The AI Startup Analyzer REST API gives you programmatic access to every capability in the platform, from registering users and managing sessions to creating multi-agent startup analyses, polling processing progress, regenerating individual report sections, and chatting with AI about your results. This reference covers every endpoint, its parameters, expected responses, and the security requirements you need to satisfy.
Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Abbaddii-99/AI-Startup-Analyzer/llms.txt
Use this file to discover all available pages before exploring further.
Base URL
All API endpoints are served from a single origin. In local development the server binds to port 4000.
Set the BACKEND_URL environment variable on your frontend or client application to override this default. The server port itself can be changed via BACKEND_PORT.
Content Type
Every request that includes a body must set the Content-Type header to application/json. Every successful response also returns application/json. There are no form-encoded or multipart endpoints.
Authentication
The API does not use Authorization: Bearer headers. Authentication is handled exclusively through httpOnly cookies that the server sets automatically on successful login or registration; because they are httpOnly, client-side JavaScript cannot read them and never needs to. Your HTTP client must persist and re-send these cookies on every subsequent request. Because a browser attaches them to every request automatically, state-changing routes additionally require the CSRF token described below.
- accessToken: a signed JWT valid for 7 days, sent with every protected request.
- refreshToken: an opaque token valid for 30 days, used to issue a new access token pair.
When using fetch or axios, enable credential forwarding (credentials: 'include' for fetch, withCredentials: true for axios) so the cookies are sent with cross-origin requests.
For curl testing, use -c <cookie-jar> to save the cookies returned by login or registration and -b <cookie-jar> to send them on later requests.
CSRF Protection
State-changing requests to /analysis routes (POST and DELETE) require a valid CSRF token in addition to the auth cookie. Fetch the token first, then send it as an X-XSRF-TOKEN header on each such request; a request that carries the auth cookie but no matching token is rejected.
See Authentication — CSRF flow for details.
Error Codes
The API returns standard HTTP status codes. Error responses include a JSON body with a message field (and sometimes a statusCode field) describing the problem.
| Status Code | Meaning |
|---|---|
| 400 Bad Request | Missing or invalid request body or query parameters |
| 401 Unauthorized | Missing, expired, or invalid access token cookie |
| 403 Forbidden | Authenticated but not permitted to access the resource |
| 404 Not Found | Resource does not exist or does not belong to the authenticated user |
| 409 Conflict | Monthly analysis limit reached for your current plan |
| 429 Too Many Requests | Rate limit exceeded; back off and retry |
| 500 Internal Server Error | Unexpected server error |
Rate Limits
Certain endpoints are rate-limited at two timescales to prevent abuse. The server returns 429 Too Many Requests when a limit is exceeded.
| Endpoint | Per Minute | Per Hour |
|---|---|---|
| POST /auth/register | 5 requests | 20 requests |
| POST /auth/login | 10 requests | 50 requests |
| POST /analysis/chat | 10 requests | — |
Quick Start: Full Flow Example
The following curl sequence demonstrates a complete end-to-end flow: register a new account, obtain a CSRF token, submit a startup idea for analysis, and poll for completion.
API Sections
Auth Endpoints
Register, login, logout, token refresh, Google OAuth, and current user profile.
Analysis Endpoints
Create analyses, poll progress, retrieve reports, regenerate sections, chat with AI, and manage plan usage.
Authentication Guide
Deep dive into cookie-based JWT auth, the CSRF double-submit pattern, and token refresh flow.
Health Check
Server liveness endpoint for load balancers, container probes, and uptime monitors.