API Reference

The Folio AI REST API lets you upload documents, fetch extraction results, manage review queues, and read QuickBooks sync state. Every endpoint your firm staff use in the dashboard is available programmatically with the same JWT authentication.

Base URL & auth

All API calls go to https://api.folioai.ca/v1. Authenticate with a Bearer JWT obtained from POST /auth/login. Tokens expire after 60 minutes; refresh via POST /auth/refresh.

Endpoints

POST /auth/login

Exchange firm credentials for a 60-minute Bearer JWT plus refresh token.

POST /documents

Multipart upload up to 25 MB. Magic-byte validation server-side. Returns document ID.

GET /documents

List documents for the authenticated firm. Supports cursor pagination.

GET /extractions/{id}

Read extracted fields, confidence scores, provider metadata, and raw text.

POST /extractions/{id}/rerun

Re-run extraction with a different provider. Idempotent via Idempotency-Key.

GET /review

List pending review items. Filter by confidence threshold and assignee.

PATCH /review/{id}

Submit approve, reject, or correct decision. Append-only and audit-logged.

GET /assets

Asset register list with CCA class, half-year and AII calculations.

POST /sred/export

Generate T661 CSV export for the requested fiscal period.

GET /integrations/qbo

QuickBooks Online sync status, last-sync timestamp per resource, error log.

DELETE /documents/{id}

Soft-delete a document. Audit-logged. Permanent purge after 30 days.

Conventions

  • JSON request and response bodies (Content-Type: application/json) except multipart uploads.
  • ISO-8601 timestamps in UTC. All money values are minor units (cents) with explicit currency code.
  • Cursor pagination via ?cursor= and ?limit= (max 200).
  • Errors follow RFC 7807 problem-detail JSON with type, title, status, detail.
  • Rate limit: 600 requests/minute per firm. Returns 429 with Retry-After seconds.
  • Idempotency: pass Idempotency-Key on POSTs that create resources to safely retry.

Webhooks

Configure a webhook endpoint in firm settings to receive events as they happen. Each delivery is signed with HMAC-SHA256 in the X-Folio-Signature header.

  • document.uploaded, extraction.completed, extraction.failed
  • review.queued, review.approved, review.rejected
  • qbo.synced, qbo.sync_failed
  • asset.created, asset.disposed
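
A receiver-side check for the X-Folio-Signature header described above, as an added example that is not Folio's own code. It assumes the header carries the hex-encoded HMAC-SHA256 of the raw request body keyed with the webhook secret, and that the event name sits in a "type" field; neither detail is stated on this page, so confirm both against the OpenAPI spec.

```python
import hashlib
import hmac
import json
from typing import Optional

# Event names listed on this page; anything else is dropped after verification.
KNOWN_EVENTS = {
    "document.uploaded", "extraction.completed", "extraction.failed",
    "review.queued", "review.approved", "review.rejected",
    "qbo.synced", "qbo.sync_failed", "asset.created", "asset.disposed",
}


def verify_webhook(secret: bytes, raw_body: bytes,
                   signature_header: Optional[str]) -> Optional[dict]:
    """Return the parsed event if the signature checks out, else None."""
    if not signature_header:
        return None
    # Assumption: signature = hex(HMAC-SHA256(secret, raw body bytes)).
    # Sign the bytes exactly as received, never a re-serialized JSON object.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    supplied = signature_header.strip().lower()
    # Constant-time comparison on bytes, done before the body is parsed.
    if not hmac.compare_digest(expected.encode(), supplied.encode("utf-8")):
        return None
    try:
        event = json.loads(raw_body)
    except ValueError:  # covers malformed JSON and invalid UTF-8
        return None
    # "type" as the event-name field is a hypothetical payload shape.
    if not isinstance(event, dict) or event.get("type") not in KNOWN_EVENTS:
        return None
    return event


if __name__ == "__main__":
    # Constructed sample delivery; secret and payload are not real values.
    secret = b"constructed-test-secret"
    body = b'{"type": "extraction.completed", "id": "evt_constructed"}'
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()
    print(verify_webhook(secret, body, sig))                      # accepted
    print(verify_webhook(secret, body.replace(b"completed", b"failed"), sig))  # tampered
```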

Need an API key or OpenAPI spec?

We share the full OpenAPI 3.1 schema, Postman collection, and sandbox credentials with customers on Professional and above.
