API Documentation

Developer Reference

OrgScan API

RESTful API for German Handelsregister data. Search companies, trigger multi-step data fetching pipelines, download official registry documents, and retrieve structured company data. Includes a pre-alpha compliance assessment engine for KYB risk scoring.

v1Base https://api.orgscan.appJSONAll endpoints authenticated

Authentication

All API requests require an X-API-Key header. Keys are SHA-256 hashed and stored securely — the raw key is shown only once at creation.

curl -X POST https://api.orgscan.app/api/search \
  -H "Content-Type: application/json" \
  -H "X-API-Key: osk_your_api_key_here" \
  -d '{"query": "GASAG AG", "mode": "all"}'

Security: Never expose API keys in client-side code. Use environment variables or a secrets manager. The Next.js frontend uses an internal service key for server-to-server calls.

Key Tiers & Scope Matrix

Tier	Rate Limit	Credits	Scopes
standard	60/h	500/mo	searchfetchfetch_quickfetch_statuscompanylookupassessstatusreport
premium	300/h	5 000/mo	searchfetchfetch_quickfetch_statuscompanylookupdocuments_directorsdocuments_shareholdersdocuments_capital_historyextracted_dataassessstatusreportrulessubstances
internal	9 999/h	unlimited	* (all)

Requests to endpoints outside the key's allowed scopes return 403. The internal tier has wildcard access to all endpoints.

Company Data Endpoints

core

Kernendpunkte für die Unternehmenssuche und den Datenabruf. Starten Sie mit /api/lookup für URL-basierte Abfragen oder /api/search für die Namensuche. Beide lösen bei Bedarf automatisch die vollständige Fetch-Pipeline aus.

Company Profile & Data

company

Abruf strukturierter Unternehmensdaten nach erfolgreicher Datenerfassung. Umfasst das vollständige Unternehmensprofil, Netzwerkvisualisierung, UBO-Eigentümerstruktur sowie Abonnement- und Freischaltungsfunktionen.

Editing & Feedback

editing

Endpunkte zur Datenkorrektur und -pflege. Nutzer können Feedback zu falschen Daten einreichen, Editoren können Kontaktdaten inline bearbeiten, und Administratoren können Unternehmenseinträge archivieren und löschen.

Notifications

notifications

Endpunkte für benutzerbezogene Änderungsbenachrichtigungen. Damit können Integrationen aktualisierte Registerdaten, Statuswechsel oder erkannte Unternehmensänderungen effizient weiterverarbeiten.

Fetch Pipeline Steps

1

Find company website via search

find_website

2

Extract contact data, tech stack, social links

scrape_website_metadata

3

Parse register number from imprint page

extract_register_number

4

Search official Handelsregister portal

search_handelsregister

5

Download all register documents (AD, CD, UT, VÖ, SI)

download_documents

6

Parse structured data from SI XML

parse_xml

7

Upsert company, management, shareholders to DB

store_database

Each step transitions: pending → in_progress → completed | failed | skipped. Poll /api/fetch-status/{job_id} with include_steps=true (default) for real-time progress.

Compliance Assessment

pre-alpha

API für die automatisierte KYB-Risikoprüfung mit 6 Dimensionen. Die Assessment-Endpoints liefern asynchrone Bewertungen, Statusabfragen und Berichte für risikobasierte Entscheidungsprozesse.

Pre-alpha feature. The compliance engine performs 6-dimension KYB risk scoring with LLM-powered analysis on dimensions 3 and 4. API surface may change.

6-Dimension Risk Model

1Product Legal StatusLegality of products/services offered

2Business Model LegalityCompliance of the overall business model

3Criminal Liability (PSP)Criminal exposure for payment service providers — LLM-powered

4Civil/Contractual RiskChargeback exposure, card network monitoring — LLM-powered

5Company ReputationPublic perception, trust signals, press coverage

6Regulatory FrameworkLicensing, registration, and regulatory compliance

Scores 1-5: NIEDRIG · MITTEL · HOCH · SEHR_HOCH · KRITISCH. Decision: GO (≤12) · CONDITIONAL_GO (13-18) · NO_GO (>18).

