API reference
All 50 endpoints, grouped by purpose. Guides lead; this is the reference.
Complete endpoint reference for the COHESION Judgment Independence Score API. If you are just starting, read the guides first. The reference is here for when you need the exact wire shape.
Base URL: https://api.cohesionauth.com. All endpoints return JSON. Every response includes request_id and timestamp.
Meta
| Endpoint | Auth | Purpose |
|---|---|---|
| GET / | none | Health check |
| GET /v1 | none | API self-describe |
Scoring
All scoring endpoints authenticate via X-API-Key: ck_live_<26-char> (the per-org key issued at signup or via key rotation).
| Endpoint | Auth | Purpose |
|---|---|---|
| POST /v1/score | per-org key | Score one interaction |
| POST /v1/score/batch | per-org key | Score up to 100 interactions |
| POST /v1/score/{session_id}/commit | per-org key | Finalize a provisional score (2026-04-23 additive) |
| GET /v1/operator/:operator_id/profile | per-org key | Operator judgment profile |
| GET /v1/organization/dashboard | per-org key | Org aggregate dashboard |
| POST /v1/maintenance/recommend | per-org key | Intervention recommendation |
| GET /v1/compliance/report | per-org key | Persisted Article 14 report |
Admin (per-org self-serve)
These endpoints authenticate via the org’s own X-API-Key. Every action is audit-logged to the org’s own audit_log.
| Endpoint | Auth | Purpose |
|---|---|---|
| POST /v1/admin/key/rotate | per-org key | Self-serve key rotation (returns new key once) |
| POST /v1/admin/key/revoke | per-org key | Self-serve key revocation (active=0) |
| GET /v1/admin/audit-log | per-org key | Own-org audit events |
| GET /v1/admin/audit-log/export | per-org key | NDJSON streaming export, own-org |
| POST /v1/admin/webhook/register | per-org key | Register webhook destination |
| GET /v1/admin/webhook/list | per-org key | List registered webhooks |
| DELETE /v1/admin/webhook/{id} | per-org key | Remove webhook destination |
Admin (master-key — added 2026-05-02)
Nine endpoints added in the 2026-05-02 additive authorization bundle. These authenticate via the endpoint’s OWN scoped Cloudflare Secret (MASTER_ADMIN_KEY_*) — NOT the per-org X-API-Key. Each handler reads ONLY its scope’s secret per defense-in-depth (D15). Layer 2 rate limit bypassed; Layer 1 per-IP enforced. No X-RateLimit-Limit header on these endpoints (avoids leaking the bypass).
Caller split:
- payment-worker (Stripe self-serve onboarding) holds 4 secrets and can call the first 4 endpoints below
- admin-worker (internal admin dashboard) holds 5 secrets and can call the last 5 endpoints below
- scoring-api validates all 9 master keys (it is the validator side of the contract)
- Cross-worker compromise blast radius is bounded per endpoint
- Global uniqueness invariant: every active and previous value across all MASTER_ADMIN_KEY_* scopes (and across both workers’ rotation lists) MUST be globally unique. Provisioning verifies uniqueness BEFORE running wrangler secret put. Duplicate values across scopes collapse the per-endpoint authorization model and are a deploy-blocking misconfiguration.
| Endpoint | Caller | Scoped key | Purpose |
|---|---|---|---|
| POST /v1/admin/org/create | payment-worker | MASTER_ADMIN_KEY_ORG_CREATE | Provision new org + mint first key (Stripe checkout success) |
| POST /v1/admin/billing/org/{org_id}/suspend | payment-worker | MASTER_ADMIN_KEY_BILLING_SUSPEND | Quota cross / cancel / refund / dispute (active=0) |
| POST /v1/admin/billing/org/{org_id}/rotate | payment-worker | MASTER_ADMIN_KEY_BILLING_ROTATE | Subscription reactivation (mints NEW key, returned once) |
| GET /v1/admin/org/{org_id}/usage | payment-worker | MASTER_ADMIN_KEY_ORG_USAGE_READ | 5-min quota poll (interaction count + tier limit + utilization) |
| POST /v1/admin/org/{org_id}/suspend | admin-worker | MASTER_ADMIN_KEY_ORG_SUSPEND | Manual suspend (Peyton-initiated) |
| POST /v1/admin/org/{org_id}/reactivate | admin-worker | MASTER_ADMIN_KEY_ORG_REACTIVATE | Manual reactivate |
| POST /v1/admin/org/{org_id}/force-rotate | admin-worker | MASTER_ADMIN_KEY_ORG_FORCE_ROTATE | Manual key rotation (suspected compromise; returns new key once) |
| POST /v1/admin/org/{org_id}/force-revoke | admin-worker | MASTER_ADMIN_KEY_ORG_FORCE_REVOKE | Manual revoke |
| POST /v1/admin/alerts/{alert_id}/ack | admin-worker | MASTER_ADMIN_KEY_ALERT_ACK | Acknowledge alert |
Idempotency contract: the 8 mutating endpoints accept an Idempotency-Key: <stripe-event-id-or-uuid> header. Replays return the cached envelope (sanitized — plaintext keys are NEVER cached; replays of org/create, billing/rotate, or force-rotate return the key prefix + already_provisioned: true only, and the original caller had ONE chance to capture the plaintext from the first response). The composite primary key on admin_action_idempotency is (endpoint, idempotency_key) per Codex P1-16, which prevents cross-endpoint replay where an idempotency key used for one endpoint could be replayed against another.
Read endpoint exemption: GET /v1/admin/org/{org_id}/usage is read-only and skips the idempotency cache.
Postman collection: the new “Admin (master-key)” folder in api/postman/cohesion-api.postman_collection.json covers all 9 endpoints with sample requests + responses. Set scope-specific {{master_admin_key_*}} env variables (NOT {{api_key}}) to avoid sending a per-org key to a master-auth endpoint.
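The validator side of the master-key contract described in this section (one scoped secret per endpoint, the global uniqueness check run before provisioning, and the (endpoint, idempotency_key) cache with sanitized replays), as an added Node.js example; this is not the scoring-api's code, and the endpoint-to-scope map, the env binding shape, the eight-character key prefix and all function names are assumptions.

```javascript
// Each master-key endpoint maps to exactly ONE secret scope (D15): a handler reads that
// scope's secret and nothing else, so a key minted for one endpoint cannot authorize another.
// Only two of the nine endpoints are listed here (assumed mapping, not the project's table).
const ENDPOINT_SCOPE = {
  "POST /v1/admin/org/create": "MASTER_ADMIN_KEY_ORG_CREATE",
  "POST /v1/admin/org/{org_id}/force-rotate": "MASTER_ADMIN_KEY_ORG_FORCE_ROTATE",
};
// Constant-time comparison: a mismatch must not reveal how many leading characters matched.
// Inside a Worker, crypto.subtle.timingSafeEqual does this natively; this is a portable stand-in.
function secretsMatch(presented, expected) {
  if (typeof presented !== "string" || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}
// env models the worker's secret bindings (assumed shape); only this endpoint's scope is read.
function authorizeMasterKey(endpoint, presentedKey, env) {
  const scope = ENDPOINT_SCOPE[endpoint];
  if (!scope) return false;
  const expected = env[scope];
  return typeof expected === "string" && secretsMatch(presentedKey, expected);
}
// Global uniqueness invariant, checked before any secret is provisioned: every active and
// previous value across all scopes must be distinct. Returns the offending values (empty = OK).
function findDuplicateSecrets(rotationLists) {
  const seen = new Map(); // value -> first scope it appeared in
  const dupes = [];
  for (const [scope, values] of Object.entries(rotationLists)) {
    for (const v of values) {
      if (seen.has(v)) dupes.push({ value: v, scopes: [seen.get(v), scope] });
      else seen.set(v, scope);
    }
  }
  return dupes;
}
// Idempotency cache keyed on (endpoint, idempotency_key), never on the key alone, so a key
// captured from one endpoint cannot be replayed against another. The cached envelope is
// sanitized: the plaintext api_key is dropped and only a prefix + already_provisioned remain.
const idempotencyStore = new Map();
function sanitize(envelope) {
  const { api_key, ...rest } = envelope;
  return api_key ? { ...rest, key_prefix: api_key.slice(0, 8), already_provisioned: true } : rest;
}
function recordIdempotent(endpoint, idemKey, envelope) {
  const composite = JSON.stringify([endpoint, idemKey]);
  if (idempotencyStore.has(composite)) return { replay: true, body: idempotencyStore.get(composite) };
  idempotencyStore.set(composite, sanitize(envelope));
  return { replay: false, body: envelope }; // first caller gets the plaintext exactly once
}
```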
Public demo
| Endpoint | Auth | Purpose |
|---|---|---|
| POST /assessments | IP-rate-limited | Submit a public demo run |
| GET /assessments/:sessionId | public | Retrieve a shared demo run |
Interactive playground
All endpoints can be called from the playground with your own API key.
Error shape
Uniform K8 v2 envelope:
```json
{
  "error": {
    "code": "VALIDATION_FAILED",
    "message": "modification_extent must be between 0.0 and 1.0",
    "request_id": "req_01H...",
    "timestamp": "2026-04-22T18:22:10.432Z"
  }
}
```
See the full error catalog.