Clients, Projects & Tokens

These endpoints let a client app manage the account-side resources: clients (organizations), projects that belong to a client, and the API tokens used to authenticate. All endpoints accept either a session cookie (__Host-aius_session) or a bearer aius_… token, unless noted. Your identity is derived from the credential — you cannot act on another user’s resources.

Clients (organizations)

A client is an organization that owns projects, billing, and tokens. A default client is created automatically when you register.

List clients

GET /v1/clients
curl https://aius.co/api/v1/clients \
  -H "Authorization: Bearer aius_xxxxxxxx..."
Response 200:
{
  "data": [
    {
      "id": "client_xyz789",
      "name": "Acme Corp",
      "role": "owner",
      "created_at": 1717123456
    }
  ]
}

Create a client

POST /v1/clients
curl -X POST https://aius.co/api/v1/clients \
  -H "Authorization: Bearer aius_xxxxxxxx..." \
  -H "Content-Type: application/json" \
  -d '{"name": "Acme Corp"}'
Response 200:
{
  "id": "client_xyz789",
  "name": "Acme Corp",
  "owner_id": "dev@example.com",
  "created_at": 1717123456
}
The owner is set from your authenticated identity; you do not send owner_id.

Projects

A project belongs to a client. List/create operations are scoped by the client id.

List projects

GET /v1/projects?org_id=<client_id>
The org_id query parameter (the client id) is required.
curl "https://aius.co/api/v1/projects?org_id=client_xyz789" \
  -H "Authorization: Bearer aius_xxxxxxxx..."
Response 200:
{
  "data": [
    {
      "id": "proj_123",
      "org_id": "client_xyz789",
      "name": "Churn analysis",
      "description": "Q3 churn model",
      "created_at": 1717123456,
      "updated_at": 1717123456
    }
  ]
}

Create a project

POST /v1/projects
curl -X POST https://aius.co/api/v1/projects \
  -H "Authorization: Bearer aius_xxxxxxxx..." \
  -H "Content-Type: application/json" \
  -d '{
    "org_id": "client_xyz789",
    "name": "Churn analysis",
    "description": "Q3 churn model"
  }'
Field | Type | Required
org_id | string | Yes — the owning client id
name | string | Yes
description | string | No
Response 200: the created project (same shape as the list item above).

Get a project

GET /v1/projects/{project_id}
curl https://aius.co/api/v1/projects/proj_123 \
  -H "Authorization: Bearer aius_xxxxxxxx..."

Delete a project

DELETE /v1/projects/{project_id}
curl -X DELETE https://aius.co/api/v1/projects/proj_123 \
  -H "Authorization: Bearer aius_xxxxxxxx..."
Response 200: { "deleted": true }
Accessing a project in a client you don’t belong to returns 403 NO_ACCESS; an unknown id returns 404 NOT_FOUND.

Fork a project

Create a point-in-time copy of a project as a brand-new project. The fork duplicates the brief, artifacts, and reports, records its lineage (forked_from_id), and gets an auto-uniqued name (<name> (fork)). The original project is untouched.
POST /v1/projects/{project_id}/fork
curl -X POST https://aius.co/api/v1/projects/proj_123/fork \
  -H "Authorization: Bearer aius_xxxxxxxx..."
Response 200: the new project, e.g. { "id": "proj_456", "name": "Churn model (fork)", "forked_from_id": "proj_123", ... }

Tokens

API tokens are the aius_… credentials you use as bearer tokens. Minting requires a session (cookie), not a bearer token. Listing and revoking also require a session.

Mint a token

POST /v1/tokens
See Authentication › Mint an API token for the full flow. Briefly:
curl -X POST https://aius.co/api/v1/tokens \
  -H "Content-Type: application/json" \
  --cookie "__Host-aius_session=eyJ..." \
  -d '{"token_name": "my-cli"}'
Response 200:
{
  "id": 42,
  "client_id": "dev@example.com",
  "token_name": "my-cli",
  "token": "aius_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "created_at": 1717123999
}

List tokens

GET /v1/tokens
curl https://aius.co/api/v1/tokens \
  --cookie "__Host-aius_session=eyJ..."
Response 200: { "data": [ ... ] }. The secret token value is never returned again after minting — only metadata is listed.

Revoke a token

POST /v1/tokens/revoke
curl -X POST https://aius.co/api/v1/tokens/revoke \
  -H "Content-Type: application/json" \
  --cookie "__Host-aius_session=eyJ..." \
  -d '{"id": 42}'
Response 200: { "id": 42, "revoked_at": 1717124500 }. A revoked token is rejected on all subsequent requests with 401 invalid token. Missing id → 400; unknown id → 404.
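
An added example, not part of the original documentation or the service's own code: a Python token rotation built on the three token endpoints above, which mints a replacement with the session cookie, confirms it authenticates before revoking the old id, then checks that the old token gets 401. The names rotate_token, http_send and the send parameter, and the use of GET /v1/clients as the liveness probe, are assumptions of this example.

```python
import json
import urllib.error
import urllib.request

BASE = "https://aius.co/api/v1"  # base URL from the page's curl examples


def http_send(method, path, headers, body=None):
    """Real transport (assumed helper): returns (status, parsed JSON or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE + path, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def rotate_token(session_cookie, old_id, old_secret, new_name, send=http_send):
    """Mint a replacement, prove it works, revoke the old id, prove it is dead."""
    session = {"Cookie": f"__Host-aius_session={session_cookie}",
               "Content-Type": "application/json"}

    def bearer(secret):
        return {"Authorization": f"Bearer {secret}"}

    # Minting needs the session cookie; a bearer token is not accepted here.
    status, minted = send("POST", "/tokens", session, {"token_name": new_name})
    if status != 200:
        raise RuntimeError(f"mint failed: HTTP {status}")
    new_secret = minted["token"]  # shown once; listing returns metadata only

    # Do not revoke the old credential until the new one authenticates.
    status, _ = send("GET", "/clients", bearer(new_secret))
    if status != 200:
        raise RuntimeError(f"new token rejected (HTTP {status}); old token kept")

    status, revoked = send("POST", "/tokens/revoke", session, {"id": old_id})
    if status != 200:  # page documents 400 for a missing id, 404 for an unknown id
        raise RuntimeError(f"revoke failed: HTTP {status}")

    # A revoked token must now be rejected with 401.
    status, _ = send("GET", "/clients", bearer(old_secret))
    if status != 401:
        raise RuntimeError(f"old token still accepted: HTTP {status}")
    return {"id": minted["id"], "token": new_secret,
            "revoked_at": revoked["revoked_at"]}
```

Store the returned token value immediately in a secrets manager or a file readable only by its owner, since it cannot be retrieved again.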

Billing (overview)

A client also exposes Stripe-backed billing endpoints (subscription checkout, credit top-ups and balance, invoices, payment methods, and a billing portal), all under /v1/clients/{client_id}/…. These are typically driven from the web dashboard. See Billing for details.