Dashboard
API Reference

API reference

Authentication

The PolicifyAI API uses API key authentication via the Authorization HTTP header. All requests must be made over HTTPS.

API keys

You can generate API keys from Dashboard → Integrations → API keys (agency workspaces: Agency Hub → API & Webhooks). All keys are prefixed with pak_live_. Store keys securely — they are shown in full only once at creation time.

Key format

pak_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Keys are 40+ characters of random hex after the prefix. They do not expire but can be revoked manually at any time.

Using the key

Pass the key as a Bearer token in the Authorization header of every request:

Authorization: Bearer pak_live_your_key_here

cURL example

curl https://policifyai.com/api/v1/policies \
  -H "Authorization: Bearer pak_live_your_key_here" \
  -H "Content-Type: application/json"

JavaScript / TypeScript

const response = await fetch('https://policifyai.com/api/v1/policies', {
  headers: {
    'Authorization': `Bearer ${process.env.POLICIFY_API_KEY}`,
    'Content-Type': 'application/json',
  },
})

Python

import httpx

client = httpx.Client(
    base_url="https://policifyai.com/api/v1",
    headers={"Authorization": f"Bearer {api_key}"},
)
response = client.get("/policies")
⚠️ Never expose your API key in client-side code, browser JavaScript, or public repositories. Use environment variables or a secrets manager.

Scopes

Each API key can be restricted to specific permission scopes. A request that requires a scope not granted to the key returns 403 Forbidden. See available scopes.

Rate limits

The API enforces rate limits per API key:

PlanRequests / minuteRequests / day
Agency Starter605,000
Agency Pro12020,000
Agency Scale300Unlimited

When you exceed the rate limit the API responds with 429 Too Many Requests and a Retry-After header indicating how many seconds to wait.

Rate limit headers

Every response includes rate limit headers:

X-RateLimit-Limit

Maximum requests allowed per minute for your key

X-RateLimit-Remaining

Requests remaining in the current window

X-RateLimit-Reset

Unix timestamp when the window resets

Retry-After

Seconds to wait before retrying (only on 429 responses)

Authentication errors

401

Unauthorized

Missing or malformed Authorization header.

401

Invalid key

The key does not exist or has been revoked.

403

Insufficient scope

The key does not have the required scope for this endpoint.

429

Rate limited

Too many requests. Check the Retry-After header.

💡 Always check the error.code field in the response body for a machine-readable error code alongside the HTTP status.