REST API reference
Authenticate, submit a check, and read findings.
In beta. The public /v1 API is available to beta participants — email support@preflightdocs.com to request access (include your workspace name; enablement is same-day).
Authentication
Every request carries an API key (pfk_…, created in your workspace) as a bearer token:
curl -X POST https://api.preflightdocs.com/v1/checks \ -H "Authorization: Bearer pfk_…" \ -F file=@statement.pdf
Endpoints
POST /v1/checks— Submit a PDF or AFP for a check (multipart `file`). Returns the check id + status.GET /v1/checks/{id}— Retrieve a check: status, the deterministic findings, and module results.POST /v1/batches— Submit a batch of documents for a regression-diff run.GET /v1/batches/{id}— Retrieve a batch + its per-candidate findings + the diff.GET /v1/usage— Current-period usage, included-pool limits, and cost per check.POST /v1/webhooks— Register a signed webhook endpoint; rotate its secret at /v1/webhooks/{id}/rotate-secret.GET /v1/openapi.json— The full OpenAPI 3.1 contract — generate a typed client in any language.
Conventions
- Versioned at
/v1; described by OpenAPI 3.1 (/v1/openapi.json). - Rate limited per API key (token bucket; the plan sets the sustained rate).
X-RateLimit-*+Retry-Afterheaders. - Webhooks are signed (HMAC-SHA256), retried, and idempotent (
Preflight-Event-Id). - Standard errors — every failure returns
{ error: { code, message, documentation_url } }. - Findings are deterministic + carry a versioned rule trail (the same evidence the app shows). Regulatory thresholds are advisory/attested, not a legal ruling.