# HonestFit Public API v1 Implementation-true reference for the shipped v1 partner endpoints: - `GET /api/v1/candidates/{publicSlug}` - `POST /api/v1/candidates/{publicSlug}/fit` These endpoints expose only the candidate-controlled public projection already allowed on the public candidate page. They do not expose canonical/private profile fields, raw evidence, provider internals, or recruiter-only workflow data. **Version boundary:** Public API **v1** is the partner contract version for these endpoints. It is independent from the HonestFit app product version (`1.0.0` for production v1) and from Trust Layer v1 as a shipped feature version. ## Discovery on the public site This file is the **repo-canonical** markdown. The same contract is **publicly discoverable** (for humans, search, and machine fetch) at: | Format | Production URL | | --- | --- | | HTML (interactive OpenAPI) | `https://honestfit.ai/docs/api/public-api-v1` | | Markdown (this document) | `https://honestfit.ai/docs/api/public-api-v1.md` | | OpenAPI 3.1 YAML | `https://honestfit.ai/docs/api/public-api-v1.openapi.yaml` | **Auth is unchanged:** those URLs are **documentation and spec** only. **Every** JSON call to `/api/v1/...` still requires `Authorization: Bearer ` with the right scopes—there is **no** anonymous public API access. The public profile web and markdown surfaces are separate from authenticated Public API v1 access: - `/c/{publicSlug}` and `/c/{publicSlug}.md` can remain live for a candidate-approved public profile. - `/api/public-profile?identifier={publicSlug}` can remain available for the public profile projection. - `/api/v1/...` requires Public API key configuration. If that server-side integration surface is intentionally unconfigured, it returns `503 PUBLIC_API_NOT_CONFIGURED` instead of implying anonymous access or surfacing an internal server error. An **internal** duplicate viewer (same bundled spec, **noindex**) lives at `https://honestfit.ai/internal/docs/public-api-v1` for signed-in operators and in-app links from Settings. ## Public candidate surfaces vs Public API v1 The following **do not** require a partner API key and serve the **sanitized public projection** when the candidate has enabled public profile (HTML semantics differ; payloads are the same contract family): | Surface | Example | | --- | --- | | Public profile (HTML) | `GET /c/{publicSlug}` | | Public profile (Markdown) | `GET /c/{publicSlug}.md` | | Public profile JSON (unauthenticated projection) | `GET /api/public-profile?identifier={publicSlug}` | **Public API v1** (`/api/v1/candidates/...`) is the **partner**, **key-authenticated** surface meant to return the same **public-safe** candidate and fit data as above. It depends on **Public API configuration** (keys, server wiring). ### Disabled or unconfigured Public API v1 When Public API auth/configuration is intentionally not enabled for the environment, **`GET /api/v1/candidates/{publicSlug}`** and related Public API v1 calls return **`503 Service Unavailable`** with stable error code **`PUBLIC_API_NOT_CONFIGURED`**. Unexpected application failures still use **`500 Internal Server Error`** with **`INTERNAL_ERROR`**. Missing or invalid keys remain **`401 Unauthorized`** once Public API key authentication is configured; missing scopes remain **`403 Forbidden`**. **Related:** [`docs/product/trust-layer-shipped-state.md`](../product/trust-layer-shipped-state.md) (operator snapshot), [`BRAIN.md`](../../BRAIN.md) → **Public API v1 — operational caveat**. ## Quickstart - Base path: `/api/v1` - Auth: `Authorization: Bearer ` - Read scope: `public_candidate.read` - Fit scope: `public_candidate.fit` - Content type: - `GET` does not send a body - `POST /fit` requires `Content-Type: application/json` - Request IDs: - Send `X-Request-Id` to provide your own correlation ID - HonestFit echoes that value back in the `X-Request-Id` response header - Success responses also repeat it in `meta.requestId` - Error responses also repeat it in `error.requestId` - If you do not send one, HonestFit generates an opaque `req_...