er den faktiske publiseringsdatoen, `data.requested_date` er det du spurte om.","endpoint":{"method":"GET","path":"/api/v1/tools/exchange-rate"},"auth":"none","tier_minimum":null,"category":"public-tool","openapi_operation_id":"getExchangeRate","example_request":"GET /api/v1/tools/exchange-rate?currency=EUR&date=2026-04-10","data_sources":["norges-bank"],"freshness":"cached"},{"id":"tools.altinn_migration","name_en":"Altinn 2 → Altinn 3 migration lookup","name_nb":"Altinn 2 → Altinn 3 migrasjonsoppslag","description_en":"Use this to discover the Altinn 3 equivalent of an Altinn 2 service or role code before the 19 June 2026 deprecation deadline. Gate production migration actions on `verified === true`; unverified entries are convenience references only.","description_nb":"Finn Altinn 3-tilsvarende for en Altinn 2-tjeneste- eller rollekode før utfasingsfristen 19. juni 2026. Baser produksjonsmigreringer på `verified === true`; uverifiserte oppføringer er kun referanseinformasjon.","endpoint":{"method":"GET","path":"/api/v1/tools/altinn-migration"},"auth":"none","tier_minimum":null,"category":"public-tool","openapi_operation_id":"getAltinnMigration","example_request":"GET /api/v1/tools/altinn-migration?altinn2_code=A0208","data_sources":["digdir","internal-static"],"freshness":"static"},{"id":"company.context","name_en":"Company context (Tier 1 + Tier 2)","name_nb":"Selskapskontekst (Tier 1 + Tier 2)","description_en":"Use this as the canonical read on a Norwegian company: Tier 1 Brønnøysund fields plus the gated Tier 2 commercial metrics (employee count, turnover, balance-sheet total, MVA status) when the consumer has an active delegation. Response `data.data_tier` tells you which tier was served; `_meta.served_from` distinguishes cache vs live.","description_nb":"Kanonisk oppslag på et norsk selskap: Tier 1 Brønnøysund-felter og de lukkede Tier 2 kommersielle metrikkene (antall ansatte, omsetning, balansesum, MVA-status) når konsumenten har en aktiv delegering. `data.data_tier` viser hvilket nivå som ble levert; `_meta.served_from` skiller buffer fra live.","endpoint":{"method":"GET","path":"/api/v1/company/{org}/context"},"auth":"api_key","tier_minimum":"free","category":"company-data","openapi_operation_id":"getCompanyContext","example_request":"curl -H 'Authorization: Bearer <API_KEY>' https://apier.no/api/v1/company/123456789/context","data_sources":["brreg","internal-supabase"],"freshness":"cached"},{"id":"auth.permissions","name_en":"Check delegation status for an organisation","name_nb":"Sjekk delegasjonsstatus for en organisasjon","description_en":"Use this to poll whether the consumer already has an Altinn delegation for a given org. `data.status` is `full`, `partial`, or `none` — branch on it to decide whether to call `createSystemUserDelegation`.","description_nb":"Undersøk om konsumenten allerede har en Altinn-delegering for et gitt organisasjonsnummer. `data.status` er `full`, `partial` eller `none` — bruk den til å avgjøre om `createSystemUserDelegation` må kalles.","endpoint":{"method":"GET","path":"/api/v1/auth/permissions/{org}"},"auth":"api_key","tier_minimum":"free","category":"auth","openapi_operation_id":"getPermissionState","example_request":"curl -H 'Authorization: Bearer <API_KEY>' https://apier.no/api/v1/auth/permissions/123456789","data_sources":["altinn","internal-supabase"],"freshness":"live"},{"id":"auth.delegate","name_en":"Create an Altinn 3 System User delegation","name_nb":"Opprett en Altinn 3 System User-delegering","description_en":"Use this when `getPermissionState` returns `none` or `partial`. Altinn returns a `delegation_url` that the company's signing authority must visit before the delegation becomes `active`. Supports Idempotency-Key.","description_nb":"Kall når `getPermissionState` returnerer `none` eller `partial`. Altinn returnerer en `delegation_url` som selskapets signaturberettigede må besøke før delegeringen blir `active`. Støtter Idempotency-Key.","endpoint":{"method":"POST","path":"/api/v1/auth/system-user/delegate"},"auth":"api_key","tier_minimum":"free","category":"auth","openapi_operation_id":"createSystemUserDelegation","example_request":"curl -X POST -H 'Authorization: Bearer <API_KEY>' -H 'Content-Type: application/json' -d '{\"org_number\":\"123456789\",\"scopes\":[\"altinn:instances.read\"]}' https://apier.no/api/v1/auth/system-user/delegate","data_sources":["altinn"],"freshness":"live"},{"id":"auth.approval_token","name_en":"Mint a single-use approval token for a high-risk action","name_nb":"Generer et engangs-godkjenningstoken for en høyrisikohandling","description_en":"Use this ONLY after a human operator in the consumer's UI has explicitly confirmed the action. The plaintext token is returned exactly once and must be presented in `X-Approval-Token` on the subsequent write call — downstream endpoints treat it as proof-of-consent.","description_nb":"Kall kun etter at en menneskelig operatør i konsumentens UI eksplisitt har bekreftet handlingen. Klartekstverdien returneres nøyaktig én gang og må sendes i `X-Approval-Token` på det påfølgende skrivekallet — nedstrøms-endepunkter behandler det som samtykkebevis.","endpoint":{"method":"POST","path":"/api/v1/auth/approval-token"},"auth":"api_key","tier_minimum":"free","category":"auth","openapi_operation_id":"mintApprovalToken","example_request":"curl -X POST -H 'Authorization: Bearer <API_KEY>' -H 'Content-Type: application/json' -d '{\"org_number\":\"123456789\",\"action_id\":\"filing.submit\"}' https://apier.no/api/v1/auth/approval-token","data_sources":["internal-supabase"],"freshness":"live"},{"id":"company.audit","name_en":"Read consumer's own audit trail for a company","name_nb":"Les egen sporingslogg for en virksomhet","description_en":"Use this to read the slice of the immutable Sporingslogg (audit_log) that THIS consumer wrote against a single org_number — keyset-paginated, time-ordered, with optional filters on action / initiated_by / since / until. Cross-consumer visibility is structurally impossible: the auth boundary is consumer_id (resolved from your API key), and the URL org_number is a within-namespace filter. Each row carries correlation_id (joins to provenance_log / evaluation_snapshots / compliance_state_events from the same request), initiated_by (human / agent / cron / system / unknown), and schema_version. Sensitive keys in `details` are auto-redacted at write AND read time. Empty result returns 200 with `data: []` (NEVER 404 — that would leak existence across consumers). Requires API key with read:audit scope.","description_nb":"Les den delen av den uforanderlige Sporingsloggen (audit_log) som DENNE konsumenten har skrevet mot et bestemt organisasjonsnummer — markørbasert paginering, sortert etter tid, med valgfrie filtre på action / initiated_by / since / until. Det er strukturelt umulig å se andre konsumenters rader: autentiseringsgrensen er consumer_id (utledet fra API-nøkkelen din), og URL-ens org_number er et filter innenfor ditt eget navnerom. Hver rad bærer correlation_id (forener med provenance_log / evaluation_snapshots / compliance_state_events fra samme forespørsel), initiated_by (human / agent / cron / system / unknown) og schema_version. Sensitive nøkler i `details` redigeres automatisk både ved skriving og lesing. Tomt resultat returnerer 200 med `data: []` (ALDRI 404 — det ville lekke eksistens på tvers av konsumenter). Krever API-nøkkel med read:audit-scope.","endpoint":{"method":"GET","path":"/api/v1/company/{org}/audit"},"auth":"api_key","tier_minimum":"free","category":"company-data","openapi_operation_id":"readCompanyAuditTrail","example_request":"curl -H 'Authorization: Bearer <API_KEY>' 'https://apier.no/api/v1/company/123456789/audit?limit=50&initiated_by=agent'","data_sources":["internal-supabase"],"freshness":"live"},{"id":"changes.query","name_en":"Query the cross-source change archive","name_nb":"Søk på endringsarkivet på tvers av kilder","description_en":"Paginated, filterable read over every detected created/updated/deleted event in Apier's change archive — Brreg ingestion (PR-023b) plus the multi-source pollers for Altinn schemas, DigDir policies, and Norges Bank rates (PR-023c). Filterable by source / entity_type / entity_id / change_type / from–to date range. Cursor-paginated with