Supply API
v1The connection publishers, agencies and AI agents use to submit requests to your OXIAE platform.
https://api.oxiae.com/api Introduction
The Supply API is intended for parties that submit requests to your OXIAE platform: publishers, agencies, forms and AI agents. You submit a request with its provenance and consent, and then look up its status. Every request is attributed to the organization of the key used. All calls go over HTTPS and return JSON, within your own white-label environment. Buyers pick these requests up again through the Demand API.
Authentication
The Supply API uses API keys. Send your key as a Bearer token in the Authorization header (or via X-Api-Key). You manage keys yourself, under your own brand, in Settings → API keys. Each key belongs to a single organization, and requests you submit with that key are attributed to that organization as the source.
curl https://api.oxiae.com/api/supply/leads \
-X POST \
-H "Authorization: Bearer oxa_3f9a2b7c8d1e4f60a1b2c3d4" \
-H "Content-Type: application/json" - Use keys server-side only, never in a browser or app.
- Rotate keys periodically and revoke leaked keys immediately.
- Use one key per integration, so you can revoke in a targeted way.
- Each key has a rate limit; 120 requests per minute by default.
/api/supply/leads Submit a request
Delivers a single request. You record provenance and consent in the same call, so every lead carries its own evidence. On success you get back the internal id and a public_access_token that you use to look up the status.
Required fields
first_namestring- First name of the requester.
last_namestring- Last name of the requester.
emailstring- Valid email address.
phonestring- Phone number, including country code.
postcodestring- Postal code of the requester.
descriptionstring- The request or question itself (max 5,000 characters).
Optional fields (provenance & consent)
utm_source · utm_medium · utm_campaign · utm_term · utm_contentstring- Provenance: campaign data, recorded with the request.
gclid · partner_id · channel · referrer · landing_pagestring- Provenance: click ID, partner, channel and source URL.
consentboolean- Whether the requester gave consent.
consent_textstring- The exact consent text that was shown.
consent_versionstring- Version identifier of the consent text.
consent_basisenum- Basis: consent, contract, legitimate_interest or legal_obligation.
curl https://api.oxiae.com/api/supply/leads \
-X POST \
-H "Authorization: Bearer oxa_3f9a2b7c8d1e4f60a1b2c3d4" \
-H "Content-Type: application/json" \
-d '{
"first_name": "Sanne",
"last_name": "de Vries",
"email": "sanne@example.com",
"phone": "+31612345678",
"postcode": "1011AB",
"description": "I need help with an employment dispute.",
"utm_source": "google",
"utm_campaign": "employment-law",
"consent": true,
"consent_text": "I agree that my details may be shared.",
"consent_basis": "consent"
}' {
"data": {
"id": 21740,
"public_access_token": "YQ7ETX",
"status": "phone_unverified"
}
} /api/supply/leads/{token} Check status
Returns the current status and quality assessment of a previously submitted request, based on the public_access_token. You only see requests submitted with your own key; otherwise you get a 404.
curl https://api.oxiae.com/api/supply/leads/YQ7ETX \
-H "Authorization: Bearer oxa_3f9a2b7c8d1e4f60a1b2c3d4" {
"data": {
"id": 21740,
"status": "assigned",
"quality_status": "ok",
"created_at": "2026-07-07T18:50:09+00:00"
}
} Error handling
The API uses standard HTTP status codes. On a validation error you get a 422 with an errors object per field.
401- Missing or invalid API key.
404- Request not found, or not submitted with your key.
422- Validation error; see the errors object.
429- Rate limit reached (120 per minute by default).
{
"message": "The email field must be a valid email address.",
"errors": {
"email": ["The email field must be a valid email address."]
}
}