API Usage Policy

Last Updated: January 12, 2026Effective Date: January 12, 2026

1. Introduction and Scope

1.1. Purpose

This API Usage Policy ("Policy") governs the use of Evaste APIs, including conditions, limitations, and requirements. By using the API, you can programmatically access Evaste's data protection and consent management services.

1.2. Definitions

"API": Application Programming Interface - the interface providing programmatic access to Evaste services.

"API Key": A unique authentication key used to access the API.

"Endpoint": A specific function or resource accessible through the API.

"Rate Limit": Maximum number of API calls allowed within a specified period.

"Webhook": HTTP callbacks sent by Evaste to customer systems when certain events occur.

"SDK": Software Development Kit - libraries that facilitate API integration.

1.3. Scope

This policy covers:

REST API (v2)
GraphQL API
Webhook Delivery System
JavaScript SDK
Server-side SDKs (Node.js, Python, PHP, Ruby)

2. API Access and Authentication

2.1. Access Requirements

API access requires:

An active Evaste account
A subscription plan that includes API access
Generated API Key
Acceptance of this Policy

2.2. API Key Types

Key Type	Scope	Use Case
Public Key	Read-only	Frontend integrations
Secret Key	Full access	Backend integrations
Webhook Key	Verification	Webhook signature verification
Test Key	Sandbox	Development/testing

2.3. Authentication Methods

API Key Authentication: Header: X-API-Key: your_api_key_here
Bearer Token Authentication: Header: Authorization: Bearer your_token_here
OAuth 2.0 (Enterprise plans): Authorization Code Flow, Client Credentials Flow

2.4. API Key Security

MANDATORY security requirements:

Secret Keys must NEVER be used in client-side code
API keys must NOT be stored in source code
Use environment variables or secure vault systems
Rotate API keys regularly (recommended: 90 days)
Immediately revoke keys if suspicious activity detected

3. Usage Limits and Quotas

3.1. Rate Limiting

API calls are limited as follows:

Plan	Requests/Minute	Requests/Hour	Requests/Day
Pro	100	3,000	50,000
Enterprise	1,000	30,000	500,000
Enterprise Plus	10,000	300,000	5,000,000

3.2. Endpoint-Specific Limits

Additional limits apply to specific endpoints:

Endpoint Category	Limit/Minute
Read (GET)	Plan limit
Write (POST/PUT)	Plan limit x 0.5
Delete (DELETE)	Plan limit x 0.2
Bulk Operations	Plan limit x 0.1
Export/Report	10

3.3. Burst Limit

Burst limits for sudden traffic spikes:

Pro: 200 requests/second (10 second burst)
Enterprise: 500 requests/second (30 second burst)
Enterprise Plus: 2,000 requests/second (60 second burst)

3.4. Rate Limit Headers

Every API response includes these headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Retry-After

3.5. Rate Limit Exceeded

When limit is exceeded:

HTTP 429 (Too Many Requests) response returned
Retry-After header indicates wait time
Continuous exceeding may result in account suspension

4. API Usage Rules

4.1. General Rules

API must be used only for documented purposes
All API calls must be made over HTTPS
API responses may be cached (following Cache-Control directives)
Error responses must be handled appropriately

4.2. Client Requirements

All API requests must include:

Valid User-Agent header (Example: User-Agent: MyApp/1.0 (contact@example.com))
Content-Type header (Example: Content-Type: application/json)
Accept header (Example: Accept: application/json)

4.3. Data Format

Requests: Must be sent in JSON format
Responses: Returned in JSON format
Dates: ISO 8601 format (UTC)
Encoding: UTF-8

4.4. Pagination

For list endpoints:

Default page size: 20
Maximum page size: 100
Cursor-based pagination preferred
Offset pagination supported

4.5. Idempotency

For critical write operations:

Use Idempotency-Key header
Repeated requests with same key return same result
Keys valid for 24 hours
UUID v4 format recommended

5. Data Security and Privacy

5.1. Data Encryption

All API traffic encrypted with TLS 1.2+
TLS 1.0 and 1.1 not supported
Minimum cipher strength: AES-256
Certificate pinning available in SDKs

5.2. Personal Data Processing

When processing personal data via API:

Comply with GDPR and KVKK requirements
Apply data minimization principle
Do not collect or store unnecessary data
Support data subject rights

5.3. Audit Logging

All API calls are logged:

Call timestamp, Endpoint, IP address, API key used, Response code, Operation details
Logs: 90 days online access
1 year archived storage
Extended retention available for Enterprise customers

6. API Versioning

6.1. Version Policy

API versions use semantic versioning (vMajor.Minor)
Current stable version: v2
Legacy version: v1 (deprecated, ending Q4 2026)

6.2. Specifying Version

API version can be specified via:

URL path (recommended): /api/v2/consents
Header: X-API-Version: 2
Query parameter: ?api_version=2

6.3. Backward Compatibility

Minor version updates are backward compatible:

