These API Terms govern your use of Vailar AI's REST and GraphQL APIs, SDKs, webhooks and developer documentation. They are in addition to the main Terms of Service and any applicable Enterprise Agreement.

• Use API keys or OAuth credentials issued through the developer dashboard
• Keep credentials secret and never embed them in public client code
• Rotate credentials promptly on suspected compromise
• Scope keys to minimum required permissions and environments

API usage is subject to per-key and per-account rate limits to protect platform stability. Limits are returned in standard response headers and may be increased for enterprise customers via order form.

• Respect rate-limit headers and back off on 429 responses
• Use exponential backoff with jitter on retries
• Cache responses where appropriate

• No scraping or bulk extraction beyond your authorized account data
• No use to train, distill or replicate Vailar AI models
• No circumvention of rate limits, quotas or platform safeguards
• No use to facilitate spam, phishing, fraud or abuse
• No use that violates applicable laws or third-party rights

• Implement strong authentication and access controls in your application
• Validate and sanitize all input passed to the API
• Disclose your data practices clearly to your end users
• Honor end-user deletion and access requests routed through your application

• Use TLS 1.2+ for all API requests
• Store credentials and tokens in secure secret management
• Log only the minimum necessary metadata; never log raw secrets or PHI
• Promptly report suspected security issues to security@vailarai.com

Vailar AI monitors API usage for abuse, fraud, security threats and platform stability. Aggregated and de-identified telemetry may be used to improve the service.

Vailar AI may throttle, suspend or revoke API access at any time to protect the platform or other users, with notice where reasonably possible. Material or repeated violations may result in termination of API access and the underlying account.

We aim to evolve the API responsibly. Breaking changes are versioned and announced in advance via the developer changelog. Beta endpoints are provided as-is and may change without notice.