# Admin API Overview

> Manage trunks, service accounts, certificates, and AI agent DAGs.

The ClutchCall gateway exposes a second RPC surface — the **Admin API** —
in addition to the call-control RPCs documented under [RPC](/rpc/overview).
The Admin API is what tenants and operators use to configure the platform
itself: provisioning SIP trunks, rotating service-account keys, swapping
TLS certificates without a restart, and publishing AI agent DAGs.

> **WARNING:**
> **No SDK is provided for the Admin API.** The public-facing SDKs
> (`clutchcall`, `@clutchcall/sdk`, `github.com/clutchcall/clutchcall-sdk/go`, …) cover
> *call-control* RPCs only — they deliberately do not bundle admin
> methods. Tenants and operators talk to the admin gateway directly using
> the [raw RPC envelope](/rpc/envelope-format) over QUIC. The schemas on
> the following pages give you everything you need to drive it from any
> QUIC client.

## Endpoint

```
quic://admin.clutchcall.dev:9090   (ALPN: h3)
```

The admin gateway is a logically distinct service on the same QUIC port —
it just terminates a different `service_name` (`admin_gateway` instead of
`clutchcall`). Method IDs are CRC-derived from the admin namespace,
so they will not collide with the public RPC table.

## Authentication

Every admin request carries an `admin_token` field on the wire. The token
is a JWT minted from a service account with the `admin` role, signed
identically to the regular SDK JWTs (see [Authentication](/concepts/authentication)).

`BootstrapOrg` is the only exception — it accepts a one-shot bootstrap
secret instead, since it's the call you make to mint the very first
admin service account for a brand-new tenant.

## What's covered

  - **[Trunks](/admin/trunks)** — `AddTrunk`, `UpdateTrunk`, `RemoveTrunk`, `GetTrunk`. Configure SIP/RTP
    addressing, codec preferences, inbound rules, and AI handoff URLs.
  - **[Service Accounts](/admin/service-accounts)** — `SessionAuth`, `PublishServiceAccount`, `RevokeServiceAccount`.
    Lifecycle for the JWT signing keys your SDKs use.
  - **[Certificates](/admin/certificates)** — `ReloadCertificates`. Hot-swap the gateway's TLS material without
    dropping in-flight QUIC connections.
  - **[Organisation](/admin/organisation)** — `BootstrapOrg`. One-shot setup for a new tenant.
  - **[Agent DAGs](/admin/agent-dags)** — `PublishAgentDag`, `GetAgentDag`, `ListAgentDags`, `DeleteAgentDag`.
    Define the AI orchestration graphs that calls bind to.

## Method table

| Method                  | Request DTO                       | Response DTO                  |
| ----------------------- | --------------------------------- | ----------------------------- |
| `AddTrunk`              | `AddTrunkRequest`                 | `Empty`                       |
| `UpdateTrunk`           | `UpdateTrunkRequest`              | `Empty`                       |
| `RemoveTrunk`           | `RemoveTrunkRequest`              | `Empty`                       |
| `GetTrunk`              | `GetTrunkRequest`                 | `GetTrunkResponse`            |
| `ReloadCertificates`    | `ReloadCertificatesRequest`       | `ReloadCertificatesResponse`  |
| `SessionAuth`           | `SessionAuthRequest`              | `SessionAuthResponse`         |
| `PublishServiceAccount` | `PublishServiceAccountRequest`    | `Empty`                       |
| `RevokeServiceAccount`  | `RevokeServiceAccountRequest`     | `Empty`                       |
| `BootstrapOrg`          | `BootstrapOrgRequest`             | `BootstrapOrgResponse`        |
| `PublishAgentDag`       | `PublishAgentDagRequest`          | `PublishAgentDagResponse`     |
| `GetAgentDag`           | `GetAgentDagRequest`              | `GetAgentDagResponse`         |
| `ListAgentDags`         | `ListAgentDagsRequest`            | `ListAgentDagsResponse`       |
| `DeleteAgentDag`        | `DeleteAgentDagRequest`           | `Empty`                       |

The wire envelope is identical to the public RPC — same
`[u32 length][u32 method_id][serde body]` framing. See
[Envelope Format](/rpc/envelope-format).
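
The following Python is an added example, not ClutchCall code: it builds an admin frame in the `[u32 length][u32 method_id][body]` layout and parses it strictly, rejecting oversized declared lengths and method IDs outside the admin table before any body is buffered. The page does not state the byte order, what `length` counts, the CRC input, or a size limit, so little-endian fields, a body-only length, zlib CRC-32 over `admin_gateway.<Method>`, and the 1 MiB cap are all assumptions; take the real values from [Envelope Format](/rpc/envelope-format).

```python
import struct
import zlib

# Admin method names, taken from the method table on this page.
ADMIN_METHODS = [
    "AddTrunk", "UpdateTrunk", "RemoveTrunk", "GetTrunk", "ReloadCertificates",
    "SessionAuth", "PublishServiceAccount", "RevokeServiceAccount",
    "BootstrapOrg", "PublishAgentDag", "GetAgentDag", "ListAgentDags",
    "DeleteAgentDag",
]
MAX_BODY = 1 << 20  # ASSUMPTION: 1 MiB cap; the page states no limit


def method_id(name, service="admin_gateway"):
    # ASSUMPTION: CRC-32 (zlib) over "<service_name>.<Method>". The page only
    # says the IDs are CRC-derived from the admin namespace.
    return zlib.crc32(f"{service}.{name}".encode()) & 0xFFFFFFFF


def build_id_table(names):
    table = {}
    for name in names:
        mid = method_id(name)
        if mid in table:  # refuse to start with an ambiguous dispatch table
            raise ValueError(f"method id collision: {name} vs {table[mid]}")
        table[mid] = name
    return table


ID_TO_NAME = build_id_table(ADMIN_METHODS)


def encode_frame(name, body):
    # ASSUMPTION: little-endian u32 fields; length counts the body bytes only.
    return struct.pack("<II", len(body), method_id(name)) + body


def decode_frame(buf):
    """Return (method, body, consumed), or None when more bytes are needed."""
    if len(buf) < 8:
        return None
    length, mid = struct.unpack_from("<II", buf, 0)
    if length > MAX_BODY:  # checked before waiting for or buffering the body
        raise ValueError("declared length exceeds cap")
    if mid not in ID_TO_NAME:
        raise ValueError(f"unknown admin method id 0x{mid:08x}")
    if len(buf) < 8 + length:
        return None
    return ID_TO_NAME[mid], bytes(buf[8:8 + length]), 8 + length
```
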
