API Reference
All enterprise API endpoints require authentication via JWT bearer token. The base URL is your deployment host (e.g. http://localhost).
Authentication
All requests include a bearer token in the Authorization header:
Authorization: Bearer <access-token>POST /api/auth/login
Authenticate with email and password. Returns access and refresh tokens.
POST /api/auth/login
Content-Type: application/json
{
"email": "user@example.com",
"password": "password"
}
# Response
{
"access_token": "eyJ...",
"refresh_token": "eyJ...",
"token_type": "bearer"
}POST /api/auth/register
Register a new user. The first user becomes admin.
POST /api/auth/register
Content-Type: application/json
{
"email": "user@example.com",
"password": "password",
"name": "User Name"
}POST /api/auth/refresh
Exchange a refresh token for a new access token.
POST /api/auth/refresh
Content-Type: application/json
{
"refresh_token": "eyJ..."
}Teams
GET /api/teams
List all teams the current user belongs to.
POST /api/teams
Create a new team. Requires admin role.
POST /api/teams
Content-Type: application/json
{
"name": "Engineering",
"description": "Engineering team"
}POST /api/teams/:id/members
Add a member to a team.
POST /api/teams/:id/members
Content-Type: application/json
{
"user_id": "uuid",
"role": "member"
}API Keys
GET /api/keys
List all API keys for the current user.
POST /api/keys
Create a new API key.
POST /api/keys
Content-Type: application/json
{
"name": "CI Integration",
"scopes": ["read", "write"]
}
# Response includes the key — store it securely, it won't be shown again
{
"id": "uuid",
"name": "CI Integration",
"key": "vbm_...",
"scopes": ["read", "write"]
}DELETE /api/keys/:id
Revoke an API key.
Webhooks
GET /api/webhooks
List all webhook subscriptions.
POST /api/webhooks
Create a webhook subscription.
POST /api/webhooks
Content-Type: application/json
{
"url": "https://your-server.com/webhook",
"events": [
"transcription.complete",
"transcription.failed",
"recording.created",
"recording.deleted",
"document.uploaded",
"document.processed",
"project.created"
],
"secret": "your-webhook-secret"
}Webhook payloads are signed with the secret using HMAC-SHA256. Verify the X-Webhook-Signature header.
Available Events
| Event | Description |
|---|---|
transcription.complete | A transcription job finished successfully |
transcription.failed | A transcription job failed |
recording.created | A new recording was created |
recording.deleted | A recording was deleted |
document.uploaded | A document was uploaded |
document.processed | A document finished OCR/text extraction |
project.created | A new project was created |
License
GET /api/license/status
Check the current license status. No authentication required.
GET /api/license/status
# Response
{
"valid": true,
"org_name": "Acme Corp",
"seat_count": 100,
"expires_at": "2027-12-31T00:00:00",
"features": "all"
}Admin
GET /api/admin/users
List all users. Requires admin role.
GET /api/admin/audit
Query the audit log. Requires admin role. Supports pagination and filtering.
GET /api/admin/audit?limit=50&offset=0
# Response
{
"items": [
{
"id": "uuid",
"user_id": "uuid",
"action": "POST",
"path": "/api/recordings",
"timestamp": "2026-01-15T10:30:00Z"
}
],
"total": 1234
}System
GET /api/info
Returns system info. No authentication required.
GET /api/info
# Response
{
"name": "Verbatim Studio API",
"version": "1.3.0",
"mode": "enterprise"
}GET /health
Health check endpoint. Returns 200 if the service is running.