API reference
Authentication
The PolicifyAI API uses API key authentication via the Authorization HTTP header. All requests must be made over HTTPS.
API keys
You can generate API keys from Dashboard → Integrations → API keys (agency workspaces: Agency Hub → API & Webhooks). All keys are prefixed with pak_live_. Store keys securely — they are shown in full only once at creation time.
Key format
pak_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Keys are 40+ characters of random hex after the prefix. They do not expire but can be revoked manually at any time.
Using the key
Pass the key as a Bearer token in the Authorization header of every request:
Authorization: Bearer pak_live_your_key_here
cURL example
curl https://policifyai.com/api/v1/policies \ -H "Authorization: Bearer pak_live_your_key_here" \ -H "Content-Type: application/json"
JavaScript / TypeScript
const response = await fetch('https://policifyai.com/api/v1/policies', {
headers: {
'Authorization': `Bearer ${process.env.POLICIFY_API_KEY}`,
'Content-Type': 'application/json',
},
})Python
import httpx
client = httpx.Client(
base_url="https://policifyai.com/api/v1",
headers={"Authorization": f"Bearer {api_key}"},
)
response = client.get("/policies")Scopes
Each API key can be restricted to specific permission scopes. A request that requires a scope not granted to the key returns 403 Forbidden. See available scopes.
Rate limits
The API enforces rate limits per API key:
| Plan | Requests / minute | Requests / day |
|---|---|---|
| Agency Starter | 60 | 5,000 |
| Agency Pro | 120 | 20,000 |
| Agency Scale | 300 | Unlimited |
When you exceed the rate limit the API responds with 429 Too Many Requests and a Retry-After header indicating how many seconds to wait.
Rate limit headers
Every response includes rate limit headers:
X-RateLimit-LimitMaximum requests allowed per minute for your key
X-RateLimit-RemainingRequests remaining in the current window
X-RateLimit-ResetUnix timestamp when the window resets
Retry-AfterSeconds to wait before retrying (only on 429 responses)
Authentication errors
Unauthorized
Missing or malformed Authorization header.
Invalid key
The key does not exist or has been revoked.
Insufficient scope
The key does not have the required scope for this endpoint.
Rate limited
Too many requests. Check the Retry-After header.
error.code field in the response body for a machine-readable error code alongside the HTTP status.