Authentication & consent
The Compliance Status API v0 uses token-based access.
There is no API key, OAuth flow, or login required for integrators.
How it works
-
A founder on Klarify (Compass+ plan) creates an investor share link in FundRaise Mode.
-
The link contains a cryptographically random token.
-
Anyone who holds the token can call:
GET /api/v1/compliance-status/{token} -
The token expires after 7 days (configurable by the founder at creation time).
-
The founder can revoke the token at any time from FundRaise Mode.
The token is the credential. Treat it like a password-protected share link.
Consent model
| Principle | Detail |
|---|---|
| Founder initiates | Only organisation owners create share links |
| Explicit sharing | Founders copy the API URL and send it to investors or paste it into application forms |
| Time-bound | Default expiry: 7 days |
| Revocable | DELETE via dashboard revokes both human view and API access |
| No PII beyond company name | Responses exclude founder email, team roster, documents, and CRM notes |
Processing basis (NDPA): founder-initiated sharing for business due diligence.
What integrators should do
- Store tokens securely — do not log full tokens in plain text
- Do not scrape — respect the 60 req/min rate limit
- Display the disclaimer — every response includes
data.disclaimer; show it in your UI - Do not imply regulator endorsement — use language like “self-reported compliance snapshot”
v1 (coming soon)
Flagship enterprise partners will receive partner API keys (Authorization: Bearer pk_live_…) and an OAuth-style founder consent screen:
“Authorize {Accelerator Name} to view my compliance status”
v0 requires a per-startup token from each founder. v1 enables portfolio-level queries at scale.
Security notes
- Tokens are scoped to a single organisation
- Cross-org access is not possible with a valid token
- Rate limiting: 60 requests per minute per IP per token
- API host:
api.klarify.africa(TLS required)

