API Reference

The PolicifyAI REST API lets you generate and retrieve compliance policies programmatically. Use it to automate policy creation for your clients, embed live policy content in your applications, or integrate into your CI/CD pipeline.

Base URL: https://policifyai.com/api/v1
Agency plan required

Authentication

All API endpoints require a Bearer token in the Authorization header. Two key formats are supported:

pak_live_*: Named API key (recommended)

Create named keys from Dashboard → Agency → API & Webhooks. Each key has configurable scopes (read, write, webhooks) and can optionally be scoped to a single client.

pk_*: Legacy site key (deprecated)

The original embed key. Still supported but will be removed in a future version. Migrate to named API keys.

Authorization: Bearer pak_live_abc123def456...

Endpoints

POST /api/v1/policies/generate

Generate a compliance policy for a client. Policies are generated by AI, scored for quality, and saved to your account.

Request body (JSON)

policy_type (string, required): Policy slug. E.g. privacy-policy, terms-of-service, cookie-policy, data-processing-agreement
jurisdiction (string, required): ISO country / region code. E.g. GB, US-CA, EU, DE, AU
language (string): ISO 639-1 language code (default: en). E.g. de, fr, es, nl
business_name (string): Client business name to embed in the policy.
domain (string): Client website URL, e.g. https://acme.com
industry (string): Industry category, e.g. e-commerce, saas, healthcare
business_type (string): Legal structure, e.g. limited-company, corporation, gmbh

Response

{
  "id": "3f4a9b12-...",
  "policy_type": "privacy-policy",
  "jurisdiction": "GB",
  "language": "en",
  "content": "## Privacy Policy\n\nThis Privacy Policy...",
  "created_at": "2026-05-26T14:30:00.000Z"
}

Example request

curl -X POST https://policifyai.com/api/v1/policies/generate \
  -H "Authorization: Bearer pak_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "policy_type": "privacy-policy",
    "jurisdiction": "GB",
    "language": "en",
    "business_name": "Acme Corp",
    "domain": "https://acme.com",
    "industry": "e-commerce",
    "business_type": "limited-company"
  }'

Embed API

The embed API allows you to fetch live policy content for display on client websites. Responses are cached at the CDN edge for 5 minutes.

GET /api/embed/policy

Fetch a live policy by site key and type. No auth required — use from client-side JS.

Query parameters

siteKey (string, required): Your site key (pk_*) from Dashboard → API & Webhooks.
type (string, required): Policy type slug. Use hub to list all policies.

GET /api/embed/policy?siteKey=pk_abc123&type=privacy-policy

Embed widget (recommended)

For most use cases, use the embed script instead of calling the API directly. It auto-detects the policy type from the page URL and handles rendering.

<!-- Add once in your <head> or at the bottom of <body> -->
<script
  src="https://policifyai.com/embed.js"
  data-site-key="pk_YOUR_KEY"
></script>

<!-- Or force a specific policy type -->
<script
  src="https://policifyai.com/embed.js"
  data-site-key="pk_YOUR_KEY"
  data-policy="privacy-policy"
  data-theme="light"
  data-container="my-policy-div"
></script>

Webhooks

Configure webhooks to receive real-time events when policies are created, updated, or deleted, and when regulatory changes affect your jurisdictions.

Available events

policy.created: Fired when a new policy is generated
policy.updated: Fired when a policy is regenerated or edited
policy.deleted: Fired when a policy is deleted
law.changed: Fired when a regulatory change affects your jurisdictions
client.added: Fired when a new client site is added
client.updated: Fired when a client site is modified

Payload format

{
  "event": "policy.created",
  "policy_id": "3f4a9b12-...",
  "policy_type": "privacy-policy",
  "brand_name": "Acme Corp",
  "jurisdiction": "GB",
  "language": "en",
  "user_id": "user_id_here",
  "timestamp": "2026-05-26T14:30:00.000Z"
}

Signature verification

Every webhook request includes an X-PolicifyAI-Signature header. Verify it to ensure requests are from PolicifyAI:

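// Node.js / Express
const crypto = require('crypto');
const express = require('express');

const app = express();
app.use(express.json()); // populates req.body

app.post('/webhook', (req, res) => {
  const payload = JSON.stringify(req.body);
  const expected = Buffer.from('sha256=' + crypto
    .createHmac('sha256', process.env.WEBHOOK_SECRET)
    .update(payload)
    .digest('hex'));
  const received = Buffer.from(String(req.headers['x-policifyai-signature'] || ''));

  // Compare in constant time; timingSafeEqual throws if the lengths differ
  if (received.length !== expected.length ||
      !crypto.timingSafeEqual(received, expected)) {
    return res.status(401).send('Unauthorized');
  }

  // Process event
  const { event, policy_id } = req.body;
  console.log('Received:', event, policy_id);
  res.status(200).send('ok');
});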
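
An added example, not PolicifyAI's own code: the same signature check as a framework-free function that compares in constant time, then rejects event names outside the list on this page and payloads whose timestamp falls outside a replay window. It assumes the signature covers the body string exactly as received; checkWebhook, sign, the five-minute MAX_AGE_MS and the sample secret are hypothetical names and values.

```javascript
const crypto = require('crypto');

// Event names listed under "Available events" on this page.
const KNOWN_EVENTS = new Set([
  'policy.created', 'policy.updated', 'policy.deleted',
  'law.changed', 'client.added', 'client.updated',
]);
const MAX_AGE_MS = 5 * 60 * 1000; // assumed replay window, not a PolicifyAI value

function sign(body, secret) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
}

// Returns { ok: true, event } or { ok: false, reason }.
function checkWebhook(rawBody, header, secret, now = Date.now()) {
  const expected = Buffer.from(sign(rawBody, secret));
  const received = Buffer.from(String(header || ''));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length ||
      !crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  let event;
  try {
    event = JSON.parse(rawBody); // parse only after the bytes are authenticated
  } catch {
    return { ok: false, reason: 'bad-json' };
  }
  if (!event || !KNOWN_EVENTS.has(event.event)) {
    return { ok: false, reason: 'unknown-event' };
  }
  const sentAt = Date.parse(event.timestamp);
  if (Number.isNaN(sentAt) || Math.abs(now - sentAt) > MAX_AGE_MS) {
    return { ok: false, reason: 'stale' }; // old capture being replayed
  }
  return { ok: true, event };
}

// Constructed sample: a body signed with a made-up secret.
const SECRET = 'constructed-secret';
const SAMPLE_BODY = JSON.stringify({
  event: 'policy.created',
  policy_id: 'constructed-id',
  timestamp: '2026-05-26T14:30:00.000Z',
});
const SAMPLE_SIG = sign(SAMPLE_BODY, SECRET);
const SAMPLE_NOW = Date.parse('2026-05-26T14:31:00.000Z');
```
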

Supported policy types

These are the most common slugs. The full list of 120+ policy types is available in the dashboard policy generator.

privacy-policy
cookie-policy
terms-of-service
terms-and-conditions
data-processing-agreement
imprint
return-policy
refund-policy
disclaimer
acceptable-use-policy
end-user-license-agreement
shipping-policy
ccpa-notice
gdpr-policy
dsar-policy

Jurisdiction codes

Use standard ISO 3166-1 alpha-2 country codes, or ISO 3166-2 for US states. The API supports 180+ jurisdictions.

GB: United Kingdom
US: United States (federal)
US-CA: California (CCPA)
EU: European Union (GDPR)
DE: Germany
FR: France
AU: Australia
CA: Canada
NL: Netherlands
SE: Sweden
NO: Norway
SG: Singapore

Error codes

400 Bad Request: Missing or invalid request parameters
401 Unauthorized: Missing, invalid, or revoked API key
402 Payment Required: Subscription expired or inactive
403 Forbidden: API key lacks required scope, or plan does not include API access
404 Not Found: Policy, client, or resource not found
429 Too Many Requests: Rate limit exceeded — wait and retry
500 Server Error: Internal error — generation may be retried

Support

Need help with the API? Contact us at [email protected] or open a request from your dashboard.