APIs that read like a manual.
REST, webhooks, SDKs, and tenant-aware auth — everything you need to wire compliance into your stack.
Quickstart
Five minutes from key to first event.
POST /v1/consent (curl)
curl https://api.asiri.ng/v1/consent \
-H "Authorization: Bearer $ASIRI_KEY" \
-H "Content-Type: application/json" \
-d '{
"subjectId": "usr_018f...",
"purpose": "marketing.email",
"granted": true,
"evidence": { "ip": "102.89.11.4", "ua": "Mozilla/5.0" }
}'
Response 201
HTTP/1.1 201 Created
Content-Type: application/json
{
"id": "cns_01HX9K2T3M4P7Q8R9S0",
"subjectId": "usr_018f...",
"purpose": "marketing.email",
"granted": true,
"recordedAt": "2026-05-03T09:14:22.103Z",
"ledgerHash": "sha256:9f2c…b41",
"version": 17
}
REST
Endpoints you’ll touch on day one.
| Method | Path | Description |
|---|---|---|
| POST | /v1/consent | Record a consent event from any client. |
| GET | /v1/consent/:subjectId | Pull the full consent ledger for a subject. |
| POST | /v1/dsr | Open a DSR programmatically (e.g. from your support tool). |
| GET | /v1/audit | Stream the audit log — paginated and signed. |
| POST | /v1/breach | File a breach incident from your alerting system. |
Headers
One Authorization, one signature — that’s it.
The same headers apply to every REST endpoint. Webhooks add a signature you must verify before trusting the body. Anything not listed is safely ignored.
| Header | Status | Description | Example |
|---|---|---|---|
| Authorization | Required | Bearer token. Tenant-scoped API key or OAuth 2.0 access token. | Bearer sk_live_018f9b… |
| Content-Type | Required | Always application/json for write endpoints. | application/json |
| Idempotency-Key | Optional | ULID/UUID. Safe to retry POSTs — duplicate keys return the original response for 24h. | 01HX9K2T3M4P7Q8R9S0 |
| Asiri-Tenant | Optional | Override the tenant for multi-tenant keys (admin / DPCO portfolios). | ten_018f9b… |
| Asiri-Version | Optional | Pin a date-based API version. Defaults to your account version. | 2026-04-01 |
Webhooks
What we send when things happen.
Every webhook is signed with HMAC-SHA256, retried with exponential backoff for 24 hours, and eventually moved to a dead-letter queue you can inspect from the dashboard.
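An added example (not Asiri's own code or SDK) of the check a receiver runs before trusting a webhook body, using the `t=<unix-ts>,v1=<hex>` shape of the `Asiri-Signature` header in the sample delivery. It assumes the signed message is `<t>.<raw body>` keyed with a per-endpoint webhook secret and a 300-second freshness window, neither of which this page specifies; the function names are hypothetical.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not state one


def parse_signature_header(header):
    """Split 't=<unix-ts>,v1=<hex>' into (timestamp, [v1 signatures])."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isascii() and value.isdigit():
            timestamp = int(value)
        elif key == "v1" and value:
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(raw_body, header, secret, now=None):
    """Return True only if the signature matches and the timestamp is fresh.

    ASSUMPTION: the signed message is b"<t>." + raw_body, keyed with the
    endpoint's webhook secret. Confirm the exact construction in the
    vendor's documentation before relying on it.
    """
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not signatures:
        return False  # malformed or missing header: reject outright
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated delivery: treat as a replay
    # Sign the raw bytes as received, before any JSON parsing or re-encoding.
    signed = str(timestamp).encode() + b"." + raw_body
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison on bytes; also safe for non-ASCII header input.
    return any(hmac.compare_digest(expected, s.lower().encode()) for s in signatures)


def sign_for_test(raw_body, secret, timestamp):
    """Build a header under the assumed scheme (for constructed sample data)."""
    signed = str(timestamp).encode() + b"." + raw_body
    digest = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"
```

Because deliveries are retried for 24 hours, also record the `Asiri-Delivery` value of each accepted request and skip ones already processed. If retries turn out to reuse the original `t`, the freshness window has to be widened to match.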
Sample payload: dsr.completed
POST /your-endpoint HTTP/1.1
Host: yourapp.com
Content-Type: application/json
Asiri-Event: dsr.completed
Asiri-Delivery: whk_01HX9K7QF2M3
Asiri-Signature: t=1714728862,v1=8c7e2f…b41
{
"id": "evt_01HX9K7QF2M3",
"type": "dsr.completed",
"createdAt": "2026-05-03T09:14:22.103Z",
"tenantId": "ten_018f9b...",
"data": {
"dsrId": "dsr_01HX9K3F8N1Q",
"subjectId": "usr_018f...",
"type": "access",
"outcome": "fulfilled"
}
}
SDKs & primitives
Wherever your code runs.
JavaScript / TypeScript
Browser, Node, edge runtimes.
iOS (Swift)
Native consent + DSR flows.
Android (Kotlin)
Material 3 banners and ledger sync.
Python
Server-side ingestion and back-office automation.
Webhooks
Signed HMAC payloads with retry + dead-letter.
Auth
Tenant-scoped API keys, OAuth 2.0, and SSO via SAML/OIDC.
Versioning
Date-based versions; deprecation windows ≥ 12 months.