Skip to main content

REST API

Releval's REST API provides a traditional integration path for web-based applications.

OpenAPI specification

You can download the OpenAPI specification from the website.

This specification provides a comprehensive overview of the available endpoints, request/response formats, and authentication requirements.

You can use the OpenAPI specification with tools of your choosing like Insomnia or Postman.

  1. Download the OpenAPI JSON file.
  2. Import the file into your tool of choice, like Insomnia or Postman.
  3. Start making API calls directly from the tool.

API reference

If you'd like to try the REST APIs live in your browser, the API reference allows you to make API calls. You'll need a valid JWT token to do so. Insert the token into the page and click the SEND API REQUEST button:

API example using Bearer token

Authentication

Releval uses Bearer tokens to authorize requests, which are obtained using the OAuth 2.0 Client Credentials Flow, using the client_id and client_secret generated upon creating an app client. Consult the OAuth documentation for steps on how to create tokens.

Releval expects the Bearer token to be included via the HTTP Authorization header in all API requests to the server. When using curl, it looks like the following:

curl -H 'Authorization: Bearer <token>' https://app.releval.co/api/endpoints

Here's an implementation of a DelegatingHandler for C# HTTP clients that can be used to get access tokens on demand when making requests.

// Copyright 2025 Releval
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

using System.Net.Http.Headers;

namespace Releval;

public class OAuth2Handler : DelegatingHandler
{
    private readonly OAuth2TokenService _tokenService;

    public OAuth2Handler(OAuth2TokenService tokenService, HttpMessageHandler innerHandler) : base(innerHandler) =>
    _tokenService = tokenService;

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var token = await _tokenService.GetAccessTokenAsync(cancellationToken).ConfigureAwait(false);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
    }
}

To use this to construct a HTTP client that will automatically apply bearer tokens:

// Copyright 2025 Releval
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

var address = "https://app.releval.co";
var tokenService = new OAuth2TokenService(clientId, clientSecret, $"{address}/oauth2/token");
var handler = new OAuth2Handler(tokenService, new HttpClientHandler());
var client = new HttpClient(handler);

// use the client

Authorization

When creating an app client, a collection of roles are specified that determine what the app client has access to. These roles are encoded within the JSON Web Token (JWT) bearer token, and can be viewed using jwt.io.

Info

In all cases, if an app client does not have permission to do something, you'll get a 403 Forbidden error.

Pagination

Some APIs support pagination. Pagination is performed with a page parameter.

Note

You can change the number of items to be returned with the pageSize parameter. The OpenAPI specification indicates the valid values for each API.

Errors

Releval API uses the following HTTP status codes:

CodeTextDescription
400Bad RequestYour request is malformed in some way. The response usually indicates what's wrong.
401UnauthorizedYour request does not have valid authentication credentials for the operation.
403ForbiddenYour request is not authorized to perform the operation.
404Not FoundThe specified resource was not found
408Request TimeoutYour request was cancelled, typically by you.
409ConflictYour request conflicted with another operation.
429Too Many RequestsYou're making too many requests at once. Slow down!
500Internal Server ErrorWe've got some problem with our service. Please try again later.
503Service UnavailableWe're temporarily offline for maintenance. Please try again later.
504Gateway TimeoutThe deadline expired in which to perform the operation specified by your request.
Info

When API errors occur, it is up to you to retry your request - Releval does not keep track of failed requests.

Error Details

Releval uses RFC 9457 Problem Details to carry machine-readable details of errors in HTTP response content.

A typical example of a general error is:

{
  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.4",
  "title": "Not Found.",
  "status": 404
}

An example of a bad request with validation errors is:

{
  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
  "title": "One or more validation errors occurred.",
  "status": 400,
  "errors": {
    "name": [
      "name is required"
    ]
  }
}

The "errors" field contains an object where the keys indicate which inputs have errors, and the values array for each key describes the errors. Errors not directly related to inputs are keyed against "" in the "errors" object.

Versioning

The Releval API is versioned. A new API version is released when we introduce a backwards-incompatible change to the API. For example, changing a field type or name, or deprecating endpoints.

While we're adding functionality to our API, we won't release a new API version. You'll be able to take advantage of this non-breaking backwards-compatible changes directly on the API version you're currently using.

Releval considers the following changes to be backwards-compatible:

  • Adding new API resources.

  • Adding new optional request parameters to existing API methods.

  • Adding new properties to existing API responses.

  • Changing the order of properties in existing API responses.

  • Changing the length or format of opaque strings such as object IDs, error messages, and other human-readable strings.

Info

Your integration should gracefully handle backwards-compatible changes.