Platform Foundation

API Platform

Versioned REST API with idempotency keys, standard error envelopes, pagination, rate limiting, and a webhook firehose for every data event.

Why this matters for enterprise procurement

Enterprise BPOs run integrations — payroll exports, WFM forecast feeds, CCaaS webhooks, BI tools. FrontLine ships a versioned public API as a first-class product, not an afterthought. Every endpoint follows the same contract rules, every mutation accepts an idempotency key, and every data event can be subscribed to via webhook.

How it's implemented

Versioned, documented, and treated as a first-class product

All endpoints sit under `/api/v1/` with semantic versioning and a deprecation policy. Mutations require an `Idempotency-Key` header — repeated requests with the same key return the same result. Errors return a standard envelope with `code`, `message`, `request_id`, and structured `details`. Pagination uses cursor-based tokens for stable iteration. Rate limits are tenant-scoped and surfaced via `X-RateLimit-*` headers. Webhooks are signed with HMAC-SHA256, retried with exponential backoff, and replayable from a cursor.
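A receiver-side check for the HMAC-SHA256 signed, replay-protected webhooks described above, as an added example that is not FrontLine's code. The header names, the signing string (`event_id.timestamp.body`) and the 300-second freshness window are assumptions, since this page does not specify them.

```python
import hashlib
import hmac
import time


def sign(secret, event_id, timestamp, body):
    """Hex HMAC-SHA256 over b"<event_id>.<timestamp>.<raw body>" (assumed format)."""
    msg = event_id.encode() + b"." + timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret, tolerance=300):
        self.secret = secret
        self.tolerance = tolerance  # assumed window in seconds
        self.seen = set()  # processed event ids; use a shared store with a TTL in production

    def verify(self, headers, body, now=None):
        """Return "ok", or the reason this delivery must not be processed."""
        now = time.time() if now is None else now
        ts = headers.get("X-Webhook-Timestamp", "")      # hypothetical header name
        sig = headers.get("X-Webhook-Signature", "")     # hypothetical header name
        event_id = headers.get("X-Webhook-Event-Id", "")  # hypothetical header name
        if not (ts.isascii() and ts.isdigit() and sig and event_id):
            return "malformed"
        # Authenticate first, over the raw request bytes, with a constant-time compare.
        expected = sign(self.secret, event_id, ts, body)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "bad_signature"
        if abs(now - int(ts)) > self.tolerance:
            return "stale"
        # A retried delivery of an event already handled: acknowledge, do not reprocess.
        if event_id in self.seen:
            return "duplicate"
        self.seen.add(event_id)
        return "ok"


if __name__ == "__main__":
    # Constructed sample delivery; the secret and payload are made up for the demo.
    secret, body, ts = b"constructed-secret", b'{"type":"schedule.published"}', "1700000000"
    headers = {"X-Webhook-Event-Id": "evt_1", "X-Webhook-Timestamp": ts,
               "X-Webhook-Signature": sign(secret, "evt_1", ts, body)}
    verifier = WebhookVerifier(secret)
    print(verifier.verify(headers, body, now=1700000010))
    print(verifier.verify(headers, body, now=1700000020))
```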

Capabilities

What's covered out of the box

  • Versioned `/api/v1/` namespace with deprecation policy
  • Idempotency keys on every mutation
  • Standardized error envelope across all endpoints
  • Cursor-based pagination
  • Per-tenant rate limiting with header signals
  • OpenAPI 3.1 spec auto-generated from the route registry
  • HMAC-signed webhook firehose for every data event
  • OAuth 2.0 client credentials for machine-to-machine access

Standards & compliance

Audit-ready artifacts your reviewers can lean on

  • OpenAPI 3.1 published spec available to all customers
  • Semantic versioning with 12-month deprecation notice
  • Signed webhooks (HMAC-SHA256) with replay protection
  • SOC 2 Type II — change management for API contracts

Procurement FAQ

What security and compliance reviewers actually ask

Is there a published API spec?
Yes. An OpenAPI 3.1 spec is auto-generated from the route registry and available to customers. The spec is the source of truth for our client SDKs and customer integrations.

How do you handle breaking changes?
Breaking changes go in a new major version (e.g., `/api/v2/`). The previous version is supported for at least 12 months with a documented deprecation timeline.

Can we subscribe to data events?
Yes. The webhook firehose delivers every domain event (employee change, schedule publish, QA evaluation, audit event, etc.) to your endpoint with HMAC signing and replay-from-cursor support.

What are the rate limits?
Default limits are tenant-scoped and surfaced via standard `X-RateLimit-Limit` / `X-RateLimit-Remaining` headers. Enterprise plans can negotiate higher limits and burst windows.

Run this past your security team

We share security overviews, RLS policy DDL, audit-event schemas, and SOC 2 progress on request. Book a 30-minute security review with the founders.