HMAC-signed cursors so consumers can't tamper with keyset offsets. Requires API key with read:changes scope.","description_nb":"Paginert, filtrerbart oppslag mot endringsarkivet — Brreg-ingestjon (PR-023b) og multi-kilde-pollerne for Altinn-skjemaer, DigDir-policyer og Norges Bank-kurser (PR-023c). Filtrerbart på source / entity_type / entity_id / change_type / fra–til-dato. Markørbasert paginering med HMAC-signerte markører. Krever API-nøkkel med read:changes-scope.","endpoint":{"method":"GET","path":"/api/v1/changes"},"auth":"api_key","tier_minimum":"starter","category":"company-data","openapi_operation_id":"queryChanges","example_request":"curl -H 'Authorization: Bearer <API_KEY>' 'https://apier.no/api/v1/changes?source=brreg&entity_id=998877665&from=2026-01-01T00:00:00Z'","data_sources":["internal-supabase"],"freshness":"live"},{"id":"subscriptions.create","name_en":"Subscribe to change-archive deltas via webhook","name_nb":"Abonner på endringsarkiv-deltaer via webhook","description_en":"Create a subscription that pushes filtered change-archive events to your webhook URL. Apier signs every delivery with HMAC-SHA256 over `<timestamp>.<body>` (Stripe-style). The plaintext webhook secret is returned ONCE on create — store it client-side. URLs are SSRF-validated at create AND at every delivery; private CIDRs / metadata-endpoint hosts / .local suffixes are rejected. Requires API key with subscribe:webhooks scope.","description_nb":"Opprett et abonnement som sender filtrerte endringsarkiv-hendelser til din webhook-URL. Apier signerer hver leveranse med HMAC-SHA256 over `<tidsstempel>.<kropp>` (Stripe-stil). Klartekst-hemmeligheten returneres ÉN GANG ved opprettelse — lagre den klient-side. URLer SSRF-valideres ved opprettelse OG ved hver leveranse; private CIDR-er / metadata-endepunkter / .local-suffikser avvises. Krever API-nøkkel med subscribe:webhooks-scope.","endpoint":{"method":"POST","path":"/api/v1/subscriptions"},"auth":"api_key","tier_minimum":"professional","category":"company-data","openapi_operation_id":"createSubscription","example_request":"curl -X POST -H 'Authorization: Bearer <API_KEY>' -H 'Content-Type: application/json' -d '{\"webhook_url\":\"https://yourapp.example/hooks\",\"filter\":{\"source\":\"brreg\"}}' https://apier.no/api/v1/subscriptions","data_sources":["internal-supabase"],"freshness":"live"},{"id":"subscriptions.list","name_en":"List your active webhook subscriptions","name_nb":"Vis dine aktive webhook-abonnementer","description_en":"Lists active subscriptions belonging to the calling consumer. Secret material is NEVER returned — only metadata. Inactive subscriptions are not included.","description_nb":"Lister aktive abonnementer som tilhører den kallende konsumenten. Hemmelighet returneres ALDRI — kun metadata. Inaktive abonnementer er ikke inkludert.","endpoint":{"method":"GET","path":"/api/v1/subscriptions"},"auth":"api_key","tier_minimum":"professional","category":"company-data","openapi_operation_id":"listSubscriptions","example_request":"curl -H 'Authorization: Bearer <API_KEY>' https://apier.no/api/v1/subscriptions","data_sources":["internal-supabase"],"freshness":"live"},{"id":"subscriptions.delete","name_en":"Delete a webhook subscription","name_nb":"Slett et webhook-abonnement","description_en":"Soft-deletes a subscription (active=false). Idempotent. Cross-consumer access returns 404 to prevent existence leaks.","description_nb":"Soft-sletter et abonnement (active=false). Idempotent. Tilgang på tvers av konsumenter returnerer 404 for å hindre eksistens-lekkasje.","endpoint":{"method":"DELETE","path":"/api/v1/subscriptions/{id}"},"auth":"api_key","tier_minimum":"professional","category":"company-data","openapi_operation_id":"deleteSubscription","example_request":"curl -X DELETE -H 'Authorization: Bearer <API_KEY>' https://apier.no/api/v1/subscriptions/550e8400-e29b-41d4-a716-446655440000","data_sources":["internal-supabase"],"freshness":"live"},{"id":"admin.keys.create","name_en":"Create an API key for a consumer (admin)","name_nb":"Opprett en API-nøkkel for en konsument (admin)","description_en":"Operator-only — requires the ADMIN_API_KEY