Getting started with the REST API

Generate an API key, authenticate your requests, and make your first call to the Clment REST API.

Updated 16 Jun 2026

The Clment REST API gives your own services programmatic access to the same contract workspace you use in the app — upload contracts, run AI reviews, manage playbooks and key dates, and search. This guide gets you from zero to your first authenticated call.

For the full endpoint reference, see the interactive API reference. To receive event notifications instead of polling, see Setting up webhooks.

1. Generate an API key

API keys are managed by an organization admin:

  1. In the Clment web app, open Settings → API & Integrations.
  2. Under API keys, click Generate new key.
  3. Give it a memorable label (e.g. “Billing sync” or “Nightly export”) so you can identify it later.
  4. Copy the secret immediately. We show it once and store only a hash — there’s no way to retrieve it later. If you lose it, generate a new key.

A key looks like this:

clm_sk_live_3f9aK2pLqR7xVn4mWtZ8cYbD1eHsJ6uG

Treat it like a password. Anyone with this string can act as your workspace via the API.

2. Authenticate your requests

Send the key as a bearer token in the Authorization header on every request:

curl https://us.clment.com/v1/contracts \
  -H "Authorization: Bearer clm_sk_live_3f9aK2pLqR7xVn4mWtZ8cYbD1eHsJ6uG"

Use your organization’s home region in the base URL:

Region          Base URL
United States   https://us.clment.com/v1
Europe          https://eu.clment.com/v1
Australia       https://au.clment.com/v1

A key only works against the region its organization lives in — your data never leaves it. Calling a different region returns 401.

3. Read the response

Successful responses wrap their payload in a data object:

{
  "data": {
    "contracts": [
      { "id": "a1b2…", "title": "Acme MSA", "status": "active" }
    ],
    "total": 1
  }
}

Errors return an error object with a stable, machine-readable code and a human message:

{ "error": { "code": "UNAUTHORIZED", "message": "Invalid API key" } }

Branch your error handling on code, not message — the wording can change, the codes won’t.

What a key can and can’t do

An API key can read and write everything a member can in the app:

  • Upload, read, update, and delete contracts
  • Run AI reviews and read their findings
  • Create and edit playbooks
  • Manage key dates and reminders
  • Search across the workspace

A key cannot touch settings. Billing, members and roles, SSO, cloud integrations, organization configuration, and webhook subscriptions all require a human admin signed in to the app. Calling those endpoints with a key returns 403 API_KEY_FORBIDDEN. This keeps the blast radius of a leaked key bounded to workspace content — it can’t change who has access or how you’re billed.

Pagination

List endpoints page with skip (offset) and take (page size, max 100). The response includes a total so you know when you’ve reached the end:

curl "https://us.clment.com/v1/contracts?skip=40&take=20" \
  -H "Authorization: Bearer $CLMENT_API_KEY"
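
The following client sketch is an added example, not Clment's own code. It reads the key from the CLMENT_API_KEY environment variable, pages through /contracts with skip and take, and branches on the error code. The names ClmentError, http_get and list_contracts are hypothetical, and the response shape is assumed to match the samples on this page.

```python
import json
import os
import urllib.error
import urllib.request

# Base URLs from the region table on this page.
BASE_URLS = {
    "us": "https://us.clment.com/v1",
    "eu": "https://eu.clment.com/v1",
    "au": "https://au.clment.com/v1",
}

class ClmentError(Exception):  # hypothetical name, carries the stable error code
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code = status, code

def http_get(url, api_key):
    """GET with the key as a bearer token; returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        return exc.code, json.load(exc)

def list_contracts(region, api_key, take=100, fetch=http_get):
    """Collect every contract by advancing skip until total is reached."""
    if not 1 <= take <= 100:
        raise ValueError("take must be between 1 and 100")
    base, skip, items = BASE_URLS[region], 0, []
    while True:
        status, body = fetch(f"{base}/contracts?skip={skip}&take={take}", api_key)
        if "error" in body:
            err = body["error"]
            # Branch on the stable code, never on the message wording.
            raise ClmentError(status, err["code"], err.get("message", ""))
        data = body["data"]
        items.extend(data["contracts"])
        skip += len(data["contracts"])
        # Stop on total, or on an empty page so a shrinking list cannot loop forever.
        if not data["contracts"] or skip >= data["total"]:
            return items

if __name__ == "__main__":
    # The secret comes from the environment, not from source or shell history.
    key = os.environ.get("CLMENT_API_KEY")
    if key:
        print(len(list_contracts("us", key)))
```

Callers can catch ClmentError and compare its code attribute against values such as UNAUTHORIZED, API_KEY_FORBIDDEN or INSUFFICIENT_CREDITS.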

Credits

Read operations are free. AI operations — running a review, generating a redline, converting a document — consume credits from your plan’s monthly allowance, then any credit packs. If the balance is exhausted, the call returns 402 INSUFFICIENT_CREDITS. Top up under Settings → Billing.

Rotating and revoking keys

  • Rotate by generating a new key, updating your service, then revoking the old one.
  • Revoke any key from Settings → API & Integrations. Revocation is immediate — the next request with that key gets 401. The row stays so the “last used” audit trail survives; it just can’t authenticate anymore.

Rotate keys on a schedule, and immediately if you suspect one has leaked.
