The shipped HTTP surface — chat, documents, config, webhooks. Auth via X-API-Key.
VeriCite exposes a versioned HTTP API under `/api/v1/`. Every request authenticates with an `X-API-Key` header carrying a public (`pk_`) or secret (`sk_`) key minted on the API keys page. This reference documents only the surface that is actually shipped and served by the gateway — chat, documents, config, an improvements export, and webhook management.
What this covers
The endpoints below are the live, gateway-mounted routes. All paths are prefixed with `/api/v1`. Requests are scoped to the tenant that owns the API key — you never pass a tenant id.
Authentication
Send your key on every request. The gateway resolves the tenant from the key; there is no separate tenant parameter.
A pk_ public key or sk_ secret key. Missing or invalid keys return 401 (API key required. Provide X-API-Key header.). Mint and revoke keys on the API keys page.
Public key (`pk_`)prefix
Intended for browser/widget-side use; lower-trust surface.
Secret key (`sk_`)prefix
Server-side, full-trust. Keep out of client bundles.
Chat
post/api/v1/chat/query
post/api/v1/chat/stream
post/api/v1/chat/feedback
get/api/v1/chat/suggestions
get/api/v1/chat/sessions
get/api/v1/chat/sessions/:id
POST /chat/querychat
Ask a question; returns a single cited answer payload.
POST /chat/streamchat
Same as query but streams the answer as server-sent events.
Fetch one document, including its processing state.
GET /documentsdocuments
List documents; also /documents/summary, /documents/reprocess-estimate, and /documents/:id/pipeline for processing detail.
Terminal status is `ready` — A successfully processed document ends at status `ready` — there is no `completed` state. Poll `/documents/:id` (or `/documents/:id/pipeline`) for `ready` rather than waiting on a status string the API never emits. DOCX uploads are accepted at the gateway but rejected by the text-extraction pipeline (only PDF, plain text/Markdown, and images are extractable); convert to a supported format first.
Config
get/api/v1/config/ratelimits
get/api/v1/config/widget
get/api/v1/config/guardrails
GET /config/ratelimitsconfig
Effective per-minute rate limit for your tenant (plan tier plus any override).
GET /config/fallbackconfig
Fallback / escalation configuration.
GET /config/embeddingsconfig
Embedding configuration.
GET /config/widgetconfig
Widget configuration the embed loads.
GET /config/guardrailsconfig
Guardrail configuration. The PUT /config/guardrails save is superadmin-only — tenant keys can read but not write (403).
GET /config/:type/versionsconfig
Version history for a config block.
Improvements export
get/api/v1/improvements/export
`GET /improvements/export` returns the answer-improvement queue for offline review. The same router also serves `GET /improvements`, `GET /improvements/:id`, and `POST /improvements/:id/approve`.
Register a webhook. Requires eventType and url; the gateway generates a signing secret on create.
PATCH /webhooks/:idwebhooks
Update a webhook (e.g. eventType, url, active).
DELETE /webhooks/:idwebhooks
Remove a webhook.
GET /webhooks/:id/deliverieswebhooks
List delivery attempts for a webhook.
POST /webhooks/:id/triggerwebhooks
Manually fire a delivery for the webhook.
POST /webhooks/:id/deliveries/:deliveryId/retrywebhooks
Re-attempt a specific past delivery.
Deliveries are HMAC-signed: VeriCite sends an `x-webhook-signature` header (computed from the webhook's secret over the payload) plus `x-webhook-event`, and an SSRF guard rejects internal/private hosts and non-HTTPS URLs at delivery time. Verify the signature on your receiver.
Webhooks do not auto-fan-out — There is no automatic event dispatch. Deliveries fire only when you call `POST /webhooks/:id/trigger` or retry a past delivery — registering a webhook does not subscribe it to a live event stream. Treat the event-name field as metadata: the names offered in the console UI, the schema's documented set, and the set actually emitted do not currently line up.
Rate limits
Limits are per tenant, per minute, by plan tier.
Starterplan
60 requests / minute.
Professionalplan
300 requests / minute.
Enterpriseplan
1000 requests / minute.
Tenant overridebehavior
A configured per-tenant override takes precedence over the plan-tier limit when set.
Exceeding the limitbehavior
Returns 429 with error code RATE_LIMIT_EXCEEDED.
Per-key rate_limit is ignored — The per-key `rate_limit` column has no effect — the gateway enforces only the tenant's plan-tier limit (or the tenant override). Do not rely on setting a limit on an individual key; it is never read at request time.
Not shipped — do not integrate against these
Phantom surface — Some marketing material references endpoints and tools that do not exist in the product. They are not served and will not work.
`/v1/answer` is not a real endpoint — use `POST /api/v1/chat/query`.
There are no official TypeScript, Python, Go, or Ruby SDKs. Call the HTTP API directly.
No Confluence, SharePoint, or Notion connectors ship — ingest sources via `POST /api/v1/documents`.