API Reference
Every endpoint on the PrivacyFlow public API — health, verify, poll, send — plus rate limiting and credential scoping.
The PrivacyFlow public API is one HTTPS host with four endpoints. Base URL: https://privacyflow.app. All request and response bodies are JSON. Version prefix is /api/v1 (the v1 URL segment is stable; package version may move independently).
| Endpoint | Method | Auth | Returns |
|---|---|---|---|
/api/v1/health | GET | none | {status, version} |
/api/v1/auth/verify | GET | required | {valid, appIds[]} |
/api/v1/messages/poll | GET | required | {messages[], count, queue} |
/api/v1/messages/send | POST | required | {successfulMessages[], failedMessages[], totalAccepted, totalFailed} |
Authentication
Three HTTP header methods, gated by credential type. Read Authentication for the full matrix, or Credentials for how credential types map to dashboard config.
Conventions
- Content type. All
POSTbodies useapplication/json.GETrequests have no body. - Timestamps. All timestamps are epoch milliseconds.
- Message IDs. 32-character lowercase hex generated server-side via
crypto.getRandomValues. - HTTPS only.
Strict-Transport-Securityis set on every response, including errors. - CORS. None. The API is server-to-server only.
- Timeouts. Credential lookups time out at 30 seconds against the key store. HTTP read uses
fetchdefaults.
Common error shape
Every error returns JSON of the form:
{ "error": "human-readable message" }
See Errors & Rate Limits for the full status-code table.
Last updated: