Authentication & consent

The Compliance Status API v0 uses token-based access.

There is no API key, OAuth flow, or login required for integrators.


How it works

  1. A founder on Klarify (Compass+ plan) creates an investor share link in FundRaise Mode.

  2. The link contains a cryptographically random token.

  3. Anyone who holds the token can call:

    GET /api/v1/compliance-status/{token}
  4. The token expires after 7 days (configurable by the founder at creation time).

  5. The founder can revoke the token at any time from FundRaise Mode.

The token is the credential. Treat it like a password-protected share link.


Consent model

PrincipleDetail
Founder initiatesOnly organisation owners create share links
Explicit sharingFounders copy the API URL and send it to investors or paste it into application forms
Time-boundDefault expiry: 7 days
RevocableDELETE via dashboard revokes both human view and API access
No PII beyond company nameResponses exclude founder email, team roster, documents, and CRM notes

Processing basis (NDPA): founder-initiated sharing for business due diligence.


What integrators should do

  • Store tokens securely — do not log full tokens in plain text
  • Do not scrape — respect the 60 req/min rate limit
  • Display the disclaimer — every response includes data.disclaimer; show it in your UI
  • Do not imply regulator endorsement — use language like “self-reported compliance snapshot”

v1 (coming soon)

Flagship enterprise partners will receive partner API keys (Authorization: Bearer pk_live_…) and an OAuth-style founder consent screen:

“Authorize {Accelerator Name} to view my compliance status”

v0 requires a per-startup token from each founder. v1 enables portfolio-level queries at scale.


Security notes

  • Tokens are scoped to a single organisation
  • Cross-org access is not possible with a valid token
  • Rate limiting: 60 requests per minute per IP per token
  • API host: api.klarify.africa (TLS required)