API Reference
Complete technical reference for GDPR, CCPA, and HIPAA compliance endpoints.
Base URL
https://api.compliable.dev/v1Authentication
All API requests require an API key passed via the Authorization header as a Bearer token. API keys start with the cpbl_ prefix.
Authorization: Bearer cpbl_your_api_key_hereImportant: Never expose your API key in client-side code. All requests should be made from your backend.
Rate Limits
Rate limits apply per API key:
- 10 requests per minute
- 100 requests per hour
When you exceed the rate limit, you'll receive a 429 Too Many Requests response with a Retry-After header.
Quota Limits
Each subscription tier has monthly request quotas. Quota resets on the 1st of each month.
| Tier | Monthly Quota |
|---|---|
| Free | 500 checks |
| Starter | 5,000 checks |
| Pro | 25,000 checks |
| Scale | 100,000 checks |
Size & Token Limits
Request Size Limits
| Item | Limit |
|---|---|
| Request body | 2 MB max |
content field | 1.5 MB max |
scope/context combined | 100 KB max |
Token Limits (by tier)
| Tier | Token Limit |
|---|---|
| Free | 2,000 tokens |
| Starter | 4,000 tokens |
| Pro | 8,000 tokens |
| Scale | 16,000 tokens |
Endpoints
All compliance check endpoints follow the pattern: POST /v1/check/{framework}
| Endpoint | Framework |
|---|---|
| POST /v1/check/gdpr | EU General Data Protection Regulation |
| POST /v1/check/ccpa | California Consumer Privacy Act |
| POST /v1/check/hipaa | Health Insurance Portability and Accountability Act |
Request Format
All endpoints accept the same base structure with framework-specific scope options.
Base Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| content | string | Yes | The text content to analyze (max 1.5MB) |
| scope | object | No | Framework-specific analysis options (see framework sections below) |
| context | object | No | Shared document context across all frameworks |
| context.documentType | string | No | privacy_policy, terms_of_service, cookie_policy, dpa |
| context.industry | string | No | healthcare, finance, saas, ecommerce |
POST
/v1/check/gdpr
GDPR-specific scope options:
| scope.jurisdiction | EU, UK, CH, NO, IS, LI |
| scope.articles | Array of specific GDPR articles to check (e.g., ["13", "14", "15"]) |
| scope.focus | data_controller, lawful_basis, user_rights, data_retention, etc. |
POST
/v1/check/ccpa
CCPA-specific scope options:
| scope.businessType | for-profit, service-provider, third-party |
| scope.categories | right-to-know, right-to-delete, right-to-opt-out, non-discrimination |
| scope.focus | consumer_rights, sale_disclosure, opt_out_mechanisms |
POST
/v1/check/hipaa
HIPAA-specific scope options:
| scope.coveredEntity | Boolean - true if analyzing for covered entity requirements |
| scope.safeguards | administrative, physical, technical |
| scope.focus | privacy_rule, security_rule, breach_notification, patient_rights |
Response Schema
All endpoints return the same response format:
{
"success": true,
"data": {
"checkId": "83f57b8f-e207-4da1-97dd-7c50f95fb35d",
"framework": "gdpr",
"isCompliant": false,
"violationCount": 2,
"violations": [
{
"ruleCode": "GDPR-ART-13-1-A",
"rule": "Article 13(1)(a)",
"severity": "critical",
"description": "Missing data controller information",
"location": "Entire document",
"suggestedFix": "Add data controller name and contact details"
}
],
"processingTimeMs": 1245,
"checkedAt": "2026-04-10T11:25:37.128Z"
}
}Severity Levels
critical— Must fix immediatelyhigh— Should fix soonmedium— Should addresslow— Minor issue
Error Responses
All error responses follow this format:
{
"success": false,
"error": {
"code": "ERROR_CODE",
"message": "Human-readable error message"
}
}Common Errors
| Status | Code | Description |
|---|---|---|
| 400 | INVALID_JSON | Request body is not valid JSON |
| 401 | INVALID_API_KEY | API key is invalid, expired, or missing |
| 403 | QUOTA_EXCEEDED | Monthly quota exceeded |
| 413 | REQUEST_TOO_LARGE | Request body exceeds 2MB limit |
| 413 | CONTENT_TOO_LARGE | Content field exceeds 1.5MB limit |
| 413 | METADATA_TOO_LARGE | Scope/context fields exceed 100KB combined |
| 413 | TOKEN_LIMIT_EXCEEDED | Content exceeds token limit for your tier |
| 429 | RATE_LIMIT_EXCEEDED | Too many requests (10/min or 100/hour) |
| 500 | INTERNAL_SERVER_ERROR | Internal server error |
Best Practices
Error Handling
Always check the success field:
if (!result.success) {
switch (result.error.code) {
case 'TOKEN_LIMIT_EXCEEDED':
// Split content or upgrade plan
break;
case 'QUOTA_EXCEEDED':
// Show upgrade prompt
break;
case 'RATE_LIMIT_EXCEEDED':
// Implement exponential backoff
break;
}
}Rate Limit Handling
async function checkWithRetry(framework, content, scope, context) {
const response = await fetch(`https://api.compliable.dev/v1/check/${framework}`, {
method: 'POST',
headers: {
'Authorization': `Bearer ${apiKey}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({ content, scope, context })
});
if (response.status === 429) {
const retryAfter = parseInt(response.headers.get('Retry-After') || '60');
await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
return checkWithRetry(framework, content, scope, context);
}
return await response.json();
}Changelog
Version 1.0 (April 10, 2026)
- Initial release
- Framework-specific endpoints: /v1/check/gdpr, /v1/check/ccpa, /v1/check/hipaa
- Structured request format with scope and context objects
- Multi-tier token limits and quotas
- Rate limiting (10/min, 100/hour)