GPAI Pack
The GPAI Pack API generates the EU AI Act Article 53
provider-side documentation pack for a registered GPAI (General-
Purpose AI) agent in one synchronous call. Article 53 imposes
four documentation obligations on providers of GPAI models
placed on the EU market: technical documentation under
§ 1(a), downstream-provider information under § 1(b),
copyright-compliance policy under § 1(c), and a sufficiently
detailed training-data summary under § 1(d). The endpoint
returns a JSON envelope containing the six artefacts that
together satisfy the obligations — the ML-BOM, the
technical document, the downstream info sheet, the copyright
policy, the training summary, and a manifest with per-artefact
SHA-256 digests. Tested against API version v1. Mounted at
/api/v1/gpai. JWT auth; plan-gated by gpaiPack
(Enterprise+).
When this endpoint applies
The pack is for organisations operating as GPAI providers in the EU AI Act sense (Art. 3(63)) — entities that develop, place on the market, or put into service a general-purpose AI model. Most Adjudon customers are deployers, not providers, and do not need this resource; the deployer-side artefacts live on the Deployer Profile API. Providers re-using upstream models from a third party (e.g. a deployer fine-tuning a public foundation model) inherit certain Art. 53 obligations only when fine-tuning crosses the "significant modification" threshold — the legal determination is the operator's, not Adjudon's.
Endpoint
GET /api/v1/gpai/pack/:agentId
Returns the full pack as a JSON envelope with every artefact
inline. Adjudon does not stream a ZIP today — the JSON pack
is what the dashboard renders inline, and ZIP assembly is the
client's responsibility (a lightweight worker or browser-side
archiver is enough). Pulling in archiver server-side would
add a dependency for a feature most consumers handle better
client-side.
curl https://api.adjudon.com/api/v1/gpai/pack/customer-support-bot \
-H "Authorization: Bearer $ADJUDON_JWT" \
-o gpai-pack.json
The six artefacts
| Artefact | Filename in the pack | Article 53 paragraph |
|---|---|---|
| ML-BOM (CycloneDX 1.7) | modelCard.json | (cross-cutting — informs all four sub-paragraphs) |
| Annex XI technical documentation | technicalDoc.md | § 1(a) |
| Downstream-provider information | downstreamInfo.md | § 1(b) |
| Copyright-opt-out / TDM-exception evidence | copyrightPolicy.md | § 1(c) |
| Sufficiently-detailed training-data summary | trainingSummary.md | § 1(d) |
| Pack manifest with content digests | manifest.json | (cross-cutting) |
The ML-BOM is re-used from the
mlBomService that
attaches a CycloneDX 1.7 bundle per trace; the GPAI pack pulls
the latest BOM for the agent and inlines it. The Annex XI
technical document is generated server-side from the agent's
metadata (provider name, model name, version, intended purpose,
training-data summary fields if recorded). The training-data
summary is generated from the agent's meta.trainingDataSummary
field if populated; otherwise the artefact contains a placeholder
narrative pointing at the upstream provider's published summary
— the AI Office's Art. 53(1)(d) template prescribes the
shape, not the source, so a downstream provider can legitimately
reference the upstream's summary.
Pack manifest
The manifest.json artefact is the auditor's first read. It
carries:
| Field | Description |
|---|---|
agentId | Target agent identifier |
generatedAt | ISO 8601 timestamp |
articles | Map of art-53-1-a → <artefact-filename> → <sha256-hex> |
bomDigest | SHA-256 of the embedded CycloneDX BOM |
provider | Provider organisation name (snapshot at generation time) |
The digests are computed over the canonicalised content of each
artefact, so an auditor can re-fetch the pack months later and
confirm the artefact text has not drifted. A pack stored to S3
or a Git repository can be cross-checked against the
manifest.json digest set in seconds.
Common gotchas
- Plan-gated. The whole resource requires
gpaiPack(Enterprise+). Sandbox / Scale / Governance / Custom-without- the-feature receive403 UPGRADE_REQUIRED. - Provider, not deployer. Customers operating as deployers rather than providers should use the Deployer Profile API instead. Generating a GPAI pack for a system you do not provide is a category error and a regulator-readable mismatch.
- Training-data summary placeholder. When the agent's
meta.trainingDataSummaryfield is empty, the pack inlines a placeholder narrative pointing at the upstream provider's published summary. Providers must populate the field before the pack is regulator-ready. - Synchronous generation. The pack is built on every call — no caching, no background job. Repeated calls for the same agent regenerate from the latest ML-BOM and Agent metadata, so a freshly-recorded training-summary edit appears in the next pack without a TTL window.
- No ZIP server-side today. The endpoint returns JSON;
ZIP assembly is the client's job. The dashboard ships a
Web-Worker-based ZIP builder; non-dashboard consumers can
use any standard library (
zipin Python,JSZipin Node). - Idempotency. Read-only endpoint; nothing to replay.
Repeated calls produce equivalent packs (
generatedAtdiffers, content digests do not change unless the underlying Agent metadata or BOM changed).
See also
- Deployer Profile API — the deployer-side companion under EU AI Act Art. 26
- EU AI Act Compliance — the regulator-specific evidence pack covering Art. 53 in context
- Agents API — where the agent's metadata fields populated for the pack live
- Plans & Features —
the
gpaiPackandmlBomfeature gates - Error Codes — the broader error taxonomy