Existing fields not changed or removed
New optional fields may be added
New endpoints may be added
Behavior changes considered breaking

6.4. Deprecation Policy

Deprecated features supported for at least 12 months
Deprecation notification via: Email announcement, Deprecation header in API response, Documentation update
Sunset header indicates end date

7. Integration Requirements

7.1. SDKs

Official SDKs:

Platform	Package	Minimum Version
JavaScript	@evaste/js-sdk	Node 16+
Python	evaste-python	Python 3.8+
PHP	evaste/php-sdk	PHP 8.0+
Ruby	evaste-ruby	Ruby 3.0+
Java	evaste-java	Java 11+
.NET	Evaste.SDK	.NET 6.0+

7.2. SDK Usage

SDK usage is STRONGLY RECOMMENDED because:

Automatic retry mechanism
Rate limit handling
Error handling
Type safety
Automatic version compatibility

7.3. Webhook Integration

To receive webhooks:

Provide HTTPS endpoint
Accept POST requests
Respond within 5 seconds
Return 2xx response code

Webhook Signature Verification: Evaste-Signature: t=timestamp,v1=signature - Signature verification is MANDATORY.

7.4. Test Environment

Sandbox environment:

Base URL: https://api.sandbox.evaste.co
Use test API keys
No real data processed
Rate limits same as production
All features testable

8. Error Handling and Logging

8.1. HTTP Status Codes

Code	Meaning	Action
200	Success	-
201	Created	-
204	No content	-
400	Bad request	Fix request
401	Unauthorized	Authenticate
403	Forbidden	Check permissions
404	Not found	Check endpoint
409	Conflict	Sync data
422	Unprocessable	Fix validation errors
429	Too many requests	Wait and retry
500	Server error	Contact support
502	Bad gateway	Retry
503	Service unavailable	Retry

8.2. Retry Strategy

For transient errors (5xx, 429):

Use exponential backoff
First retry: 1 second
Maximum retries: 5 attempts
Maximum wait: 32 seconds
Add jitter

9. Prohibited Uses

9.1. Strictly Prohibited Uses

The following activities result in immediate API access termination:

(a) Security Violations

Exploiting API security vulnerabilities
Authentication bypass attempts
Unauthorized data access
SQL injection, XSS, etc.

(b) Abuse

DDoS or DoS attacks
Spam or bulk unwanted data transmission
Deliberately exceeding rate limits
Scraping or data mining

Using API for illegal activities
Infringing third-party rights
Violating data protection laws

9.2. Restricted Uses

Prior written permission required for:

High-volume data transfer (1M+ requests/day)
API usage in third-party applications
White-label or OEM integrations
Academic research use

10. Liability and Warranties

10.1. Evaste's Responsibilities

Evaste commits to:

Ensuring API functions as documented
Fixing security vulnerabilities promptly
Providing advance notice of planned maintenance
Providing technical support

10.2. Warranty Disclaimer

API is provided "AS IS". Evaste does NOT warrant:

Uninterrupted access
Error-free operation
Fitness for a particular purpose
Compatibility with third-party systems

10.3. Limitation of Liability

Evaste is NOT liable for: Indirect, incidental, or consequential damages, Loss of profit or data, Business interruption, Third-party claims. Maximum liability: Total fees paid in last 12 months.

10.4. User Responsibilities

API user is responsible for:

API key security
Issues arising from integration errors
Compliance with rate limits
Compliance with data protection laws
Protecting end-user data

11. API Changes and Termination

11.1. Change Notification

For API changes:

Change Type	Notification Period
New feature	Immediate
Minor change	30 days
Breaking change	6 months
API termination	12 months

11.2. Notification Channels

api-updates@evaste.co email list
Developer blog
Headers in API responses
Dashboard notifications
Status page

11.3. API Access Termination

Evaste may terminate API access for:

Terms of service violation
Account cancellation
Payment failure
Security threats

11.4. Data Export

Before termination:

30-day data export period provided
All data exportable via API
Bulk export endpoint available
Webhook history downloadable

12. Technical Support

12.1. Support Channels

Channel	Access
Documentation	https://docs.evaste.co
API Reference	https://api.evaste.co/docs
Status	https://status.evaste.co
Email	api-support@evaste.co
GitHub Issues	github.com/evaste/api-issues

12.2. Support Scope

Included:

API usage questions
Integration support
Bug reports
Feature requests

Excluded:

Custom code writing
Third-party integrations
Performance optimization (except Enterprise)

12.3. Changelog

Changelog: https://docs.evaste.co/changelog
RSS Feed: https://docs.evaste.co/changelog/rss
GitHub Releases: github.com/evaste/api/releases

Contact Information

Evaste API Team

API Support: api-support@evaste.co

Security: security@evaste.co

Partnerships: partners@evaste.co

Documentation: https://docs.evaste.co

API Reference: https://api.evaste.co/docs

Sandbox: https://api.sandbox.evaste.co

Back to Legal Center