` value ```bash curl https://honestfit.ai/api/v1/candidates/alex-rivera \ -H "Authorization: Bearer $HONESTFIT_PUBLIC_API_KEY" \ -H "X-Request-Id: partner-read-001" ``` ```bash curl https://honestfit.ai/api/v1/candidates/alex-rivera/fit \ -X POST \ -H "Authorization: Bearer $HONESTFIT_PUBLIC_API_KEY" \ -H "Content-Type: application/json" \ -H "X-Request-Id: partner-fit-001" \ -d '{ "jobDescription": "Staff Frontend Engineer\n\nResponsibilities\n- Lead design systems and component libraries.\n- Mentor frontend engineers.\n\nPreferred\n- Own accessibility program direction." }' ``` ## Shared Conventions ### Success envelope ```json { "data": {}, "meta": { "apiVersion": "v1", "requestId": "partner-read-001" } } ``` ### Error envelope ```json { "error": { "code": "UNAUTHORIZED", "message": "Missing API key.", "status": 401, "requestId": "partner-read-001", "retryable": false } } ``` ### Shared notes - Unknown response fields should be ignored for forward compatibility. - All timestamps are ISO 8601 UTC strings. - `POST /fit` accepts JSON only. - `POST /fit` request bodies are strict: only `jobDescription` is accepted. ## GET Candidate Purpose: fetch the candidate-controlled, public-safe profile projection for a single public candidate. - Method: `GET` - Path: `/api/v1/candidates/{publicSlug}` - Auth scope: `public_candidate.read` ### Path params | Name | Type | Required | Notes | | --- | --- | --- | --- | | `publicSlug` | string | yes | Canonical public slug. If it does not resolve to a live public candidate projection, the endpoint returns `404`. | ### Request body No body. ### Response shape ```json { "data": { "candidate": { "publicSlug": "alex-rivera", "canonicalUrl": "https://honestfit.ai/c/alex-rivera", "basics": { "displayName": "Alex Rivera", "headline": "Staff Frontend Engineer", "summary": "Candidate-approved public summary." }, "location": { "label": "TX", "granularity": "region" }, "links": [ { "kind": "linkedin", "label": "LinkedIn", "url": "https://www.linkedin.com/in/alex-rivera/?trk=private", "hostname": "www.linkedin.com" }, { "kind": "github", "label": "GitHub", "url": "https://github.com/alexrivera?tab=repositories", "hostname": "github.com" }, { "kind": "portfolio", "label": "Portfolio", "url": "https://alexrivera.dev/work?preview=true", "hostname": "alexrivera.dev" } ], "featuredExperience": [ { "id": "role-1", "title": "Staff Frontend Engineer", "company": "ExampleCo", "dateRangeLabel": "Jan 2021 - Mar 2024", "scope": "Led the design system and frontend platform.", "highlights": [ { "id": "claim-1", "text": "Scaled a component platform used across multiple teams.", "linkedClaimId": "claim-1" } ], "technologies": ["React", "TypeScript", "Storybook"] } ], "featuredClaims": [ { "id": "claim-1", "text": "Scaled a component platform used across multiple teams.", "category": "work_impact", "kind": "fact", "roleContext": { "roleId": "role-1", "roleLabel": "Staff Frontend Engineer · ExampleCo" }, "trust": { "status": "supported", "supportLevel": "moderate", "explanation": "This claim is supported by candidate-approved source material visible through the public projection rules.", "fairnessNote": null, "sourceLabels": ["Candidate confirmation", "Uploaded source material"] } }, { "id": "claim-2", "text": "Bridges design systems and product execution without handoff gaps.", "category": "professional_strength", "kind": "judgment", "roleContext": { "roleId": null, "roleLabel": null }, "trust": { "status": "self_reported", "supportLevel": "limited", "explanation": "This reads as candidate-reported strength rather than direct public proof.", "fairnessNote": "Support may be thin because the strongest evidence can be private, historical, or proprietary.", "sourceLabels": [] } } ], "publicState": { "visibility": "public", "publicFitEnabled": true, "shareReadiness": "ready" } } }, "meta": { "apiVersion": "v1", "projectionVersion": 