Alloovium

Get Started

Changelog

Material changes to the Alloovium public API. Additive changes land without a version bump — breaking changes never do. Anything that would move a field, remove an endpoint, or change an error code gets its own major version.

Versioning policy

The API is versioned in the URL path (path). We will not remove fields, rename endpoints, or change response shapes inside a major version. New fields, new endpoints, and new optional parameters are additive and land without warning. If you are using a generated SDK, regenerate it after each release to pick up additions.

2026-04-08 — v2 public release

First public release of the v2 API surface and the FastMCP 3.x server built on top of it.

  • count capabilities mounted across vault, chat, workflows, templates, and meta.
  • API key auth with live / test prefixes, Bearer scheme, rotatable without restart.
  • OAuth 2.1 stack: PKCE (S256), Dynamic Client Registration (RFC 7591), Protected Resource Metadata (RFC 9728), Authorization Server metadata (RFC 8414), token revocation (RFC 7009). Read-only capabilities only.
  • RFC 7807 problem-details error envelope on every 4xx/5xx — see Errors.
  • Idempotency keys on every write endpoint, 24-hour cache, 60-second in-progress lock — see Idempotency.
  • Cursor-paginated list endpoints with a stable envelope envelope — see Pagination.
  • Rate limits applied per-tier (free / standard / pro / enterprise) via a token bucket — see Rate Limits.
  • Streamable HTTP MCP server at path exposing all non-multipart capabilities — see MCP Server.
  • Interactive OpenAPI reference at path powered by Scalar.

Known gaps

  • capability is a stub and currently returns code. When it lands it will mirror the v1 SSE event protocol (delta, progress, citation, done).
  • Webhook delivery for asynchronous jobs (document ingestion, workflow runs, template fills) is not yet exposed publicly. Poll the relevant endpoint endpoint in the meantime.
  • OAuth is read-only. Writing capabilities require an API key because their handlers need the full ORM principal — calling one with an OAuth Bearer JWT returns code.

Deprecation policy

When something has to go, we will announce it here with at least 90 days of notice before any behavioural change lands. Deprecated endpoints keep working for the full notice period; they just gain a dep and sunset header so your observability stack can alert on them.

The v1 surface under path is the application's internal API and is not part of the public contract — do not build against it. Use v2 exclusively from third-party code.

See also

  • API Reference — the interactive Scalar reference, always in sync with the running API.
  • Capabilities — browse the full endpoint catalog.