API Reference
Firm API
Firm profile, settings, API keys, webhooks, and users
Endpoints in this group
- GET /v1/firm/me
- PATCH /v1/firm/me/settings
- GET /v1/firm/me/settings
- GET /v1/firm/me/stats
- GET /v1/firm/me/backup-status
- GET /v1/firm/me/api-keys
- POST /v1/firm/me/api-keys
- DELETE /v1/firm/me/api-keys/{keyId}
- GET /v1/firm/me/webhooks
- POST /v1/firm/me/webhooks
- DELETE /v1/firm/me/webhooks/{id}
- GET /v1/firm/me/users
- POST /v1/firm/me/users
- POST /v1/firm/me/users/{id}
- DELETE /v1/firm/me/users/{id}
- GET /v1/firm/me/document-types
- POST /v1/firm/me/document-types
- PATCH /v1/firm/me/document-types/{slug}

GET /v1/firm/me
Get current firm details
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| id | string | No | |
| name | string | No | |
| frnNumber | string | No | |
| plan | string | No | One of: LEDGER, PRINCIPAL, BOTH |
| createdAt | string (date-time) | No | |
| settings | FirmSettings | No | |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me" \
-H "X-Bedrock-Key: bk_live_your_api_key"

PATCH /v1/firm/me/settings
Update firm settings
Toggle firm-level controls. Currently supports the impact-assessment enforcement gate; more settings will be added here rather than scattered across new endpoints. Compliance-relevant changes emit a FIRM_SETTINGS_UPDATED ledger event carrying the field-level diff and the authenticated actor (user or API key). No-op writes (where the incoming value already matches the stored value) are ignored — nothing is written to the database and no ledger record is emitted.
Request body
| Field | Type | Req | Description |
|---|---|---|---|
| biasWarningThreshold | number | No | Bias score at which a warning is raised |
| biasAlertThreshold | number | No | Bias score at which an alert is raised |
| biasAbsoluteRejectionThreshold | number | No | Bias score at which automatic rejection occurs |
| cdRejectionRateWarningThreshold | number | No | Consumer Duty rejection rate warning threshold |
| cdRejectionRateAlertThreshold | number | No | Consumer Duty rejection rate alert threshold |
| cdSlaComplianceWarningThreshold | number | No | Consumer Duty SLA compliance warning threshold |
| cdSlaComplianceAlertThreshold | number | No | Consumer Duty SLA compliance alert threshold |
| cdReadCompletionWarningThreshold | number | No | Consumer Duty read-completion warning threshold |
| enforceImpactAssessments | boolean | No | When true, jobs submitted with aiContext.model are gated on a matching APPROVED impact assessment |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| biasWarningThreshold | number | No | Bias score at which a warning is raised |
| biasAlertThreshold | number | No | Bias score at which an alert is raised |
| biasAbsoluteRejectionThreshold | number | No | Bias score at which automatic rejection occurs |
| cdRejectionRateWarningThreshold | number | No | Consumer Duty rejection rate warning threshold |
| cdRejectionRateAlertThreshold | number | No | Consumer Duty rejection rate alert threshold |
| cdSlaComplianceWarningThreshold | number | No | Consumer Duty SLA compliance warning threshold |
| cdSlaComplianceAlertThreshold | number | No | Consumer Duty SLA compliance alert threshold |
| cdReadCompletionWarningThreshold | number | No | Consumer Duty read-completion warning threshold |
| enforceImpactAssessments | boolean | No | When true, jobs submitted with aiContext.model are gated on a matching APPROVED impact assessment |
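Because no-op writes are dropped and every real change lands in the ledger with a field-level diff, it helps to compute that diff client-side before sending the PATCH. The following is an added example, not Bedrock's code: the field names come from the tables above, while the `{"from", "to"}` diff shape, the function names and the review rule for switching off `enforceImpactAssessments` are assumptions made for illustration.

```python
# Added example, not Bedrock's code. Field names come from the tables above;
# the {"from", "to"} diff shape and the review rule are assumptions.
SETTINGS_FIELDS = frozenset({
    "biasWarningThreshold", "biasAlertThreshold", "biasAbsoluteRejectionThreshold",
    "cdRejectionRateWarningThreshold", "cdRejectionRateAlertThreshold",
    "cdSlaComplianceWarningThreshold", "cdSlaComplianceAlertThreshold",
    "cdReadCompletionWarningThreshold", "enforceImpactAssessments",
})


def _same(old, new):
    # JSON has no int/float split, so 0 == 0.0, but True must not equal 1.
    if isinstance(old, bool) or isinstance(new, bool):
        return old is new
    return old == new


def plan_settings_patch(current, desired):
    """Compare GET /settings output with the intended values before PATCHing."""
    unknown = sorted(set(desired) - SETTINGS_FIELDS)
    if unknown:
        raise ValueError(f"not a documented settings field: {unknown}")
    diff = {
        field: {"from": current.get(field), "to": new}
        for field, new in desired.items()
        if not _same(current.get(field), new)
    }
    review = []
    if diff.get("enforceImpactAssessments", {}).get("to") is False:
        review.append("enforceImpactAssessments: disables the impact-assessment gate")
    return {
        "body": {field: change["to"] for field, change in diff.items()},
        "expect_ledger_event": bool(diff),  # empty diff means a no-op write
        "diff": diff,
        "review": review,
    }


# Constructed sample values, not real firm settings.
CURRENT = {"biasWarningThreshold": 0.2, "biasAlertThreshold": 0.4,
           "enforceImpactAssessments": True}
NOOP = plan_settings_patch(CURRENT, {"biasWarningThreshold": 0.2})
CHANGE = plan_settings_patch(
    CURRENT, {"biasAlertThreshold": 0.5, "enforceImpactAssessments": False})
```

Send only `body`, and compare `diff` with the FIRM_SETTINGS_UPDATED record afterwards to confirm the change was attributed to the expected actor.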
Example request
curl -X PATCH "https://api.bedrockcompliance.co.uk/v1/firm/me/settings" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"biasWarningThreshold": 0,
"biasAlertThreshold": 0,
"biasAbsoluteRejectionThreshold": 0,
"cdRejectionRateWarningThreshold": 0,
"cdRejectionRateAlertThreshold": 0,
"cdSlaComplianceWarningThreshold": 0,
"cdSlaComplianceAlertThreshold": 0,
"cdReadCompletionWarningThreshold": 0,
"enforceImpactAssessments": true
}'

GET /v1/firm/me/settings
Get firm settings
Returns the current firm settings including bias thresholds, Consumer Duty thresholds, and impact-assessment enforcement.
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| biasWarningThreshold | number | No | Bias score at which a warning is raised |
| biasAlertThreshold | number | No | Bias score at which an alert is raised |
| biasAbsoluteRejectionThreshold | number | No | Bias score at which automatic rejection occurs |
| cdRejectionRateWarningThreshold | number | No | Consumer Duty rejection rate warning threshold |
| cdRejectionRateAlertThreshold | number | No | Consumer Duty rejection rate alert threshold |
| cdSlaComplianceWarningThreshold | number | No | Consumer Duty SLA compliance warning threshold |
| cdSlaComplianceAlertThreshold | number | No | Consumer Duty SLA compliance alert threshold |
| cdReadCompletionWarningThreshold | number | No | Consumer Duty read-completion warning threshold |
| enforceImpactAssessments | boolean | No | When true, jobs submitted with aiContext.model are gated on a matching APPROVED impact assessment |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/settings" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/stats
Get current firm statistics
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| recordCount | integer | No | |
| certificateCount | integer | No | |
| jobCount | integer | No | |
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/stats" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/backup-status
Get immutable backup status for the firm
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| healthy | boolean | No | |
| database | object | No | |
| immutableStorage | object | No | |
| countsMatch | boolean | No | |
| latestRecord | object \| null | No | |
| spotChecks | object[] | No | |
| checkedAt | string (date-time) | No | |
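A monitoring job can turn this response into alerts by checking the top-level flags and the age of `checkedAt`. The following is an added example, not Bedrock's code: it uses only the top-level fields listed above, and the 24-hour freshness limit, the function name and the sample payloads are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Added example, not Bedrock's code. The 24-hour freshness limit is an assumption.
MAX_AGE = timedelta(hours=24)


def evaluate_backup_status(status, now, max_age=MAX_AGE):
    """Return a list of findings for one GET /v1/firm/me/backup-status body."""
    findings = []
    # Require literal true: a missing or null flag must not read as healthy.
    if status.get("healthy") is not True:
        findings.append("healthy is not true")
    if status.get("countsMatch") is not True:
        findings.append("countsMatch is not true")
    if status.get("latestRecord") is None:
        findings.append("latestRecord is null: confirm the firm really has no records")
    raw = status.get("checkedAt")
    try:
        checked = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
        if checked.tzinfo is None:
            checked = checked.replace(tzinfo=timezone.utc)
    except ValueError:
        findings.append(f"checkedAt is missing or unparseable: {raw!r}")
    else:
        # A green result that is days old says nothing about the backup today.
        if now - checked > max_age:
            findings.append(f"checkedAt is stale: {raw}")
    return findings


# Constructed sample payloads; `now` must be timezone-aware.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
GOOD = {"healthy": True, "countsMatch": True, "latestRecord": {},
        "spotChecks": [], "checkedAt": "2025-01-10T11:30:00Z"}
BAD = {"healthy": True, "countsMatch": False, "latestRecord": None,
       "spotChecks": [], "checkedAt": "2025-01-07T09:00:00Z"}
```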
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/backup-status" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/api-keys
List API keys for the authenticated firm
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/api-keys" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/api-keys
Generate a new API key
Request body
| Field | Type | Req | Description |
|---|---|---|---|
| name | string | Yes | Name/label for the API key |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| id | string | No | |
| key | string | No | The full API key — only returned at creation time |
| name | string | No | |
| createdAt | string (date-time) | No | |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/api-keys" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"name": "<name>"
}'

DELETE /v1/firm/me/api-keys/{keyId}
Revoke an API key
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
| keyId | path | string | Yes | API key ID |
Responses
Example request
curl -X DELETE "https://api.bedrockcompliance.co.uk/v1/firm/me/api-keys/<keyId>" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/webhooks
List webhook endpoints for the authenticated firm
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/webhooks" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/webhooks
Register a webhook endpoint
Request body
| Field | Type | Req | Description |
|---|---|---|---|
| url | string (uri) | Yes | |
| events | string[] | Yes | Event types to subscribe to |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| id | string | No | |
| firmId | string | No | |
| url | string (uri) | No | |
| secret | string | No | HMAC secret used to sign deliveries to this endpoint. Returned in full from the create endpoint and on subsequent list calls — store it carefully. |
| events | string[] | No | Subscribed webhook event names. Only events on this list are delivered. |
| isActive | boolean | No | Set to false by `DELETE /v1/firm/me/webhooks/{id}`. Inactive endpoints stay on the row but receive no further deliveries. |
| createdAt | string (date-time) | No | |
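Since the list call returns each `secret` in full, any script that logs or stores webhook listings has to mask that field first. The following is an added example, not Bedrock's code: it assumes the list response is a JSON array of objects shaped like the create response above, and the function names, finding texts and sample data are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Added example, not Bedrock's code. Assumes the list call returns a JSON array
# of objects shaped like the create response above.


def redact_webhook(endpoint):
    """Copy of the endpoint that is safe to log: the HMAC secret is masked."""
    safe = dict(endpoint)
    if "secret" in safe:
        safe["secret"] = "[REDACTED]"
    return safe


def audit_webhooks(endpoints):
    """Return (id, finding) pairs for active endpoints worth a second look."""
    findings = []
    for ep in endpoints:
        if ep.get("isActive") is False:
            continue  # deactivated rows receive no further deliveries
        url = urlsplit(ep.get("url", ""))
        if url.scheme != "https":
            findings.append((ep.get("id"), "deliveries are not sent over HTTPS"))
        if url.username or url.password:
            findings.append((ep.get("id"), "credentials embedded in the URL"))
        if not ep.get("events"):
            findings.append((ep.get("id"), "active but subscribed to no events"))
    return findings


def log_line(endpoints):
    """Serialise a listing for logs with every secret masked."""
    return json.dumps([redact_webhook(ep) for ep in endpoints], sort_keys=True)


# Constructed sample data; ids, URLs and secrets are made up.
SAMPLE = [
    {"id": "wh_1", "url": "https://hooks.example.com/bedrock", "secret": "s3cr3t-one",
     "events": ["<event>"], "isActive": True},
    {"id": "wh_2", "url": "http://hooks.example.com/old", "secret": "s3cr3t-two",
     "events": [], "isActive": True},
    {"id": "wh_3", "url": "http://legacy.example.com", "secret": "s3cr3t-three",
     "events": [], "isActive": False},
]
```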
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/webhooks" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"url": "https://example.com",
"events": ["<event>"]
}'

DELETE /v1/firm/me/webhooks/{id}
Deactivate a webhook endpoint
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
| id | path | string | Yes | Webhook ID |
Responses
Example request
curl -X DELETE "https://api.bedrockcompliance.co.uk/v1/firm/me/webhooks/<id>" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/users
List users for the firm
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/users" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/users
Invite a user to the firm
Request body
| Field | Type | Req | Description |
|---|---|---|---|
| name | string | Yes | |
| email | string (email) | Yes | |
| fcaRef | string | Yes | FCA individual reference number |
| qualifications | string[] | No | |
| role | string | No | One of: FIRM_ADMIN, REVIEWER, LEAD_REVIEWER |
| specialistVulnerability | boolean | No | Set to true to mark this user as an FG21/1 specialist who is allowed to handle jobs carrying vulnerability flags. Defaults to false. |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| id | string | No | |
| name | string | No | |
| email | string (email) | No | |
| fcaRef | string \| null | No | |
| qualifications | string[] | No | Professional qualifications used by the routing engine. |
| role | string | No | One of: FIRM_ADMIN, REVIEWER, LEAD_REVIEWER |
| isAvailable | boolean | No | |
| specialistVulnerability | boolean | No | FCA FG21/1 specialist flag. Reviewers with this flag set (along with LEAD_REVIEWER and FIRM_ADMIN) are eligible to handle jobs carrying any vulnerability flags. |
| invitedAt | string (date-time) | No | |
| activatedAt | string (date-time) \| null | No | |
| deactivatedAt | string (date-time) \| null | No | |
| activeJobId | string \| null | No | |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/users" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"name": "<name>",
"email": "<email>",
"fcaRef": "<fcaRef>",
"qualifications": [],
"role": "<role>",
"specialistVulnerability": true
}'

POST /v1/firm/me/users/{id}
Update a user
Toggle the FG21/1 specialist flag on a user, or change their role. Specialist-flag updates accept either credential; role changes require a JWT-authenticated FIRM_ADMIN (API keys cannot promote users — passing a `role` field with an API-key credential returns 403 FORBIDDEN).
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
| id | path | string | Yes | User ID |
Request body
| Field | Type | Req | Description |
|---|---|---|---|
| specialistVulnerability | boolean | No | FG21/1 specialist flag. Reviewers with this flag (along with LEAD_REVIEWER and FIRM_ADMIN) are eligible to handle jobs with vulnerability flags. |
| role | string | No | Only firm admins authenticated as users (not API keys) can change roles. One of: FIRM_ADMIN, REVIEWER, LEAD_REVIEWER |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| id | string | No | |
| name | string | No | |
| email | string (email) | No | |
| fcaRef | string \| null | No | |
| qualifications | string[] | No | Professional qualifications used by the routing engine. |
| role | string | No | One of: FIRM_ADMIN, REVIEWER, LEAD_REVIEWER |
| isAvailable | boolean | No | |
| specialistVulnerability | boolean | No | FCA FG21/1 specialist flag. Reviewers with this flag set (along with LEAD_REVIEWER and FIRM_ADMIN) are eligible to handle jobs carrying any vulnerability flags. |
| invitedAt | string (date-time) | No | |
| activatedAt | string (date-time) \| null | No | |
| deactivatedAt | string (date-time) \| null | No | |
| activeJobId | string \| null | No | |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/users/<id>" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"specialistVulnerability": true
}'

DELETE /v1/firm/me/users/{id}
Deactivate a user
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
| id | path | string | Yes | User ID |
Responses
Example request
curl -X DELETE "https://api.bedrockcompliance.co.uk/v1/firm/me/users/<id>" \
-H "X-Bedrock-Key: bk_live_your_api_key"

GET /v1/firm/me/document-types
List all document types for the firm
Returns all document types (platform defaults and custom) with their checklist items. Use the slug when submitting review jobs.
Responses
Example request
curl -X GET "https://api.bedrockcompliance.co.uk/v1/firm/me/document-types" \
-H "X-Bedrock-Key: bk_live_your_api_key"

POST /v1/firm/me/document-types
Create a custom document type
Request body
| Field | Type | Req | Description |
|---|---|---|---|
| slug | string | Yes | Unique identifier, uppercase with underscores (e.g. PENSION_TRANSFER) |
| name | string | Yes | Display name |
| checklistItems | string[] | Yes | Review checklist items (at least one required) |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| id | string | No | |
| firmId | string | No | |
| slug | string | No | Unique identifier used in API payloads (e.g. SUITABILITY_REPORT) |
| name | string | No | Display name (e.g. Suitability Report) |
| checklistItems | string[] | No | Review checklist items for this document type |
| createdAt | string (date-time) | No | |
| updatedAt | string (date-time) | No | |
Example request
curl -X POST "https://api.bedrockcompliance.co.uk/v1/firm/me/document-types" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"slug": "<slug>",
"name": "<name>",
"checklistItems": ["<checklistItem>"]
}'

PATCH /v1/firm/me/document-types/{slug}
Update a document type
Update the name and/or checklist items for a document type.
Parameters
| Parameter | In | Type | Req | Description |
|---|---|---|---|---|
| slug | path | string | Yes | Document type slug |
Request body
| Field | Type | Req | Description |
|---|---|---|---|
| name | string | No | Updated display name |
| checklistItems | string[] | No | Updated checklist items |
Responses
| Field | Type | Req | Description |
|---|---|---|---|
| id | string | No | |
| firmId | string | No | |
| slug | string | No | Unique identifier used in API payloads (e.g. SUITABILITY_REPORT) |
| name | string | No | Display name (e.g. Suitability Report) |
| checklistItems | string[] | No | Review checklist items for this document type |
| createdAt | string (date-time) | No | |
| updatedAt | string (date-time) | No | |
Example request
curl -X PATCH "https://api.bedrockcompliance.co.uk/v1/firm/me/document-types/<slug>" \
-H "X-Bedrock-Key: bk_live_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"name": "<name>",
"checklistItems": []
}'