3, "generatedAt": "2026-04-20T18:30:00.000Z", "requestId": "partner-read-001" } } ``` ### Field guide | Field | Type | Notes | | --- | --- | --- | | `data.candidate.publicSlug` | string | Canonical public candidate identifier. | | `data.candidate.canonicalUrl` | string | Absolute HonestFit public profile URL. | | `data.candidate.basics` | object | Candidate-approved public basics only. | | `data.candidate.location.granularity` | `city_region` \| `region` \| `hidden` | Safe location projection setting. | | `data.candidate.links[].kind` | `linkedin` \| `github` \| `portfolio` | Normalized public link type. | | `data.candidate.featuredExperience[]` | array | Candidate-selected featured roles only. | | `data.candidate.featuredClaims[]` | array | Candidate-selected public claims only. | | `data.candidate.featuredClaims[].trust` | object | Resolved public trust label and explanation. | | `data.candidate.publicState.publicFitEnabled` | boolean | Whether the fit endpoint is currently allowed for this candidate. | | `data.candidate.publicState.shareReadiness` | `ready` \| `needs_more` | Candidate-facing guidance only, not a recruiter score. | | `meta.projectionVersion` | number | Shared public projection schema version. | ### Curl example ```bash curl https://honestfit.ai/api/v1/candidates/alex-rivera \ -H "Authorization: Bearer $HONESTFIT_READ_KEY" \ -H "X-Request-Id: partner-read-001" ``` ### JavaScript / TypeScript example ```ts const apiKey = process.env.HONESTFIT_READ_KEY; if (!apiKey) { throw new Error("Missing HONESTFIT_READ_KEY"); } async function getCandidate(publicSlug: string) { const response = await fetch(`https://honestfit.ai/api/v1/candidates/${publicSlug}`, { headers: { Authorization: `Bearer ${apiKey}`, "X-Request-Id": "partner-read-001", }, }); const payload = await response.json(); if (!response.ok) { throw new Error(`${payload.error.code}: ${payload.error.message}`); } return payload.data.candidate; } const candidate = await getCandidate("alex-rivera"); console.log(candidate.publicSlug); console.log(candidate.basics.displayName); console.log(candidate.publicState.publicFitEnabled); ``` ### Python example ```python import os import requests api_key = os.environ["HONESTFIT_READ_KEY"] response = requests.get( "https://honestfit.ai/api/v1/candidates/alex-rivera", headers={ "Authorization": f"Bearer {api_key}", "X-Request-Id": "partner-read-001", }, timeout=30, ) payload = response.json() if not response.ok: raise RuntimeError(f"{payload['error']['code']}: {payload['error']['message']}") candidate = payload["data"]["candidate"] print(candidate["publicSlug"]) print(candidate["basics"]["displayName"]) print(candidate["publicState"]["publicFitEnabled"]) ``` ## POST Candidate Fit Purpose: run a synchronous fit analysis grounded only in the candidate’s public projection. - Method: `POST` - Path: `/api/v1/candidates/{publicSlug}/fit` - Auth scope: `public_candidate.fit` - Content type: `application/json` ### Path params | Name | Type | Required | Notes | | --- | --- | --- | --- | | `publicSlug` | string | yes | Canonical public slug. If it does not resolve to a live public candidate projection, the endpoint returns `404`. | ### Request body ```json { "jobDescription": "Staff Frontend Engineer\n\nResponsibilities\n- Lead design systems and component libraries.\n- Mentor frontend engineers.