Fastio API Documentation Put your files to work — workspaces for agentic teams. Answer across your files, automate the busywork, and keep work secure and on the record. Storage is step zero.

Base URL: https://api.fast.io/current/ API Version: 1.0 Doc Version: 2.1 Format: JSON

Fastio provides workspaces for agentic teams — where agents collaborate with other agents and with humans. Upload outputs, create branded portals, ask questions about documents using built-in AI, and hand everything off to a human when the job is done. No infrastructure to manage.

For AI agents: Create an account with agent=true, choose a paid plan (Starter, Business, or Growth) with a 14-day trial, build workspaces for your team (agents and humans), and query documents with built-in RAG. All paid plans include the AI Agent plan feature for agentic chat, RAG, and intelligence.

For MCP-enabled agents: Connect via the Model Context Protocol to interact with Fastio workspaces, shares, files, and storage directly. Connect to https://mcp.fast.io/mcp (Streamable HTTP) or https://mcp.fast.io/sse (legacy SSE). The server exposes multiple domain-specific tools with action-based routing.

Detailed API References

Auth & Users

Authentication methods, user CRUD, getting started patterns

OAuth 2.0

PKCE flow, token exchange, session management, DCR, resource indicators

Organizations

Org CRUD, members, billing, discovery

Workspaces

Workspace CRUD, members, assets, discovery

Storage

File/folder operations, locking, previews, transforms

Share types, storage modes, members, branding, durable File Share (single-file links)

Upload

Chunked upload flow, web upload, status polling

AI & Chat

RAG chat, intelligence, notes, metadata extraction

How-To

Single-call natural-language product help (answer or clarifying question)

Events & Activity

Event search, activity polling, WebSocket, realtime

Comments

Threading, mentions, reactions, JSON body format

Workflow

Task lists, tasks — the fully supported Tasks API

Workflow Orchestration

Durable runtime, obligations, triggers, signed audit, inbound/outbound webhooks

Signing / E-Signature

SignEnvelopes, recipients, fields, signer OTP/consent, audit certificate, PAdES-LT signing

What Fastio Does

Storage is step zero. Fastio is organized around three things you do with your files — Intelligence, Automation, and Secure collaboration:

Pillar	What It Does
Intelligence	Ask across all your files and get cited answers (RAG chat); turn documents and images into structured data (Metadata Views); research, analyze, and draft with the built-in agent, Ripley; semantic search by meaning
Automation	Describe a workflow in plain English and an agent (Ripley or your own, over MCP) runs it on your files — event/schedule triggers, approvals, tasks, and native e-signature
Secure collaboration	Files belong to the project, not the person — org/workspace-owned storage, Send/Receive/Exchange shares and branded portals, granular permissions and scoped agent tokens, an append-only audit log, and a per-workspace dashboard

Building blocks:

Capability	What It Does
Workspaces	Shared workspaces for agentic teams with file versioning, search, and AI chat
Shares	Purpose-built spaces for agent-human exchange with two storage modes: Portal (independent portal with passwords, expiration, guest access) or Shared Folder (live-synced workspace folder). Three share types: Send, Receive, Exchange
File Share	Durable single-file links with access tiers (anyone-with-link / any-registered / named-people), per-user grants (view / download / edit), optional link password, and external edit / write-back. Replaces the deprecated QuickShare
Built-in AI	RAG-powered document Q&A, semantic search, auto-summarization, metadata extraction
File Preview	Inline rendering for PDF, images, video, audio, spreadsheets, code — no download needed
Activity Tracking	Full audit trail with AI-powered natural language summaries

Plans

New organizations choose one of three paid plans. Each includes a 14-day trial, and all three include the content_ai, ai_agent, and signing plan features.

Plan	Price	Monthly credits	Storage	Seats	Overage
Starter	$29/mo ($290/yr)	300,000	1 TB	1	Hard-stop
Business	$99/mo ($990/yr)	1,200,000	10 TB	20	Metered
Growth	$299/mo ($2,990/yr)	4,500,000	50 TB	50 (1/user above 50)	Metered

Credits cover: storage (100/GB), bandwidth (212/GB), AI tokens (1/100 tokens), document ingestion (10/page), video ingestion (5/sec), image ingestion (5/image), file conversions (25/each).

