Authorization header. Every request to an authenticated endpoint must include:
/v1/me/* endpoint resolves the company from the key itself - there is no company id in any request, and a founder key cannot read or change any company but its own.
Key format
fnd portal segment is what distinguishes a founder key from an investor cap_inv_* key. The two are not interchangeable: a founder key works only on the /v1/me/* founder endpoints, and an investor key is rejected from them with 403.
Live vs test
| Prefix | Accepted by | What it sees |
|---|---|---|
cap_fnd_live_ | api.venture.caplia.ai and mcp.venture.caplia.ai | Your real company |
cap_fnd_test_ | api-sandbox.venture.caplia.ai and mcp-sandbox.venture.caplia.ai | A sandbox / test company, isolated from production |
test key while you build and debug an integration so you can’t accidentally publish a deck or edit your live profile. The production endpoints reject test keys with 401 and vice-versa, so leaking a key into the wrong environment fails closed.
Getting a key
Mint a key yourself in the Caplia founder portal:- Sign in to the founder portal
- Open the account menu → API Keys (
/account/api-keys) - Click Create key, give it a descriptive name, and pick a scope -
read, orread+write(see below) - Copy the key - the plaintext is shown exactly once
The Founder API is live in production. To build and test safely, use the
-sandbox hosts with a cap_fnd_test_* key, then switch to your cap_fnd_live_* key for your real company.Scopes
A key carriesread, or read plus write.
Read access to your own data -
GET /v1/me/company, /v1/me/scores, /v1/me/metrics, /v1/me/documents, and your deck drafts.Everything
read allows plus the write endpoints - update your profile, upload documents, and the deck loop (POST /v1/me/deck/drafts, publish).write key, because submitting and publishing a deck changes what investors see. Use a read key for a dashboard that only displays your CRI.
Using the token
Every authenticated request needs the header. Note there’s no company id anywhere - the key is the company:Error responses
If the header is missing or malformed:401 Unauthorized
403 Forbidden
request_id is useful when emailing support - it lets us trace your exact request.
Revoking a key
In the founder portal, open API Keys and click Revoke on the row. Revocation is immediate - the next request with that key returns401 within seconds. If you suspect a key has leaked, revoke first, then investigate where it leaked, then mint a replacement.
Security best practices
- Never commit keys to source control. Use environment variables or a secret manager.
- Never put a
cap_fnd_*key in a browser or client-side code. It carries write authority over your company. Server-side only. - Use a
testkey while developing. Reserve thelivekey for the integration you actually trust. - Use the least-privilege scope. A read-only dashboard doesn’t need a
writekey.