bearer secret. Returns the plaintext key exactly once; only the SHA-256 hash is stored. Maximum three active keys per consumer.","description_nb":"Kun operatør — krever ADMIN_API_KEY som Bearer-hemmelighet. Returnerer klartekstnøkkelen nøyaktig én gang; kun SHA-256-hashen lagres. Maksimalt tre aktive nøkler per konsument.","endpoint":{"method":"POST","path":"/api/v1/admin/keys"},"auth":"admin_api_key","tier_minimum":null,"category":"admin","openapi_operation_id":"createApiKey","example_request":"curl -X POST -H 'Authorization: Bearer <ADMIN_API_KEY>' -H 'Content-Type: application/json' -d '{\"consumer_id\":\"uuid...\"}' https://apier.no/api/v1/admin/keys","data_sources":["internal-supabase"],"freshness":"live"},{"id":"admin.keys.list","name_en":"List active API keys for a consumer (admin)","name_nb":"List aktive API-nøkler for en konsument (admin)","description_en":"Operator-only. Lists active (non-revoked) keys for a consumer. Never returns plaintext — only key metadata (id, label, created_at).","description_nb":"Kun operatør. Lister aktive (ikke tilbakekalte) nøkler for en konsument. Returnerer aldri klartekst — kun nøkkelmetadata (id, label, created_at).","endpoint":{"method":"GET","path":"/api/v1/admin/keys"},"auth":"admin_api_key","tier_minimum":null,"category":"admin","openapi_operation_id":"listApiKeys","example_request":"curl -H 'Authorization: Bearer <ADMIN_API_KEY>' 'https://apier.no/api/v1/admin/keys?consumer_id=<UUID>'","data_sources":["internal-supabase"],"freshness":"live"},{"id":"admin.keys.revoke","name_en":"Revoke an API key (admin)","name_nb":"Tilbakekall en API-nøkkel (admin)","description_en":"Operator-only. Soft-revokes a key by setting `is_revoked=true` and `revoked_at=now()`. Irreversible.","description_nb":"Kun operatør. Myk tilbakekalling av en nøkkel ved å sette `is_revoked=true` og `revoked_at=now()`. Irreversibel.","endpoint":{"method":"DELETE","path":"/api/v1/admin/keys/{id}"},"auth":"admin_api_key","tier_minimum":null,"category":"admin","openapi_operation_id":"revokeApiKey","example_request":"curl -X DELETE -H 'Authorization: Bearer <ADMIN_API_KEY>' https://apier.no/api/v1/admin/keys/<KEY_UUID>","data_sources":["internal-supabase"],"freshness":"live"},{"id":"discovery.recipes","name_en":"Human-readable workflow recipes page","name_nb":"Menneskelesbare oppskrifter for arbeidsflyter","description_en":"Use this as the human-readable counterpart to /workflows.json. SSR HTML page that renders one section per canonical workflow: intent, steps, failure modes, agent_instructions, and a copy-paste cURL example. Content is derived from the same manifest /workflows.json serves — update the manifest and this page updates with it. Not a JSON API; intended for developers and as a crawlable page for AI agents that prefer HTML.","description_nb":"Bruk denne som menneskelesbar motpart til /workflows.json. SSR HTML-side som viser én seksjon per kanoniske arbeidsflyt: intensjon, trinn, feilmoduser, agent_instructions og et klipp-og-lim cURL-eksempel. Innholdet er avledet fra samme manifest som /workflows.json — endringer i manifestet reflekteres her automatisk. Ikke et JSON-API; ment for utviklere og som en crawlbar side for AI-agenter som foretrekker HTML.","endpoint":{"method":"GET","path":"/recipes"},"auth":"none","tier_minimum":null,"category":"discovery","openapi_operation_id":"getRecipesPage","example_request":"curl https://apier.no/recipes","data_sources":["internal-static"],"freshness":"static"},{"id":"discovery.comparison.direct-integration","name_en":"Apier vs direct integration comparison","name_nb":"Apier mot direkteintegrasjon — sammenligning","description_en":"Use this to fetch the structured Apier-vs-alternative comparison matrix (direct Altinn / Brønnøysund / Skatteetaten integration vs HTML scraping vs Apier). Machine-readable, not marketing — nulls on competitor metrics are intentional honesty markers. Agents planning a build-vs-buy decision read this once and branch on `recommendation` + the feature booleans.","description_nb":"Hent den strukturerte matrisen som sammenligner Apier med alternativer (direkteintegrasjon mot Altinn / Brønnøysund / Skatteetaten, HTML-skraping, Apier). Maskinlesbar, ikke markedsføring — null-verdiene på konkurrentmålepunkter er bevisste markører for hva Apier ikke måler. Agenter som planlegger bygg-eller-kjøp leser dette én gang og forgrener på `recommendation` + de booleske kapabilitetene.","endpoint":{"method":"GET","path":"/api/v1/comparison/direct-integration"},"auth":"none","tier_minimum":null,"category":"discovery","openapi_operation_id":"getComparisonDirectIntegration","example_request":"curl https://apier.no/api/v1/comparison/direct-integration","data_sources":["internal-static"],"freshness":"static"},{"id":"actions.execute_dry_run","name_en":"Validate (dry-run) or submit (live) a filing action","name_nb":"Valider (dry-run) eller send inn (live) en innleveringshandling","description_en":"Two discriminated behaviours on the same endpoint, selected by the `?dry_run=true` query parameter.\n\nDRY-RUN MODE (`?dry_run=true`) — validates a filing-action payload (mva_melding OR a_melding — both are accepted on dry-run) against five preflight checks WITHOUT submitting anything to Altinn / Skatteetaten / NAV. Returns 200 with a structured DryRunOutcome listing each check's pass/fail. The disclaimer reminds agents that a passing dry-run is NOT a guarantee of submission success.\n\nLIVE-EXECUTE MODE (?dry_run omitted or any value other than 'true') — when Maskinporten production approval is enabled, submits the filing to Altinn 3 (which routes to the Skatteetaten / NAV service owner). UNTIL THAT GATE CLEARS, the endpoint contract is shipped but the submitter is mock-backed (ALTINN_MODE=mock — the default; the per-integration switch per CLAUDE.md Rule 12, distinct from MASKINPORTEN_MODE which gates the Maskinporten auth layer): the route runs end-to-end through receipt signing + persistence + audit chain, but the upstream `altinn_receipt_id` is the deterministic SHA-256-derived MOCK-ALT-* value from the mock submitter. Production rollout requires Maskinporten production credentials + Skatteetaten MVA-melding service-owner approval + a live submitter implementation in src/lib/altinn/live-submitter.ts + DECISIONS.md sign-off (see DECISIONS.md PR-077 §1 for the full activation checklist). v1 supports mva_melding only on the LIVE path; a_melding live submission is gated on the live NAV integration and returns 403 PLAN_INSUFFICIENT in live mode (a_melding dry-run validation IS supported — only live submission is blocked).\n\nThree additional contracts on top of dry-run: (1) Idempotency-Key REQUIRED — a missing key returns 400 IDEMPOTENCY_KEY_REQUIRED. (2) X-Approval-Token REQUIRED — a single-use token minted via auth.approval_token, atomically consumed via the migration 033 RPC; rejected tokens map to APPROVAL_TOKEN_INVALID/USED/EXPIRED/MISMATCH. (3) Preconditions MUST pass — the same five dry-run checks run as a precondition gate; failures return 422 with the failed check list and do NOT consume the approval token (the agent can fix inputs and retry). Success returns 200 with a HMAC-SHA256-signed receipt envelope (mock or live mode). Audit chain: successful submission → `submit_mva` row; authorisation failure → `execute_authorization_failed`; post-consume submission failure → `submit_mva_failed`.","description_nb":"To diskriminerte oppførsler på samme endepunkt, valgt med `?dry_run=true`-spørringsparameteren.\n\nTØRRKJØRING (`?dry_run=true`) — valider en innleveringshandling (mva_melding ELLER a_melding — begge støttes på dry-run) mot fem forhåndssjekker UTEN å sende noe til Altinn / Skatteetaten / NAV. Returnerer 200 med et strukturert DryRunOutcome som lister hver sjekks pass/fail. Disclaimer-feltet minner om at en bestått tørrkjøring IKKE garanterer at den faktiske innleveringen lykkes.