\n\nPreferred\n- Own accessibility program direction." } ``` ### Request body fields | Field | Type | Required | Notes | | --- | --- | --- | --- | | `jobDescription` | string | yes | Trimmed server-side. Must be non-empty and at most `32000` characters after trim. | ### Response shape ```json { "data": { "fitAnalysis": { "publicSlug": "alex-rivera", "summary": { "overall": "Strong public evidence for lead design systems and component libraries, with thinner public proof on own accessibility program direction.", "evidenceBackedRead": "Facts: the public profile shows direct evidence of design systems leadership, component platform work, and relevant frontend stack usage.", "missingEvidenceRead": "Missing evidence: the public profile does not currently expose direct proof of accessibility program ownership.", "inferredJudgment": "Inference: there is meaningful role overlap, but some leadership expectations still rely on adjacent signals rather than explicit proof.", "recommendation": "Recommendation: treat this as a strong public match for frontend systems work and ask follow-up questions where the public surface stays thin." }, "strongestVisibleMatch": { "id": "req-design-systems-leadership", "label": "Lead design systems and component libraries", "importance": "core", "category": "technical", "confidence": "high", "reasoningType": "fact", "matchedKeywords": ["design", "systems", "component"], "evidence": [ { "source": "claim", "label": "Staff Frontend Engineer · ExampleCo", "detail": "Scaled a component platform used across multiple teams." }, { "source": "role", "label": "Staff Frontend Engineer · ExampleCo", "detail": "Led the design system and frontend platform across product surfaces." } ], "explanation": "This requirement is directly supported by explicit public role and claim evidence." }, "strengths": [ { "id": "req-design-systems-leadership", "label": "Lead design systems and component libraries", "importance": "core", "category": "technical", "confidence": "high", "reasoningType": "fact", "matchedKeywords": ["design", "systems", "component"], "evidence": [ { "source": "claim", "label": "Staff Frontend Engineer · ExampleCo", "detail": "Scaled a component platform used across multiple teams." }, { "source": "role", "label": "Staff Frontend Engineer · ExampleCo", "detail": "Led the design system and frontend platform across product surfaces." } ], "explanation": "This requirement is directly supported by explicit public role and claim evidence." } ], "lowerConfidence": [ { "id": "req-mentor-frontend-engineers", "label": "Mentor frontend engineers", "importance": "core", "category": "leadership", "confidence": "medium", "reasoningType": "inference", "matchedKeywords": ["mentor", "frontend"], "evidence": [ { "source": "summary", "label": "Public summary", "detail": "Frontend platform leader focused on systems and team enablement." } ], "explanation": "The public profile shows adjacent leadership signals, but the match still relies partly on interpretation." } ], "missingEvidence": [ { "id": "req-accessibility-program-direction", "label": "Own accessibility program direction", "importance": "nice", "category": "technical", "confidence": "low", "reasoningType": "missing_evidence", "matchedKeywords": [], "evidence": [], "explanation": "The public profile does not currently surface direct evidence for this requirement." } ], "grounding": { "scope": "public_projection_only", "fairnessNote": "Missing public evidence does not mean the candidate lacks the underlying experience.", "trustSemantics": "claim_level_resolved_labels_only" }, "job": { "inferredRole": "Staff Frontend Engineer", "requirementCount": 6 } } }, "meta": { "apiVersion": "v1", "fitSchemaVersion": 1, "generatedAt": "2026-04-20T18:31:00.000Z", "requestId": "partner-fit-001" } } ``` ### Field guide | Field | Type | Notes | | --- | --- | --- | | `data.fitAnalysis.publicSlug` | string | Candidate slug bound to this fit result. | | `data.fitAnalysis.summary` | object | Deterministic public-safe fit summary strings. | | `data.fitAnalysis.strongestVisibleMatch` | object \| `null` | Highest-confidence visible match, if one exists. | | `data.fitAnalysis.strengths[]` | array | Strong direct matches from public data. | | `data.fitAnalysis.lowerConfidence[]` | array | Adjacent or inferred matches from public data. | | `data.fitAnalysis.missingEvidence[]` | array | Job requirements not proven on the public surface. | | `data.fitAnalysis.grounding.scope` | `public_projection_only` | Hard public-boundary