API

API access for paid document review workflows.

The paid API accepts one file in document or repeated documents fields, analyzes each item, and returns per-file findings, counters, and save status in one JSON response.

AUTHORIZATIONS: Authorization: Bearer <API_KEY> or X-API-Key: <API_KEY>

Access and authentication

Paid callers authenticate with Authorization: Bearer <API_KEY> or X-API-Key. Header-only key transport is required in the production checklist, and the backend enforces both IP-level and user-level rate limiting.

Production behavior

The production runbook requires MySQL over TLS, Redis over TLS, background workers, aligned upload limits, and validation of 429 responses and API-key rotation before go-live.

POST

Analyze uploaded documents

Upload one file with document or multiple files with repeated documents form fields. The backend authenticates the caller, applies per-IP and per-user rate limits, analyzes each file, optionally stores encrypted copies for accounts with secure storage enabled, and returns per-file findings in one JSON response.

The production backend currently exposes this upload endpoint and route aliases only. The previous multi-step submission flow on this page was not accurate and has been removed.

BASE URL https://portal.deltalyth.com

ROUTES /api/analyze-documents /api/analyze-documents/ /api/analyze_documents

REQUEST HEADERS

Authorization required

Send Bearer <API_KEY> in the Authorization header.

X-API-Key alternative

Alternative header accepted by the backend when you do not use the bearer token form.

FORM

Request contract

Use multipart/form-data with a single document field or repeated documents fields. Requests above the configured MAX_FILES_PER_REQUEST limit are rejected, and accounts without remaining scan allowance receive subscription_blocked.

REQUEST BODY

document required

Single uploaded file sent as multipart/form-data.

documents repeatable

Use repeated documents form fields to send multiple files in one request.

file count limit enforced

The backend rejects requests above MAX_FILES_PER_REQUEST. In the production codebase the default is 25.

subscription usage policy

If the account has no remaining paid scan allowance, the endpoint returns 403 subscription_blocked.

GET

Response payload

The API returns aggregate counts plus a results array for each analyzed file. Each item includes status, any backend error code, full flags, triggered flags, and save status.

TOP-LEVEL RESPONSE FIELDS

authenticated_user object

Contains the authenticated id and username.

save_documents_online boolean

Indicates whether encrypted document storage is enabled for the caller account.

file_count, analyzed_count integer

Total analyzed files after expansion and processing.

pdf_analyzed_count, saved_count, unsupported_count, error_count, protected_count, damaged_count integer

Operational counters returned directly by the backend.

results[] array

Per-file analysis entries containing filename, file_type, status, error, message, flags, triggered_flags, admin_rules_matched, admin_rule_ignored_flag_keys, saved_online, and save_error.

ERR

Error handling

The backend returns explicit machine-readable codes for authentication, rate limiting, upload validation, and subscription enforcement.

COMMON ERRORS

401 missing_api_key auth

No API key was provided in Authorization or X-API-Key.

401 invalid_api_key auth

The supplied key could not be matched to an enabled account.

429 rate_limited traffic

Returned for both IP-level and user-level rate limiting. The response also includes a scope value.

400 no_files input

No files were sent in document or documents.

400 too_many_files input

The request exceeded the configured maximum files per request.

403 subscription_blocked policy

The account has no remaining scan allowance for the submitted workload.

OPS

Production notes

The production checklist and runbook require header-only API key transport, production-safe rate-limit settings, MySQL over TLS, Redis over TLS, and background workers for queue processing. Upload size limits must stay aligned between Flask and the reverse proxy.

For go-live readiness, verify 429 rate_limited behavior under burst traffic, confirm old keys are rejected after rotation, and keep MAX_UPLOAD_MB aligned with proxy limits such as client_max_body_size.

POST /api/analyze-documents

Request sample

cURL

Content type multipart/form-data

curl -X POST "https://portal.deltalyth.com/api/analyze-documents" \
+  -H "Authorization: Bearer YOUR_API_KEY" \
+  -F "document=@/path/to/invoice.pdf"

Response sample

JSON

Status 200 OK

{
  "authenticated_user": {
    "id": 7,
    "username": "demo_user"
  },
  "save_documents_online": true,
  "analyzed_count": 1,
  "file_count": 1,
  "pdf_analyzed_count": 1,
  "saved_count": 1,
  "unsupported_count": 0,
  "error_count": 0,
  "protected_count": 0,
  "damaged_count": 0,
  "results": [
    {
      "filename": "file1.pdf",
      "file_type": "pdf",
      "status": "risk",
      "error": null,
      "message": null,
      "saved_online": true,
      "save_error": null,
      "flags": [
        {
          "key": "creation_modification_mismatch",
          "label": "Creation date differs from modified date",
          "description": "CreationDate and ModDate values are not identical.",
          "triggered": true,
          "severity": "risk"
        }
      ],
      "triggered_flags": [
        {
          "key": "creation_modification_mismatch",
          "label": "Creation date differs from modified date",
          "description": "CreationDate and ModDate values are not identical.",
          "triggered": true,
          "severity": "risk"
        }
      ],
      "admin_rules_matched": [],
      "admin_rule_ignored_flag_keys": []
    }
  ]
}