\n\nLIVE-UTFØRELSE (?dry_run utelatt eller noe annet enn 'true') — når Maskinporten produksjonsgodkjenning er aktivert, send innleveringen til Altinn 3 (videre til Skatteetaten / NAV). INNTIL DEN PORTEN ER ÅPNET er endepunktets kontrakt levert, men innsenderen er mock-basert (ALTINN_MODE=mock — default; per-integrasjons-bryteren per CLAUDE.md Rule 12, atskilt fra MASKINPORTEN_MODE som styrer Maskinporten-auth-laget): ruten kjører ende-til-ende gjennom kvitteringssignering + persistens + sporingslogg, men oppstrøms `altinn_receipt_id` er den deterministiske SHA-256-utledede MOCK-ALT-*-verdien fra mock-innsenderen. Produksjons-utrulling krever Maskinporten produksjonscredentials + Skatteetaten MVA-melding service-owner-godkjenning + en live submitter-implementasjon i src/lib/altinn/live-submitter.ts + DECISIONS.md sign-off (se DECISIONS.md PR-077 §1 for full aktiveringssjekkliste). v1 støtter kun mva_melding på LIVE-stien; a_melding live-innsending er sperret bak live NAV-integrasjonen og returnerer 403 PLAN_INSUFFICIENT i live-modus (a_melding dry-run-validering støttes — kun live-innsending er blokkert).\n\nTre ekstra kontrakter utover dry-run: (1) Idempotency-Key PÅKREVD — manglende nøkkel returnerer 400 IDEMPOTENCY_KEY_REQUIRED. (2) X-Approval-Token PÅKREVD — engangstoken generert via auth.approval_token, atomisk forbrukt via migrasjon 033 RPC. (3) Forhåndssjekkene MÅ passere — samme fem dry-run-sjekker kjøres som gate; feil returnerer 422 og forbruker IKKE tokenet (agenten kan rette opp og prøve igjen). Suksess returnerer 200 med HMAC-SHA256-signert kvitteringspakke (mock eller live modus). Sporingskjede: vellykket → `submit_mva`-rad; autorisasjonsfeil → `execute_authorization_failed`; innsending-feil-etter-token-forbruk → `submit_mva_failed`.","endpoint":{"method":"POST","path":"/api/v1/actions/execute"},"auth":"api_key","tier_minimum":"free","category":"actions","openapi_operation_id":"dryRunExecuteAction","example_request":"Dry-run: POST /api/v1/actions/execute?dry_run=true with headers { Authorization: Bearer <KEY> } and body { org_number, action_type, period, payload }. Live-execute: POST /api/v1/actions/execute with headers { Authorization: Bearer <KEY>, Idempotency-Key: <UUID>, X-Approval-Token: <token> } and body { org_number, action_type: \"mva_melding\", period, payload }. Both modes require API-key auth via Authorization header (round 5 manifest fix — was previously omitted from the dry-run half).","data_sources":["brreg","internal-rulebook","delegations","altinn","internal-supabase"],"freshness":"live"}],"available_scopes":["read:brreg","read:altinn","read:digdir","read:norgesbank","read:changes","read:audit","read:actions","read:rulebook","subscribe:webhooks","admin:keys"],"actions":{"dry_run_supported":true,"execute_supported":false,"action_types":["mva_melding","a_melding"]},"sandbox":{"available":true,"base_url":"https://www.apier.no/api/v1/sandbox","reserved_test_org_numbers":["999000001","999000002","999000003","999000004","999000005"],"reserved_error_org_numbers":{"999000901":"AUTH_MISSING_DELEGATION","999000902":"AUTH_EXPIRED_TOKEN","999000903":"VALIDATION_FAILED","999000904":"SCOPE_MISSING"},"simulate_error_param":"?simulate_error=<missing_delegation|invalid_token|validation_error|scope_missing>","supported_error_codes":["missing_delegation","invalid_token","validation_error","scope_missing"],"cors":"open","determinism":"byte-equivalent except _meta.response_timestamp"},"mcp":{"available":true,"server_url":"https://www.apier.no/api/mcp","schema_version":"2026.5.0","protocol":"json-rpc-2.0","tools_count_initial":3,"tools_count_active":12,"tools_count_planned":12,"deferred_tool_prs":[]},"multi_agent_safety":{"write_conflict_detection":true,"conflict_lock_ttls":{"mva_filing":600,"amelding_filing":300,"skattemelding_filing":1200,"aarsregnskap_filing":1800,"maskinporten_delegate":60}},"discovery":{"openapi":"/openapi.json","llms_txt":"/llms.txt","llms_full_txt":"/llms-full.txt","mcp_manifest":"/.well-known/mcp.json","ai_plugin_manifest":"/.well-known/ai-plugin.json","security_txt":"/.well-known/security.txt","data_sovereignty":"/.well-known/data-sovereignty","workflows":"/workflows.json","mcp_endpoint":"/api/mcp"}},"_meta":{"rulebook_version":"1.0.0","data_freshness":"2026-04-29T00:00:00.000Z","last_verified":"2026-05-21T17:28:50.655Z","source":"apier.no internal manifest","schema_version":"1.1.0","response_timestamp":"2026-05-21T17:28:50.655Z","served_from":"static","response_hash":"sha256:4dfbb03e004bc27e88660528241549522bf0e5345eabe68de2c28626e7c07a60"}}