When credits run out: Starter plans hard-stop on overage until the monthly credit reset; Business and Growth meter overage. Direct the user to upgrade or adjust the plan at https://fast.io or via POST /current/org/{org_id}/billing/.

Profile Hierarchy

User (Type 1) → Organization (Type 2) → Workspace (Type 3) / Share (Type 4)

Users own organizations. An organization is a collector of workspaces — it can represent a company, a business unit, a team, or simply a personal collection. Organizations own workspaces and shares. Users can also directly own shares.

All profile IDs are 19-digit numeric strings (e.g., "1234567890123456789"). Most endpoints also accept a custom name in place of the numeric ID.

Account types: human or agent — visible in all user objects via account_type field.

Authentication

All authenticated endpoints require: Authorization: Bearer {jwt_token}

Four methods:

Basic Auth → JWT: GET /current/user/auth/ with HTTP Basic Auth. Returns JWT. If 2FA enabled, token has limited scope until verified.
OAuth 2.0 PKCE: For desktop/mobile apps and MCP agents. S256 only. Supports Dynamic Client Registration (RFC 7591), CIMD for URL-based client_id, and Resource Indicators (RFC 8707). See OAuth reference.
API Keys: Long-lived tokens. Same Bearer header. Create via POST /current/user/auth/key/. Optionally supports scoped permissions, agent names, and expiration. Update via POST /current/user/auth/key/{id}/.
2FA: Limited-scope token → full token after POST /current/user/auth/2factor/auth/{token}/.

Choose your access pattern

Human's account — Human creates API key, gives it to you. You operate as them. → Auth reference
Autonomous agent — Create agent account (agent=true), create org, work independently. → Auth reference
Collaboration — Create agent account, human invites you to their org/workspace. → Auth reference
PKCE browser login — Secure, no password sharing, supports SSO. → OAuth reference

Response Envelope

Success (data fields at root level):

{"result": true, "status": "ok", ...}

Error:

{
  "result": false,
  "error": {
    "code": 195654,
    "text": "Human-readable message",
    "documentation_url": "https://api.fast.io/llms.txt",
    "resource": "POST /current/user/"
  }
}

Validation error (HTTP 400) with structured per-parameter detail:

{
  "result": false,
  "error": {
    "code": 10022,
    "text": "email: This value should not be blank.",
    "documentation_url": "https://api.fast.io/llms.txt",
    "resource": "POST /current/user/email/",
    "params": [
      {
        "name": "email",
        "kind": "missing",
        "message": "This value should not be blank.",
        "code": 10022
      }
    ]
  }
}

result: boolean — true on success, false on error
error.code: Unique error identifier (integer) for debugging
error.text: Human-readable error message. Advisory; clients should prefer params for programmatic handling. Retained byte-identically for compatibility.
error.documentation_url: Link to error documentation (string or null)
error.resource: The endpoint that produced the error
error.params: Array of {name, kind, message, code, expected_type?, received_alias?}. Present on validation errors (HTTP 400). Aggregates every failed parameter so callers see all problems in one round trip. kind is one of missing (required parameter omitted), invalid (value failed a constraint), or type_mismatch (value could not be decoded into the expected type). Omitted when empty.

OAuth (/current/oauth/token/, /current/oauth/revoke/, /current/oauth/register/) and the cloud-storage / billing webhook receivers retain RFC-compliant bare-JSON error envelopes (RFC 6749 §5.2 / RFC 7591). The params field is not emitted by those endpoints.

