Skip to main content

API Overview

Retrieva provides a RESTful API for all operations. All endpoints are prefixed with /api/v1.

Base URL

Development: http://localhost:3007/api/v1
Production:  https://your-domain.com/api/v1

Authentication

Most endpoints require authentication via JWT tokens.

Token Format

Include the access token in cookies (preferred) or Authorization header:

# Cookie (set automatically on login)
Cookie: accessToken=eyJhbGciOiJIUzI1NiIs...

# Or Authorization header
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Workspace Header

Protected endpoints require the workspace ID:

X-Workspace-Id: 507f1f77bcf86cd799439011

Response Format

Success Response

{
  "status": "success",
  "message": "Operation completed successfully",
  "data": {
    // Response payload
  }
}

Error Response

{
  "status": "error",
  "message": "Error description",
  "error": {
    "code": "VALIDATION_ERROR",
    "details": ["field is required"]
  }
}

Common HTTP Status Codes

CodeDescription
200Success
201Created
400Bad Request - Validation error
401Unauthorized - Invalid/missing token
403Forbidden - Insufficient permissions
404Not Found
429Too Many Requests - Rate limited
500Internal Server Error

API Endpoints Summary

RAG

MethodEndpointDescription
POST/ragAsk a question
POST/rag/streamAsk with SSE streaming

Conversations

MethodEndpointDescription
GET/conversationsList conversations
POST/conversationsCreate conversation
GET/conversations/:idGet conversation
PATCH/conversations/:idUpdate conversation
DELETE/conversations/:idDelete conversation
POST/conversations/:id/askAsk in conversation

Authentication

MethodEndpointDescription
POST/auth/registerRegister user
POST/auth/loginLogin
POST/auth/logoutLogout
POST/auth/refreshRefresh access token
GET/auth/meGet current user
POST/auth/forgot-passwordRequest password reset email
POST/auth/reset-passwordReset password with token
POST/auth/verify-emailVerify email address with token
POST/auth/resend-verificationResend email verification link

Workspaces (Vendor Registry)

MethodEndpointDescription
GET/workspacesList workspaces for the current user / org
POST/workspacesCreate a new vendor workspace
GET/workspaces/:idGet workspace details
PATCH/workspaces/:idUpdate vendor profile (tier, country, contracts, certs)
DELETE/workspaces/:idDelete workspace
POST/workspaces/:id/membersAdd workspace member
DELETE/workspaces/:id/members/:userIdRemove workspace member
GET/workspaces/roi-exportDownload EBA DORA Art. 28(3) RoI XLSX workbook

Assessments

MethodEndpointDescription
GET/assessmentsList assessments for a workspace
POST/assessmentsCreate assessment and upload vendor documents
GET/assessments/:idGet assessment details and gap results
DELETE/assessments/:idDelete assessment
GET/assessments/:id/reportDownload Word (.docx) compliance report

Questionnaires

MethodEndpointDescription
GET/questionnairesList questionnaires for a workspace
POST/questionnairesCreate and send a vendor questionnaire
GET/questionnaires/:idGet questionnaire with scoring results
PATCH/questionnaires/:idUpdate questionnaire
DELETE/questionnaires/:idDelete questionnaire

Organizations

MethodEndpointDescription
POST/organizationsCreate a new organization (first-time onboarding)
GET/organizations/meGet current user's organization
PATCH/organizations/:idUpdate organization
POST/organizations/:id/inviteInvite a team member (sends email with /join link)
GET/organizations/:id/membersList organization members
PATCH/organizations/:id/members/:memberIdChange member role
DELETE/organizations/:id/members/:memberIdRevoke membership

Analytics

MethodEndpointDescription
GET/analytics/queriesQuery analytics
GET/analytics/usageUsage statistics
GET/analytics/sourcesSource statistics

MCP Data Sources

MethodEndpointDescription
POST/mcp-sourcesRegister a new MCP data source
GET/mcp-sourcesList all MCP sources for the workspace
GET/mcp-sources/:idGet a single MCP source
PATCH/mcp-sources/:idUpdate connection settings
DELETE/mcp-sources/:idRemove source and its indexed documents
POST/mcp-sources/test-connectionTest connectivity without persisting
POST/mcp-sources/:id/syncTrigger a sync job
GET/mcp-sources/:id/statsDocument counts and sync stats

Compliance (DORA Articles)

MethodEndpointDescription
GET/compliance/domainsList all DORA domains with article counts
GET/compliance/articlesList articles, filter by domain or chapter
GET/compliance/articles/:articleGet a single article with full regulatory text

Data Sources (File / URL / Confluence)

MethodEndpointDescription
POST/data-sourcesCreate a data source (file upload or JSON)
GET/data-sourcesList data sources for a workspace
GET/data-sources/:idGet a single data source
POST/data-sources/:id/syncTrigger a re-sync
DELETE/data-sources/:idDelete source and soft-delete indexed documents

Health Check

GET /health

Returns service health status:

{
  "status": "success",
  "message": "Service is healthy",
  "data": {
    "status": "up",
    "timestamp": "2024-01-01T00:00:00.000Z",
    "uptime": 123.456
  }
}

Rate Limiting

EndpointLimit
General100 requests/minute
Auth10 requests/15 minutes
RAG20 requests/minute
Sync5 requests/hour

Rate limit headers are included in responses:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1704067200

Pagination

List endpoints support pagination:

GET /conversations?page=1&limit=20

Response includes pagination metadata:

{
  "status": "success",
  "data": {
    "items": [...],
    "pagination": {
      "page": 1,
      "limit": 20,
      "total": 150,
      "pages": 8
    }
  }
}

Filtering & Sorting

# Filter by status
GET /conversations?status=active

# Sort by field
GET /conversations?sort=-createdAt  # Descending
GET /conversations?sort=createdAt   # Ascending

CORS

The API supports CORS for configured origins:

Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Workspace-Id