API reference

All HTTP APIs are served from your Threadline deployment (by default https://api.threadline.to).

Authentication is via a Bearer API key tied to an agent.

Authentication

Every request must include:

Request

Authorization: Bearer tl_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/json

Keys are created in the developer dashboard. Threadline stores a SHA-256 hash of each key and never returns the key again after creation.

If authentication fails, you'll receive:

Response

{ "error": "Invalid API key.", "code": "UNAUTHORIZED" }

GET /api/context/[userId]

GET

/api/context/[userId]

Fetch the structured context object for a user.

Request

GET /api/context/USER_UUID
Authorization: Bearer tl_live_...

Response

{
"userId": "USER_UUID",
"communication_style": "short, direct",
"ongoing_tasks": ["Ship onboarding flow"],
"key_relationships": ["PM: Sam", "Designer: Lee"],
"domain_expertise": ["TypeScript", "product strategy"],
"preferences": { "tone": "casual", "format": "bullets" },
"emotional_state": { "recent_sentiment": "stressed but optimistic" },
"last_updated": "2026-03-12T10:00:00.000Z"
}

POST /api/context/inject

POST

/api/context/inject

Returns a prompt string with context intelligently injected for a given user.

Request

POST /api/context/inject
Authorization: Bearer tl_live_...
Content-Type: application/json

Request body

{
"userId": "USER_UUID",
"basePrompt": "You are a helpful assistant."
}

Response

{
"injectedPrompt": "System:\nThis user prefers concise, bullet-point answers and is currently working on an onboarding flow...\n\nYou are a helpful assistant."
}

POST /api/context/update

POST

/api/context/update

Updates a user's context based on a single interaction.

Request

POST /api/context/update
Authorization: Bearer tl_live_...
Content-Type: application/json

Request body

{
"userId": "USER_UUID",
"userMessage": "I need to finish the onboarding flow by Friday.",
"agentResponse": "Got it. Let's break your onboarding flow into concrete steps..."
}

Response

{
"updated": true,
"delta": {
  "ongoing_tasks": ["Finish onboarding flow"],
  "communication_style": "short, direct"
}
}

Error codes

Threadline returns structured errors:

Response

{ "error": "Message", "code": "ERROR_CODE" }

Common codes:

Code	HTTP	Description
BAD_REQUEST	400	Invalid params or payload
UNAUTHORIZED	401	Missing or invalid API key
FORBIDDEN	403	No active grant for this user + agent
NOT_FOUND	404	Resource not found (e.g. no context yet)
SUPABASE_ERROR	500	Internal persistence error
OPENAI_ERROR	502	Model integration failed
INTERNAL_ERROR	500	Unexpected server error

Rate limits

Threadline applies soft rate limits per API key:

Context reads (GET /api/context and POST /api/context/inject): optimized via Redis cache.
Context writes (POST /api/context/update): write-through to Postgres with audit logging.

If you hit a limit, you'll receive:

Response

{ "error": "Rate limit exceeded.", "code": "RATE_LIMITED" }

Enterprise and high-throughput workloads can request higher limits and dedicated capacity.

threadline

API reference

All HTTP APIs are served from your Threadline deployment (by default https://api.threadline.to).

Authentication is via a Bearer API key tied to an agent.

Authentication

Every request must include:

Request

Authorization: Bearer tl_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/json

Keys are created in the developer dashboard. Threadline stores a SHA-256 hash of each key and never returns the key again after creation.

If authentication fails, you'll receive:

Response

{ "error": "Invalid API key.", "code": "UNAUTHORIZED" }

GET /api/context/[userId]

GET

/api/context/[userId]

Fetch the structured context object for a user.

Request

GET /api/context/USER_UUID
Authorization: Bearer tl_live_...

Response

{
"userId": "USER_UUID",
"communication_style": "short, direct",
"ongoing_tasks": ["Ship onboarding flow"],
"key_relationships": ["PM: Sam", "Designer: Lee"],
"domain_expertise": ["TypeScript", "product strategy"],
"preferences": { "tone": "casual", "format": "bullets" },
"emotional_state": { "recent_sentiment": "stressed but optimistic" },
"last_updated": "2026-03-12T10:00:00.000Z"
}

POST /api/context/inject

POST

/api/context/inject

Returns a prompt string with context intelligently injected for a given user.

Request

POST /api/context/inject
Authorization: Bearer tl_live_...
Content-Type: application/json

Request body

{
"userId": "USER_UUID",
"basePrompt": "You are a helpful assistant."
}

Response

{
"injectedPrompt": "System:\nThis user prefers concise, bullet-point answers and is currently working on an onboarding flow...\n\nYou are a helpful assistant."
}

POST /api/context/update

POST

/api/context/update

Updates a user's context based on a single interaction.

Request

POST /api/context/update
Authorization: Bearer tl_live_...
Content-Type: application/json

Request body

{
"userId": "USER_UUID",
"userMessage": "I need to finish the onboarding flow by Friday.",
"agentResponse": "Got it. Let's break your onboarding flow into concrete steps..."
}

Response

{
"updated": true,
"delta": {
  "ongoing_tasks": ["Finish onboarding flow"],
  "communication_style": "short, direct"
}
}

Error codes

Threadline returns structured errors:

Response

{ "error": "Message", "code": "ERROR_CODE" }

Common codes:

Code	HTTP	Description
BAD_REQUEST	400	Invalid params or payload
UNAUTHORIZED	401	Missing or invalid API key
FORBIDDEN	403	No active grant for this user + agent
NOT_FOUND	404	Resource not found (e.g. no context yet)
SUPABASE_ERROR	500	Internal persistence error
OPENAI_ERROR	502	Model integration failed
INTERNAL_ERROR	500	Unexpected server error

Rate limits

Threadline applies soft rate limits per API key:

Context reads (GET /api/context and POST /api/context/inject): optimized via Redis cache.
Context writes (POST /api/context/update): write-through to Postgres with audit logging.

If you hit a limit, you'll receive:

Response

{ "error": "Rate limit exceeded.", "code": "RATE_LIMITED" }

Enterprise and high-throughput workloads can request higher limits and dedicated capacity.