OPTIONS Introspection

OPTIONS introspection is currently supported on roughly 40% of public endpoints. Supported endpoints respond with a JSON description of their accepted parameters — source (query / body / path / header), required vs optional flag, expected type, and a summary of declared constraints (length bounds, choice set, range, equality). Use this to fetch parameter requirements before issuing a call rather than learning them from a 400 round trip.

curl -X OPTIONS "https://api.fast.io/current/{endpoint}/" -H "Authorization: Bearer {jwt_token}"

Unsupported endpoints (OAuth, webhook receivers, and a substantial set of legacy endpoints not yet migrated) return 405 Method Not Allowed for OPTIONS. Coverage is being expanded incrementally — check via OPTIONS first; fall back to the documented schema when you receive a 405.

Error Codes

Client Errors

Code	Description	HTTP Status
`1605`	Invalid Input	400 Bad Request
`1607`	Duplicate Entry	400 Bad Request
`1650`	Authentication Invalid	401 Unauthorized
`1651`	Invalid Request Type	405 Method Not Allowed
`1609`	Not Found	404 Not Found
`1652`	Resource Not Found	404 Not Found
`1653`	User Not Found	404 Not Found
`1656`	Limit Exceeded	400 Bad Request
`1667`	Max Limit	429 Too Many Requests
`1685`	Feature Limit	412 Precondition Failed
`1658`	Not Acceptable	406 Not Acceptable
`1660`	Conflict	409 Conflict
`1669`	Already Exists	409 Conflict
`1670`	Restricted	403 Forbidden
`1680`	Access Denied	403 Forbidden
`1671`	Rate Limited	429 Too Many Requests
`1677`	Locked	423 Locked

Billing & Credit Errors

Code	Description	HTTP Status	Details
`1688`	Subscription Required	402 Payment Required	Organization does not have an active subscription or has exhausted its monthly credit allowance. Upgrade the plan or wait for the monthly credit reset.
`1695`	Upgrade Required	402 Payment Required	Requested feature requires a higher-tier plan.
`1696`	Credit Limit Exceeded	402 Payment Required	Monthly credit allowance exceeded. Error message includes credits used and credit limit.

Server Errors

Code	Description	HTTP Status
`1654`	Internal Error	500
`1664`	Datastore Error	500
`1686`	Not Implemented	501

Retired Per-Field Codes

As of 2026-05-05, error codes 136957, 249170, 279705, 295625 are retired. The equivalent field-level failures now surface inside error.params[] with kind: 'invalid' (and a per-field code and message describing the specific violation). Clients that previously switched on those exact integers should switch on params[].name + params[].kind instead.

Rate Limiting

Headers: x-ve-limit-avail (requests remaining), x-ve-limit-max (window cap), x-ve-limit-expires (Unix-time the window resets).

When exceeded: HTTP 429 with error code 1671 (Rate Limited). Back off until x-ve-limit-expires.

Pagination

Offset Pagination (List Endpoints)

Most list endpoints support offset-based pagination:

limit: 1–500 (default: 100) — number of items to return
offset: 0+ (default: 0) — number of items to skip
Response: pagination.total, pagination.limit, pagination.offset, pagination.has_more

Keyset Pagination (Storage List Endpoints)

Storage listing uses cursor-based pagination:

sort_by: name | updated | created | type (default: name)
sort_dir: asc | desc (default: asc)
page_size: 100 | 250 | 500 (default: 100)
cursor: opaque string from previous response
Response: pagination.has_more, pagination.next_cursor, pagination.page_size

Compact Responses (`output=`)

Most list and detail endpoints accept an optional output query parameter that selects a response shape tuned to how much detail the caller actually needs. This is useful for agents and clients that want to minimize payload size and token usage.