Administration

admin

Verwaltungsendpunkte für interne Betriebsabläufe: API-Key-Management, Queue-Überwachung und Datenkonsolidierung. Diese Schnittstellen sind für administrative Automatisierungen und Backoffice-Tools vorgesehen.

Internal tier only. All endpoints require admin role or above. Not accessible with standard or premium API keys.

Rate Limiting & Credits

Each key has an hourly request limit enforced via a sliding 1-hour window. Credits are consumed only by POST /api/v1/assess calls and reset on the 1st of each month (UTC). All authenticated responses include rate limit headers.

Header	Description
X-RateLimit-Limit	Maximum requests per hour for this key
X-RateLimit-Remaining	Remaining requests in the current window
X-RateLimit-Reset	UTC epoch timestamp when the window resets
X-Credits-Limit	Monthly credit limit (assess calls only)
X-Credits-Remaining	Remaining credits this billing period
X-Credits-Reset	ISO 8601 date of next credit reset

Error Catalog

Code	Meaning	Retry	Detail
400	Bad Request	no	Malformed request body or missing required fields.
401	Unauthorized	no	Missing or invalid X-API-Key header. Key may be expired.
402	Credit Budget Exhausted	no	Monthly assess credit limit reached. Resets on the 1st of each month (UTC).
403	Forbidden	no	API key lacks the required scope for this endpoint.
404	Not Found	no	Resource not found (job, assessment, or report).
429	Rate Limited	yes	Hourly request limit exceeded. Check X-RateLimit-Reset header.
500	Server Error	yes	Unexpected failure. Retry with exponential backoff.
503	Service Unavailable	yes	Database or dependency temporarily offline.

Integration Examples

TypeScript — URL Lookup (Recommended)

const API_KEY = process.env.ORGSCAN_API_KEY;
const BASE = "https://api.orgscan.app";
const headers = { "Content-Type": "application/json", "X-API-Key": API_KEY };

// 1. Lookup by URL — returns existing data or starts fetch pipeline
const lookup = await fetch(`${BASE}/api/lookup`, {
  method: "POST", headers,
  body: JSON.stringify({ url: "gasag.de" }),
}).then((r) => r.json());

if (lookup.status === "found") {
  console.log("Already in DB:", lookup.company_id);
} else if (lookup.status === "pending") {
  // 2. Poll until pipeline completes
  let job;
  do {
    await new Promise((r) => setTimeout(r, 5_000));
    job = await fetch(`${BASE}/api/fetch-status/${lookup.job_id}`, { headers })
      .then((r) => r.json());
  } while (job.status !== "completed" && job.status !== "failed");

  console.log("Fetch result:", job.status, job.company_id);
}

Python — URL Lookup with Polling

import os, time, requests

API_KEY = os.environ["ORGSCAN_API_KEY"]
BASE = "https://api.orgscan.app"
H = {"Content-Type": "application/json", "X-API-Key": API_KEY}

# 1. Lookup by URL (optionally pass company_name)
result = requests.post(f"{BASE}/api/lookup", json={
    "url": "gasag.de"
}, headers=H).json()

if result["status"] == "found":
    print("Company ID:", result["company_id"])
elif result["status"] == "pending":
    # 2. Poll until done
    while True:
        time.sleep(5)
        job = requests.get(
            f"{BASE}/api/fetch-status/{result['job_id']}", headers=H
        ).json()
        if job["status"] in ("completed", "failed"):
            print(f"Result: {job['status']}, ID: {job.get('company_id')}")
            break

cURL — Search

curl -X POST https://api.orgscan.app/api/search \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $ORGSCAN_API_KEY" \
  -d '{"query": "Deutsche Bahn", "mode": "all"}' | jq '.'

Versioning

Core endpoints (/api/*) are unversioned and stable. Compliance endpoints use path versioning (/api/v1/*). Non-breaking additions (new optional fields) may be added without notice.