business plan and above (see
Plans & Editions).
Base URL
| Environment | Base URL |
|---|---|
| Alforse Cloud | https://api.alforse.com/api/v1 |
| Enterprise self-hosted | https://api.your-company.example/api/v1 |
POST /contracts means
POST https://api.alforse.com/api/v1/contracts.
Tenant-scoped API access
Public API access is tenant-scoped — see Tenants & Data Boundaries: All documented endpoints require either a public auth flow or a tenant access token (scope: "tenant"). Tenant tokens carry tenantId, roleCode, and subjectScope claims and
cannot be reused across organizations.
Start with Authentication.
Request format
- All request bodies are JSON (
Content-Type: application/json), up to 16 MB. - Every DTO is validated with
whitelistandforbidNonWhitelistedenabled: fields that aren’t part of the documented request body cause a400 Bad Requestinstead of being silently dropped. Double-check field names if you get an unexpected 400. - Query parameters on list endpoints are validated the same way as bodies.
Pagination
List endpoints share one convention:1-indexed page number.
Items per page, maximum
200.Errors
Most framework-level errors use the NestJS default shape:message is either a string or an array of validation messages (one per invalid field) for
400 responses from a DTO validation failure.
Domain errors can also include a stable business code:
error.code for product-specific handling.
See Errors & Codes for the complete public reference.
Health check
GET /health is unauthenticated and safe to poll for uptime monitoring:
status is "degraded" if either database is unreachable.