version90 DEVELOPERS

REST API

Plain REST. Boring on purpose.

JSON in, JSON out. UUIDs for ids, ISO-8601 timestamps, multipart for file uploads, standard status codes. Every endpoint below links to a full reference with request parameters, response shapes and error semantics; the machine-readable OpenAPI spec is served live at https://app.version90.com/docs.

the shape of every call
curl "https://app.version90.com/api/v1/" \
  -H "Authorization: Bearer $V90_TOKEN" \
  -H "Content-Type: application/json"   # JSON bodies; uploads use multipart -F

Reference

Authentication

Every request carries Authorization: Bearer v90_<secret>. Mint tokens in Settings → API tokens (admin). A token acts as its creator — same organization, same role, same per-user AI limits — and dies with their membership or on revocation. Store it like a password; we store only its hash.

The one hard rule

Tokens never modify document content. The five document-mutating endpoints (tracked edits, review apply, revisions apply, clause insert, suggestion apply) are therefore undocumented here and return 403 api_token_forbidden for token auth. Uploading new documents is ingestion, not editing — allowed and encouraged.

Errors

Errors are {"detail": …} — a string for simple cases, an object with a code for ones you should branch on:

  • 401 — bad, expired, or revoked token.
  • 402 allowance_exhausted — a plan allowance ran out (production only); the body includes the full usage meter.
  • 403 api_token_forbidden — a token hit a document-editing endpoint.
  • 403 user_ai_limit / user_ai_blocked — an admin capped the token creator's AI usage.
  • 403 insufficient_permissions — the creator's role doesn't allow it.
  • 409 duplicate_content — byte-identical document exists; resend with duplicate_action=retain to keep both.
  • 422 — validation failure; body says exactly what.

Async operations

Uploads and AI runs return immediately and process in the background (usually seconds). The pattern everywhere: the POST returns a resource with a status field — poll its GET until ready/complete (or failed, with an error). No webhooks yet — they're on the roadmap; tell us if you need them sooner.