Security
How Semarize protects your data, authenticates requests, and enforces access control.
Authentication
All API requests require a Bearer token in the Authorization header. Keys follow the format smz_live_* (production) or smz_test_* (sandbox).
Keys are shown once at creation and cannot be retrieved afterwards. Only a display hint is stored for identification.
Access control
All resources are scoped to a single workspace. Data from one workspace is not accessible from another via the public API.
Role-based access control ensures members only access resources appropriate to their role. Permissions are enforced at the API level for every request.
Encryption
In transit: All API traffic is encrypted via TLS 1.2+. The API only accepts HTTPS connections.
At rest: All data is encrypted at rest. API keys are stored only as a secure hash; the raw key is never stored.
Data handling
Conversation content is processed transiently and not retained beyond your configured retention settings. Run metadata (status, timing, output signals) is stored for your workspace to query.
Webhooks
Webhooks are signed using HMAC and must be verified using your webhook secret. The signature is sent in the Semarize-Signature header.
Webhook endpoints must be HTTPS only and publicly routable. Delivery is at-least-once, so deduplicate on the Semarize-Delivery-Id header.
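A receiver that verifies the signature and then deduplicates on the delivery id, as an added example rather than Semarize's own code. It assumes the signature is the hex-encoded HMAC-SHA256 of the raw request body keyed with the webhook secret (the page does not state the digest or encoding); the secret, body and delivery ids below are constructed sample values.

```python
import hashlib
import hmac

# Assumption (not stated on the page): Semarize-Signature is the hex-encoded
# HMAC-SHA256 of the raw request body, keyed with the webhook secret.
def compute_signature(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, received: str) -> bool:
    expected = compute_signature(secret, body)
    # Constant-time comparison: a plain == leaks timing on the first wrong byte.
    return hmac.compare_digest(expected, received.strip())

class WebhookReceiver:
    def __init__(self, secret: bytes):
        self.secret = secret
        # Seen delivery ids; in production back this with a persistent store
        # (with a TTL) shared across all instances of the receiver.
        self.seen: set[str] = set()

    def handle(self, headers: dict, body: bytes) -> str:
        sig = headers.get("Semarize-Signature")
        delivery_id = headers.get("Semarize-Delivery-Id")
        if sig is None or delivery_id is None:
            return "rejected"  # respond 400
        # Verify over the raw bytes exactly as received; re-serialising the
        # JSON first would change the bytes and break the signature.
        if not verify_signature(self.secret, body, sig):
            return "rejected"  # respond 401
        # Dedupe only after verification so an unsigned request cannot
        # pre-register a delivery id and make the real one look duplicated.
        if delivery_id in self.seen:
            return "duplicate"  # respond 200 without reprocessing
        self.seen.add(delivery_id)
        # ... process the event here ...
        return "processed"  # respond 200

if __name__ == "__main__":
    secret = b"constructed-sample-secret"          # constructed sample value
    body = b'{"type":"run.completed","run_id":"run_123"}'  # constructed sample
    sig = compute_signature(secret, body)
    rx = WebhookReceiver(secret)
    hdrs = {"Semarize-Signature": sig, "Semarize-Delivery-Id": "dlv_1"}
    print(rx.handle(hdrs, body))   # processed
    print(rx.handle(hdrs, body))   # duplicate (at-least-once redelivery)
    bad = {"Semarize-Signature": "00" * 32, "Semarize-Delivery-Id": "dlv_2"}
    print(rx.handle(bad, body))    # rejected
```

Use your framework's case-insensitive header accessor in place of the plain dict lookup shown here.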
Reliability
The POST /v1/runs endpoint accepts an optional Idempotency-Key header for safe retries.
If a request with the same idempotency key is received, the API returns the original run instead of creating a duplicate. This ensures safe retries in unreliable network conditions.
Questions about security?
Contact us for detailed security documentation, compliance information, or custom enterprise requirements.