Overview

The supported external contract is /api/v1.

Use it for:

• API key exchange and rotation
• Custom domain management
• Programmatic URL creation with custom slugs
• Tenant-scoped analytics and usage pulls
• Webhook management

Do not build new integrations against legacy /api/** routes. Those routes remain internal and can use different auth assumptions.

Tenant model

Each API key belongs to exactly one organization.

• acme.com and example.io should live under the same customer organization when they are managed by the same tenant admin team.
• Every public API read and write is scoped by organizationId from the exchanged bearer token.
• Object IDs from another tenant return 404 or 403 based on the route policy.

Workflow split

Use dashboard settings for:

• Custom domain onboarding and verification
• API key create, rotate, and revoke workflows
• Day-to-day tenant-scoped operational setup

Use the partner dashboard for:

• Billing and admin controls
• Governance and support review
• API key inventory, traffic review, and audit visibility

Use the public API for:

• Most end-user URL creation
• Custom slug assignment on approved domains
• Pulling traffic, error, and latency data into vendor systems
• Webhook automation

Rate limiting

Public API limits are centralized and Redis-backed.

• Token exchange: 10/min
• Read endpoints: 120/min
• Write endpoints: 60/min
• Usage endpoints: 30/min

Every limited route returns:

• X-RateLimit-Limit
• X-RateLimit-Remaining
• X-RateLimit-Reset
• Retry-After on 429