REST API

The Agio Platform exposes REST endpoints for authentication, document generation, webhook ingestion, and static assets. These complement the GraphQL API and Hasura API.

Base URLs

| Environment | Base URL |
|---|---|
| Production | https://api.agiodigital.com |
| Development | https://dev.api.agiodigital.com |

Authentication

Endpoints use one of four authentication methods depending on the context:

JWT Bearer Token

Most user-facing endpoints accept a JWT issued by Auth0. Include it in the Authorization header:

Authorization: Bearer <token>

Browser-based clients can authenticate via an HTTP-only session cookie set by the /auth/token-exchange endpoint. Subsequent requests on the same domain are authenticated automatically.

API Key Header

Server-to-server integrations authenticate with an API key passed in one of two headers:

X-API-Key: <key>

or

x-agio-api-token: <key>

Webhook Signatures

External services (BitGo, Rain, Sumsub) sign their payloads. Each service uses its own verification scheme documented in the Webhooks reference.

Common Headers

| Header | Value | Required |
|---|---|---|
| Content-Type | application/json | For POST/PUT bodies |
| Authorization | Bearer <jwt> | JWT-authenticated endpoints |
| X-API-Key | <key> | API-key-authenticated endpoints |
| Accept | application/json, application/pdf, text/html | Document endpoints (varies) |

Error Response Format

All error responses follow a consistent JSON structure:

```json
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or expired token",
    "statusCode": 401
  }
}
```

| Field | Type | Description |
|---|---|---|
| code | string | Machine-readable error code |
| message | string | Human-readable description |
| statusCode | number | HTTP status code |

Common Error Codes

| Status | Code | Meaning |
|---|---|---|
| 400 | BAD_REQUEST | Malformed request or invalid input |
| 401 | UNAUTHORIZED | Missing or invalid credentials |
| 403 | FORBIDDEN | Valid credentials, insufficient permissions |
| 404 | NOT_FOUND | Resource does not exist |
| 429 | RATE_LIMITED | Too many requests |
| 500 | INTERNAL_ERROR | Unexpected server error |

Rate Limiting

Rate limits are applied per API key or session:

  • Standard: 100 requests/minute
  • Extended: 1,000 requests/minute (by arrangement)
  • Unlimited: Available for enterprise clients

When rate-limited, the API returns 429 Too Many Requests with a Retry-After header indicating how long to wait (in seconds).
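
An added example (not Agio's own client code) of handling the error envelope from Error Response Format together with the 429 / Retry-After behaviour above. The `send` transport callable, the function names, the 60-second cap and the 1-second default wait are assumptions for illustration; the sample responses are constructed.

```python
import json
import time

class ApiError(Exception):
    """One parsed error envelope: {"error": {"code", "message", "statusCode"}}."""
    def __init__(self, code, message, status):
        super().__init__(f"{status} {code}: {message}")
        self.code, self.message, self.status = code, message, status

def parse_error(status, body):
    """Build an ApiError; tolerate bodies that are not the documented envelope."""
    try:
        err = json.loads(body)["error"]
        # Trust the HTTP status line rather than the body's statusCode field.
        return ApiError(str(err["code"]), str(err["message"]), status)
    except (ValueError, KeyError, TypeError):
        return ApiError("UNKNOWN", "unparseable error body", status)

def retry_after_seconds(headers, max_wait=60.0, default=1.0):
    """Read Retry-After (seconds) case-insensitively and clamp it to max_wait."""
    value = {k.lower(): v for k, v in headers.items()}.get("retry-after")
    try:
        seconds = float(value)
    except (TypeError, ValueError):
        return default  # header missing or not a number
    if seconds != seconds or seconds < 0:  # NaN or negative
        return default
    return min(seconds, max_wait)  # a huge value must not stall the caller

def call_with_retry(send, max_attempts=3, sleep=time.sleep):
    """send() -> (status, headers, body). Retries on 429 only, bounded attempts."""
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status == 429 and attempt < max_attempts:
            sleep(retry_after_seconds(headers))
            continue
        if status >= 400:
            raise parse_error(status, body)
        return body

def demo():
    """Constructed responses: one 429 with Retry-After, then a success."""
    responses = iter([
        (429, {"Retry-After": "2"}, '{"error":{"code":"RATE_LIMITED","message":"Too many requests","statusCode":429}}'),
        (200, {}, '{"ok": true}'),
    ])
    waits = []
    body = call_with_retry(lambda: next(responses), sleep=waits.append)
    return body, waits
```

Errors other than 429 are raised immediately, so a 401 or 403 does not turn into repeated requests with a rejected credential.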

Endpoint Categories