Syntax: ?output=<token> or ?output=<token>,<token> — comma-separated list of tokens.
Detail-level tokens (mutually exclusive — pick at most one per request):
- terse — the smallest useful shape: identifiers, primary labels, and the handful of fields needed to navigate between resources. Best for tree traversal, picker UIs, autocomplete, and any workflow that will follow up with a detail call only on user interest.
- standard — terse plus the operational context most list and detail views actually render: timestamps, lifecycle flags, short descriptions, plan/status fields, creator/owner refs, member status, and short summaries. Recommended default for most agent list/detail workflows.
- full — the complete resource shape; equivalent to omitting ?output= entirely. Use when you need branding, capability matrices, permission blocks, long-form AI summaries, metadata, or other rarely-read detail.
Modifier tokens (orthogonal — may be combined with any detail level):
- markdown — switches the response encoding from JSON to GitHub-flavored Markdown. Response Content-Type becomes text/markdown; charset=UTF-8. Works on every endpoint that returns a JSON envelope, including error responses. Arrays of same-shaped records become GFM pipe tables; associative maps become bullet lists; error envelopes are promoted to a leading # Error section. Consumers that render markdown as HTML MUST sanitize the output.
Default behavior: When output= is absent, responses are full JSON and byte-for-byte unchanged from previous API versions — existing clients require no changes.
Combining level tokens: Specifying more than one detail level in the same request (e.g. ?output=terse,standard) is an error and returns HTTP 400. Combine a level with modifiers only (e.g. ?output=standard,markdown).
Unknown tokens: Silently ignored for forward compatibility. New tokens may be added without bumping the API version.
Cumulative fields: standard is a superset of terse, and full is a superset of standard. Nothing disappears as you move up a tier.
Scope: Applies transparently to nodes (files/folders/notes/links), events, users, workspaces, orgs, and shares wherever they appear — including when nested inside other resources.

Per-category field lists for terse and standard are documented in the relevant category reference (storage, events, orgs, workspaces, shares, auth/users).

ID Formats

Profile IDs (user, org, workspace, share, file share): 19-digit numeric string
Node IDs (files, folders, notes): OpaqueId — 29 alphanumeric characters, displayed in a 34-character hyphenated form (5 groups of 5 plus a final group of 4) (e.g., f3jm5-zqzfx-pxdr2-dx8z5-bvnb3-rpjf). The first character is a type prefix: f = file, d = folder, n = note. API input accepts either the hyphenated or un-hyphenated form.
Upload IDs / Web Upload IDs / Quickshare tokens / Chat IDs: OpaqueId — same canonical format as node IDs.
Special folder aliases: "root" for storage root, "trash" for trash folder

Custom names as identifiers

Profile Type	Custom Name
Workspace	Folder name (e.g., `my-project`)
Share	URL name (e.g., `q4-financials`)
Organization	Domain name (e.g., `acme`)
User	Email address (e.g., `user@example.com`)

Field Constraints

Profile fields (org, workspace, share) have validation rules enforced server-side.

Entity	Field	API Key	Min	Max	Regex	Required
Org	domain	`domain`	2	80	`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`	Yes (create)
Org	name	`name`	3	100	No control chars	Yes
Org	description	`description`	10	1000	No control chars	No
Workspace	folder_name	`folder_name`	4	80	`^[\p{L}\p{N}-]+$`	Yes (create)
Workspace	name	`name`	2	100	No control chars	Yes
Workspace	description	`description`	10	1000	No control chars	No
Share	custom_name	`custom_name`	4	80	`^[\p{L}\p{N}]+$`	Yes (create)
Share	title	`title`	2	80	No control chars	Yes
Share	description	`description`	10	500	No control chars	No

Agent Workflows

Upload Files

Small files (< 4MB): single-request upload. Large files: chunked upload with parallel chunks.

→ Full details: Upload reference

Query Documents with AI

Create chats with chat (general) or chat_with_files (RAG with citations). Stream responses via SSE.

→ Full details: AI reference

Create Send/Receive/Exchange shares with Portal or Shared Folder storage modes.

→ Full details: Shares reference

Monitor Usage

GET /current/org/{org_id}/billing/usage/limits/credits/ — credit consumption
GET /current/org/{org_id}/billing/usage/meters/list/ — detailed breakdown
GET /current/events/search/ — activity feed

→ Full details: Events reference

Activity Polling

Long-poll for changes instead of looping on individual endpoints:

GET /current/activity/poll/{entityId}?wait=95&lastactivity={timestamp}