Skip to main content

Changelog

Updates and changes to the DraftLift platform and API.

May 2026

Public API Overhaul — Full CLI/MCP Coverage with Scopes & Workspace Binding

The Public API now spans the full DraftLift product surface. The original launch shipped 3 documented endpoints; this overhaul flips the remaining backend routes to dual auth, adds per-key scopes (read/write), per-key workspace binding, and auto-generated OpenAPI docs.

Added

  • Broader endpoint coveragedl_live_ API keys now work across references, workspaces, contents, conversions, scoring, knowledge graph, usage, voice profiles, and images. The CLI and MCP surfaces are now first-class against the public API; previously, only /templates, /generate, and /finalizeContent accepted API keys.
  • Per-key scopes — Choose read, write, or both at key creation. Reads return content and metadata; writes create, update, or delete resources. Mutating a resource with a read-only key returns 403 with details.error_code: "insufficient_scope" and an upgrade_action URL.
  • Workspace binding — Optionally bind a key to a single workspace at creation time. Bound keys auto-target their workspace; mismatched --workspace requests return 403 with details.error_code: "workspace_mismatch". Unbound keys span all of your workspaces and accept --workspace per request.
  • --workspace global CLI flagdl --workspace <id> <command> works on every workspace-scoped command. Per-command --workspace flags continue to override the global.
  • GET /api/v1/api-keys/current — Introspect the calling key’s name, scopes, workspace binding, and expiration. dl whoami now surfaces this metadata automatically.
  • Expiration picker — Choose 30, 90, 365 days, or Never when creating a key. Default is 90 days.
  • Auto-generated OpenAPI spec — Routes are tagged stable, beta, or internal. Public docs and the OpenAPI spec render only stable and beta; internal routes are excluded.
  • dl images commandsdl images list|generate|upload|get|delete for the image generation surface.

Changed

  • Existing API keys auto-backfill to read + write — Keys created before this release continue to work and gain both scopes. No action required.
  • Solo-user keys auto-bind to your only workspace — If you have exactly one workspace, existing keys are bound to it during the migration. Multi-workspace users keep unbound keys (workspace-scoped operations now require --workspace, or set a binding when re-issuing).
  • v1 stability commitment/api/v1 follows strict semver: only additive changes. Breaking changes ship under /api/v2 with a deprecation window.
  • Deny-list for sensitive surfaces — Billing mutations, account/user mutations, API key management mutations, and all /admin/* routes remain JWT-only. The GET /api/v1/api-keys/current introspection endpoint is the single API-key-accessible exception in the api-keys family.

Documentation

  • New CLI quickstart covering install, login, first reference, first generation, and --workspace examples.
  • New API key scopes guide covering read vs write, when to bind a workspace, and rotation patterns.
  • Authentication reference rewritten to cover scopes, workspace binding, deny-list, and stability tags.
  • Introduction updated with scopes, workspace binding, deny-list, and the v1 stability commitment.

March 2026

Public API — Initial Release

We’re excited to launch the DraftLift Public API, giving Business and Agency customers programmatic access to content generation, memories, templates, and more.

Added

  • API key authentication — Create and manage API keys from Settings > API Keys. Keys use the dl_live_ prefix and are stored as SHA-256 hashes for security.
  • 11 public endpoints across 5 resource groups:
    • GenerationPOST /api/v1/generate
    • Contents — List, get, update, and delete generated content
    • Templates — Browse available content templates
    • Memories — List and create memories for personalized generation
    • Models — List available AI models
  • Per-key rate limiting — Business plans get 100 req/min and 1,000 req/hour; Agency plans get 300 req/min and 5,000 req/hour. All responses include X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers.
  • API usage tracking — Monitor per-key request counts (today and this month) directly from Settings.
  • Dual authentication — Public endpoints accept both API keys and existing Supabase JWT tokens, so the dashboard and API share the same backend seamlessly.
  • OpenAPI spec — A public OpenAPI specification is available for code generation and client library creation.

Documentation

  • Product documentation site at docs.draftliftai.com covering all features
  • API reference auto-generated from OpenAPI spec
  • Authentication guide with key creation and management instructions
  • Rate limiting documentation with per-tier limits