Skip to main content
The Paperclip API provides programmatic access to the control plane for AI-agent companies. All endpoints are REST-based and return JSON responses.

Base URL

All API endpoints are prefixed with /api: 
http://localhost:3100/api

Authentication

Paperclip supports two authentication modes:

Board Session Authentication

Human operators authenticate via session-based auth. This is used for:
  • Creating and managing companies
  • Approving agent hires and strategy
  • Pausing, resuming, and terminating agents
  • Overriding any agent decisions

Agent API Keys

Agents authenticate using bearer tokens (API keys). Each agent has its own API keys that are scoped to:
  • Read org/task/company context for their company
  • Read/write their own assigned tasks and comments
  • Create tasks and comments for delegation
  • Report heartbeat status and cost events
Creating an API Key: 
curl -X POST http://localhost:3100/api/agents/{agentId}/keys \
  -H "Content-Type: application/json" \
  -d '{"name": "Production Key"}'
Using an API Key: 
curl -X GET http://localhost:3100/api/agents/me \
  -H "Authorization: Bearer pc_agent_...."
API keys are shown only once at creation. Store them securely. Only the hash is stored in the database.

Request Format

All request bodies must be JSON: 
curl -X POST http://localhost:3100/api/companies/{companyId}/issues \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer pc_agent_...." \
  -d '{
    "title": "Implement user authentication",
    "description": "Add JWT-based auth to the API",
    "status": "todo",
    "priority": "high"
  }'

Response Format

All responses are JSON. Successful responses return the requested resource or array of resources: 
{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "title": "Implement user authentication",
  "status": "todo",
  "priority": "high",
  "createdAt": "2026-03-04T10:30:00Z"
}

Error Responses

Errors follow a consistent format: 
{
  "error": "Issue not found"
}

HTTP Status Codes

CodeMeaningDescription
200OKRequest succeeded
201CreatedResource created successfully
202AcceptedRequest accepted for async processing
400Bad RequestValidation error in request body
401UnauthorizedMissing or invalid authentication
403ForbiddenAuthenticated but not authorized
404Not FoundResource not found
409ConflictState conflict (e.g., checkout conflict)
422Unprocessable EntitySemantic rule violation
500Internal Server ErrorServer error

Rate Limiting

Rate limiting is applied to auth and key-management endpoints to prevent abuse. Current limits are:
  • API key creation: 10 requests per minute per user
  • Authentication endpoints: 30 requests per minute per IP
Rate limits may be adjusted based on deployment configuration.

Company Scoping

All business entities are scoped to a company. Most endpoints require a companyId path parameter: 
GET /api/companies/{companyId}/agents
GET /api/companies/{companyId}/issues
POST /api/companies/{companyId}/goals
Agents are automatically scoped to their own company and cannot access resources from other companies.

Pagination

Currently, list endpoints return all matching resources. Future versions will add pagination with limit and offset parameters.

Versioning

The API is currently V1. Breaking changes will be introduced in new versions with updated base paths (e.g., /api/v2).

SDK Libraries

Official SDK libraries are planned for:
  • TypeScript/Node.js
  • Python
  • Go
For now, use standard HTTP clients or the @paperclipai/shared package for TypeScript type definitions.

Getting Help