Base URLs

LexQ exposes two separate APIs with different base URLs:
| API | Base URL | Purpose |
| --- | --- | --- |
| Management API | https://api.lexq.io/api/v1/partners | Policy lifecycle (create, test, deploy) |
| Execution API | https://api.lexq.io/api/v1/execution | Runtime policy evaluation (your app calls this) |
Do not mix the two base URLs. Management endpoints return 404 on the Execution base URL and vice versa.

Authentication

LexQ uses API Key authentication. Include your key in every request:
x-api-key: YOUR_API_KEY
API keys are created and managed in the Console under Management → API Keys.
API keys grant full access to your organization’s policy engine. Never expose them in client-side code or public repositories.

Request Format

All request and response bodies use JSON. Set the Content-Type header:
Content-Type: application/json

Response Format

Every response follows a consistent envelope:
{
  "result": "SUCCESS",
  "data": { ... },
  "message": null
}
The top-level field is result (value: "SUCCESS" or "ERROR"), not success: true/false. Always check result === "SUCCESS" in your integration code.

Error Codes

Error codes follow a prefix convention:
| Prefix | Domain |
| --- | --- |
| C-xxx | Common (input validation, not found, rate limit) |
| A-xxx | Auth (credentials, API key, sessions) |
| P-xxx | Policy Engine (groups, versions, rules, deployments) |
| I-xxx | Idempotency |
| S-xxx | System / Crypto |
| B-xxx | Billing (subscription, payment, quota) |
| M-xxx | Member & Account |
| AN-xxx | Analytics & Simulation |
| ACT-xxx | Action validation (discount, point, notification) |
| FD-xxx | Fact Definition |
| INT-xxx | Integration |
| FL-xxx | Failure Log |
| WH-xxx | Webhook Subscription |
See the full error reference for details.

Rate Limits

Rate limits apply per organization (across all API keys for the same tenant), based on your plan’s Max TPS setting:
| Plan | Max TPS |
| --- | --- |
| Free | 10 |
| Growth | 100 |
| Pro | 500 |
| Enterprise | Custom |
Throttling uses a strict per-second window: the counter resets every epoch second. Requests exceeding the TPS limit in that second receive HTTP 429 Too Many Requests with code C-007. For execution endpoints, batch and composite calls count as a single request against TPS, regardless of how many fact sets they contain. This makes batching the most direct way to handle burst traffic without upgrading.
Issuing additional API keys does not raise your effective TPS — keys share the same per-tenant bucket. Upgrade your plan to raise the limit, or batch your calls to fit more work into each request.

Idempotency

For execution endpoints, you can include an Idempotency-Key header to prevent duplicate processing:
Idempotency-Key: unique-request-id-123
Duplicate requests with the same key return the original response without re-executing the policy.
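
The rules above combined into one server-side call wrapper, as an added example that is not LexQ's own client code: the key is read from the environment, a 429 is retried after the per-second window resets, the same Idempotency-Key is reused on every retry, and the envelope's result field is checked. Assumptions: the names executePolicy and LEXQ_API_KEY, the POST method, the request body shape, and the caller-supplied path (this page lists no endpoint paths).

```javascript
// Execution base URL is from the page. Endpoint paths are not listed there,
// so `path` is caller-supplied; POST and LEXQ_API_KEY are assumptions.
const EXECUTION_BASE = "https://api.lexq.io/api/v1/execution";

// The TPS counter resets every epoch second, so wait only until the next one.
function msUntilNextSecond(nowMs) {
  return 1000 - (nowMs % 1000);
}

async function executePolicy(path, facts, idempotencyKey, opts = {}) {
  const {
    apiKey = process.env.LEXQ_API_KEY, // server-side only, never in client code
    fetchImpl = fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    now = Date.now,
    maxAttempts = 3,
  } = opts;
  if (!apiKey) throw new Error("LexQ API key is not configured");
  if (!idempotencyKey) throw new Error("idempotencyKey is required");

  for (let attempt = 1; ; attempt++) {
    const res = await fetchImpl(EXECUTION_BASE + path, {
      method: "POST",
      headers: {
        "x-api-key": apiKey,
        "Content-Type": "application/json",
        // Reuse the same key on every retry so a request that was processed
        // but whose response was lost is not executed a second time.
        "Idempotency-Key": idempotencyKey,
      },
      body: JSON.stringify(facts),
    });
    if (res.status === 429 && attempt < maxAttempts) {
      await sleep(msUntilNextSecond(now()));
      continue;
    }
    const envelope = await res.json().catch(() => null);
    // The envelope field is `result`, not `success`; HTTP status alone is not enough.
    if (!envelope || envelope.result !== "SUCCESS") {
      const err = new Error(`LexQ call failed (HTTP ${res.status})`);
      err.status = res.status;
      err.envelope = envelope; // error details as returned by the API
      throw err;
    }
    return envelope.data;
  }
}
```

Derive the idempotency key from a stable business identifier (an order or transaction ID, for example) rather than generating a fresh value per attempt, otherwise retries are treated as new requests.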

Pagination

List endpoints return paginated results:
{
  "result": "SUCCESS",
  "data": {
    "content": [ ... ],
    "totalElements": 42,
    "totalPages": 3,
    "pageNo": 0,
    "pageSize": 20
  }
}
Use pageNo (0-indexed) and pageSize query parameters to navigate pages.

Next Steps

Authentication

API key management and security best practices.

Policy Execution

Execute policies against live traffic.