POST /v1/login sets httpOnly session cookies. For server-to-server calls you can read the access-token cookie and send it as a Bearer credential. See Authentication.
Base URL
Conventions
- Content-Type is
application/jsonunless an endpoint takes a file (then it’smultipart/form-data). - Authentication is cookie-based, or
Authorization: Bearer <token>using the access-token cookie value. See Authentication. - IDs are opaque strings. Many entities are prefixed by type (
usr_for users,cmp_for companies,whk_for webhooks, etc.). - Timestamps are ISO 8601 UTC, e.g.
2026-05-12T09:14:00Z. - Pagination uses
pageandlimitquery params on list endpoints. Paginated responses return apaginationobject —{ page, limit, total, totalPages, hasNext, hasPrev }. There is no top-leveltotaland nohasMore. - Errors use HTTP status codes and a consistent body. See Errors.
Successful responses
Most success responses carrysuccess: true. The key the payload sits under is not uniform — it varies by endpoint. Some endpoints nest data under data, others under a resource name such as wallet, rates, transactions, or chat. Read each endpoint’s reference page for its exact shape; don’t assume a single envelope.
Error responses
Errors use a consistent base shape:message is human-readable. See Errors for status codes, validation error details, and the few endpoints that add an error code field.
Rate limits
Limits are applied per IP viaexpress-rate-limit, with different windows and ceilings per surface. See Rate limits for the exact numbers and the RateLimit-* / Retry-After header semantics.
