Authenticate against Alloy using HTTP Basic Auth with YOUR_WORKFLOW_TOKEN:YOUR_WORKFLOW_SECRET encoded as Base64 in the Authorization header
POST https://sandbox.alloy.co/v1/journeys/{journey_token}/applications with body {entity_type:'business', name_business:'Acme LLC', ein:'YOUR_EIN', address_line1, address_city, address_state, address_postal_code}
Receive response with application_token and outcome ('approved', 'denied', 'manual_review')
If outcome is 'manual_review', poll GET /v1/journeys/{journey_token}/applications/{application_token} or subscribe to webhook events for final decision
Use GET /v1/entities/{entity_token}/evaluations to retrieve per-datasource results including SOS registration, watchlist, and UBO checks
For UBO sub-evaluations, inspect the persons array in the response to see individual owner verification outcomes
Known gotchas
Alloy uses separate workflow tokens per journey/use-case; using the wrong token returns a 401 even with valid credentials
Journey configuration (which data sources to call, decisioning rules) is managed in the Alloy dashboard, not via API; changes there affect all API callers immediately
Production and sandbox environments use different base URLs (sandbox.alloy.co vs api.alloy.co); test tokens are not valid in production
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp