Board Claim
GET inspects a board-ownership claim challenge. POST claims board ownership after a signed-in board user submits the matching code in the request body.
Response Semantics
- Invalid or missing challenge tokens return
404. - Claiming without a board session returns
401. - Expired claim attempts return
409. - A successful claim returns
{ "claimed": true, "userId": "..." }.
CLI Auth
Response Semantics
POST /api/cli-auth/challengesreturns the challenge ID, secret token, board API token, approval path, approval URL when derivable, poll path, expiry, and a suggested poll interval.GET /api/cli-auth/challenges/{id}returns the challenge state plusrequiresSignIn,canApprove, andcurrentUserId.POST /api/cli-auth/challenges/{id}/approvereturns approval status, the user ID that approved it, the board key ID if created, and the challenge expiry.POST /api/cli-auth/challenges/{id}/cancelreturns the cancellation status and whether the challenge was cancelled.GET /api/cli-auth/mereturns the current board principal, its access snapshot, and the active board key ID when the request came from a board key.POST /api/cli-auth/revoke-currentrevokes the current board API key and returns the revoked key ID.
Skills
Response Semantics
GET /api/skills/availablereturns{ "skills": [...] }from the local Claude skills directory plus Paperclip-managed skills.GET /api/skills/indexreturns the curated Paperclip skill index with paths under/api/skills/....GET /api/skills/{skillName}returns the raw Markdown source for a known skill and404for unknown names.
Invites
Response Semantics
- Invite creation returns the invite record plus the plaintext token, invite URL, company name, and onboarding paths/text.
GET /api/invites/{token}returns the current invite summary for a live invite only.GET /api/invites/{token}/onboardingreturns the onboarding manifest as JSON.GET /api/invites/{token}/onboarding.txtreturns the onboarding document as plain text.GET /api/invites/{token}/test-resolutionreturns probe results for the supplied absolute HTTP or HTTPS URL.- Revoke returns the updated invite row after it is marked revoked.
Join Requests
Response Semantics
GET /api/companies/{companyId}/join-requestsreturns filtered join request rows sorted newest-first.- Approve and reject return the updated join request row.
POST /api/join-requests/{requestId}/claim-api-keyreturns the created API key ID, token, agent ID, and creation time.
Members And Admin Access
Response Semantics
- Company member reads return the current member list for the company.
- Permission updates return the updated member record.
- Instance-admin promotion and demotion return the updated admin-state record.
- Instance-admin company-access reads and writes return the user’s current company-access snapshot.
Scope Notes
- Board and agent access checks are enforced in the handlers, not in the docs.
- Some routes accept the local implicit board actor in trusted local deployments.
- Invite and join-request mutations are audited with activity logs in the server.