REST API
Plain REST. Boring on purpose.
JSON in, JSON out. UUIDs for ids, ISO-8601 timestamps, multipart for file uploads,
standard status codes. Every endpoint below links to a full reference with request
parameters, response shapes and error semantics; the machine-readable OpenAPI spec is
served live at https://app.version90.com/docs.
curl "https://app.version90.com/api/v1/" \ -H "Authorization: Bearer $V90_TOKEN" \ -H "Content-Type: application/json" # JSON bodies; uploads use multipart -F
Reference
Contract Archive
Upload executed agreements, search on extracted facts, read full extractions (key terms, clauses, risks), download originals.
POST /archive · GET /archive · GET /archive/{id} · download · reanalyze · DELETE
Full reference →
Contracts & documents
Workspaces, upload-first batch creation, document uploads with idempotency, immutable version chains, tracked-change listing.
GET/POST /workspaces · POST /uploads/batch · documents · versions · revisions
Full reference →
AI
Run grounded reviews, read findings with verified citations and extracted metadata, explain any tracked change in whole-document context.
POST /analyze · GET /analysis · POST /changes:explain
Full reference →
Account
The always-visible usage meter and API token management.
GET /usage · POST/GET/DELETE /api-tokens
Full reference →
Authentication
Every request carries Authorization: Bearer v90_<secret>.
Mint tokens in Settings → API tokens (admin). A token acts as its
creator — same organization, same role, same per-user AI limits — and dies with their
membership or on revocation. Store it like a password; we store only its hash.
The one hard rule
Tokens never modify document content. The five document-mutating endpoints (tracked
edits, review apply, revisions apply, clause insert, suggestion apply) are therefore
undocumented here and return
403 api_token_forbidden for token auth.
Uploading new documents is ingestion, not editing — allowed and encouraged.
Errors
Errors are {"detail": …} — a string for
simple cases, an object with a code for ones
you should branch on:
401— bad, expired, or revoked token.402 allowance_exhausted— a plan allowance ran out (production only); the body includes the full usage meter.403 api_token_forbidden— a token hit a document-editing endpoint.403 user_ai_limit / user_ai_blocked— an admin capped the token creator's AI usage.403 insufficient_permissions— the creator's role doesn't allow it.409 duplicate_content— byte-identical document exists; resend withduplicate_action=retainto keep both.422— validation failure; body says exactly what.
Async operations
Uploads and AI runs return immediately and process in the background (usually seconds).
The pattern everywhere: the POST returns a resource with a
status field — poll its GET until
ready/complete
(or failed, with an error).
No webhooks yet — they're on the roadmap; tell us if you need them sooner.