marker. | | `data.fitAnalysis.grounding.trustSemantics` | `claim_level_resolved_labels_only` | Trust is claim-level only; no hidden whole-profile trust mode. | | `data.fitAnalysis.job.inferredRole` | string \| `null` | Role inferred from the submitted job description. | | `meta.fitSchemaVersion` | number | Shared fit output schema version. | All finding objects in `strongestVisibleMatch`, `strengths`, `lowerConfidence`, and `missingEvidence` share the same shape: | Field | Type | Notes | | --- | --- | --- | | `id` | string | Opaque requirement identifier. | | `label` | string | Normalized requirement label. | | `importance` | `core` \| `nice` | Requirement importance. | | `category` | `technical` \| `domain` \| `leadership` \| `execution` \| `seniority` \| `location` \| `other` | Requirement category. | | `confidence` | `high` \| `medium` \| `low` | Deterministic confidence tier. | | `reasoningType` | `fact` \| `inference` \| `missing_evidence` | Why the item landed in that bucket. | | `matchedKeywords` | string[] | Machine-usable keyword overlap. | | `evidence[]` | array | Public-safe evidence only. | | `evidence[].source` | `headline` \| `summary` \| `role` \| `skill` \| `claim` | Evidence origin inside the public projection. | | `evidence[].label` | string | Short evidence label. | | `evidence[].detail` | string | Public-safe detail snippet. | | `explanation` | string | Concise deterministic explanation. | ### Curl example ```bash curl https://honestfit.ai/api/v1/candidates/alex-rivera/fit \ -X POST \ -H "Authorization: Bearer $HONESTFIT_FIT_KEY" \ -H "Content-Type: application/json" \ -H "X-Request-Id: partner-fit-001" \ -d '{ "jobDescription": "Staff Frontend Engineer\n\nResponsibilities\n- Lead design systems and component libraries.\n- Mentor frontend engineers.\n\nPreferred\n- Own accessibility program direction." }' ``` ### JavaScript / TypeScript example ```ts const apiKey = process.env.HONESTFIT_FIT_KEY; if (!apiKey) { throw new Error("Missing HONESTFIT_FIT_KEY"); } async function analyzeCandidateFit(publicSlug: string, jobDescription: string) { const response = await fetch(`https://honestfit.ai/api/v1/candidates/${publicSlug}/fit`, { method: "POST", headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json", "X-Request-Id": "partner-fit-001", }, body: JSON.stringify({ jobDescription }), }); const payload = await response.json(); if (!response.ok) { throw new Error(`${payload.error.code}: ${payload.error.message}`); } return payload.data.fitAnalysis; } const fitAnalysis = await analyzeCandidateFit( "alex-rivera", `Staff Frontend Engineer Responsibilities - Lead design systems and component libraries. - Mentor frontend engineers. Preferred - Own accessibility program direction.`, ); console.log(fitAnalysis.summary.overall); console.log(fitAnalysis.strongestVisibleMatch?.label ?? "No strong visible match"); console.log(fitAnalysis.missingEvidence.map((item) => item.label)); ``` ### Python example ```python import os import requests api_key = os.environ["HONESTFIT_FIT_KEY"] response = requests.post( "https://honestfit.ai/api/v1/candidates/alex-rivera/fit", headers={ "Authorization": f"Bearer {api_key}", "Content-Type": "application/json", "X-Request-Id": "partner-fit-001", }, json={ "jobDescription": """Staff Frontend Engineer Responsibilities - Lead design systems and component libraries. - Mentor frontend engineers. Preferred - Own accessibility program direction.""" }, timeout=30, ) payload = response.json() if not response.ok: raise RuntimeError(f"{payload['error']['code']}: {payload['error']['message']}") fit_analysis = payload["data"]["fitAnalysis"] print(fit_analysis["summary"]["overall"]) print( fit_analysis["strongestVisibleMatch"]["label"] if fit_analysis["strongestVisibleMatch"] else "No strong visible match" ) print([item["label"] for item in fit_analysis["missingEvidence"]]) ``` ## Error Examples ### 401 Unauthorized Returned when the API key is missing or invalid. ```json { "error": { "code": "UNAUTHORIZED", "message": "Missing API key.", "status": 401, "requestId": "partner-read-001", "retryable": false } } ``` ### 403 Forbidden Returned when the API key lacks the required scope, or when public fit is disabled for the candidate on `POST /fit`. Scope example: ```json { "error": { "code": "FORBIDDEN", "message": "API key does not have required scope: public_candidate.fit.", "status": 403, "requestId": "partner-fit-001", "retryable": false } } ``` Candidate fit disabled example: ```json { "error": { "code": "FORBIDDEN", "message": "Public fit is disabled for this candidate.", "status": 403, "requestId": "partner-fit-001", "retryable": false } } ``` ### 404 Not Found Returned when the slug does not resolve to a currently public candidate projection. ```json { "error": { "code": "NOT_FOUND", "message": "Candidate not found.", "status": 404, "requestId": "partner-read-001", "retryable": false } } ``` ### 413 Payload Too Large Returned by `POST /fit` when the JSON body exceeds `40 KB` or `jobDescription` exceeds `32000` characters after trim. ```json { "error": { "code": "PAYLOAD_TOO_LARGE", "message": "jobDescription must be at most 32000 characters.", "status": 413, "requestId": "partner-fit-001", "retryable": false, "details": { "fieldErrors": { "jobDescription": ["Must be at most 32000 characters"] } } } } ``` ### 429 Rate Limited Returned when the current per-key or per-slug limit is exceeded. HonestFit also includes `Retry-After: 60`. ```json { "error": { "code": "RATE_LIMITED", "message": "Rate limit exceeded.", "status": 429, "requestId": "partner-fit-001", "retryable": true } } ``` ### 503 Service Unavailable Returned when Public API v1 key authentication is intentionally unavailable because no Public API keys are configured for the environment. This does not change public profile page, markdown, or `/api/public-profile` availability. ```json { "error": { "code": "PUBLIC_API_NOT_CONFIGURED", "message": "Public API is not configured.", "status": 503, "requestId": "partner-read-001", "retryable": false } } ``` ## Boundary Notes - Public-safe projection only: - Included: candidate-approved basics, safe location, public links, featured experience, featured claims, resolved claim trust, public fit state - Excluded: phone numbers, street addresses, private email, hidden roles/claims/links, transcripts, raw evidence, provider payloads, debug signals, admin data, whole-profile verification fields - Public fit uses only candidate-controlled public data: - Fit is grounded only in the same public projection returned by `GET /candidates/{publicSlug}` - Trust semantics stay claim-level only - Missing public evidence is not treated as disproof - Auth and rate-limit assumptions: - Bearer API key auth is required for both endpoints - Current server defaults are `120/minute per key` and `30/minute per slug` for `GET` - Current server defaults are `12/minute per key` and `5/minute per slug` for `POST /fit` - These limits are server-configurable and `429` responses include `Retry-After` ## OpenAPI Canonical machine-readable spec (single source of truth for schema, examples, and the interactive reference UIs): [`docs/api/public-api-v1.openapi.yaml`](./public-api-v1.openapi.yaml). The same bytes are served publicly at **`/docs/api/public-api-v1.openapi.yaml`**. ### Rendered reference (public and internal) The app exposes the same interactive OpenAPI viewer (Scalar), loading the YAML bundled at build time from `docs/api/public-api-v1.openapi.yaml`, at: - **`/docs/api/public-api-v1`** — **Public**, indexable partner documentation (primary). - **`/internal/docs/public-api-v1`** — **Internal** mirror (**noindex**); convenient for operators and links from Settings. After editing the YAML, run a fresh build or dev session so both viewers pick up changes. To swap the renderer later, replace the wrapper in `app/components/docs/PublicApiV1OpenApiReference.tsx` and keep importing the YAML from this path.