miniterms started as a document generator and a DSAR inbox. Today it ships a public API: five REST resources, OpenAPI 3.1, signed outbound webhooks, a public DSAR intake endpoint, and a Model Context Protocol server. The compliance floor is no longer a screen you log into — it's a programmable surface other systems can plug into.
The REST surface lives at miniterms.com/api/v1. Profile, documents, DSARs, publish, and cookie-scan — the same data the dashboard renders. Bearer-token auth, scope-filtered, rate-limited. v1 endpoints don't change shape until there's a v2; the OpenAPI 3.1 manifest is the contract we sign against. Curl samples in the docs, or point any OpenAPI-aware client at the manifest and the SDK writes itself.
Six event types — document drift, subprocessor change, DSAR received, DSAR acknowledged, policy expired, publish completed. Each delivery is HMAC-signed; receivers verify with the secret printed once at endpoint creation. Failed deliveries retry on a backoff queue, not a synchronous loop, so a flaky receiver doesn't block your inbox. Replay protection via signed timestamp.
Every workspace can mint a one-shot intake token that lives behind a public form on your domain. A data subject submits a request without an account; the token is HMAC-bound, bot-challenge-gated, four-layer rate-limited, and lands in your inbox flagged as needs_review. The 72-hour acknowledgement clock starts the moment the request lands. This is the piece every privacy notice has promised since 2018 and almost no SaaS has actually built.
An API is a stability promise. Compliance tooling without one is a screen you have to keep clicking — and a screen you have to keep clicking is one nobody runs.
Model Context Protocol is the emerging standard for letting AI agents call tools across vendors. miniterms now ships one at /api/v1/mcp — JSON-RPC 2.0, nine tools, scope-filtered against the same bearer token. An agent with the right scope can list documents, acknowledge a DSAR, kick off a regenerate, or fetch the cookie-scan result. The same surface that powers the REST API also powers the agent loop.
API-driven regenerate and Hub-side publish-confirmed delivery land next, behind the same contract. If you're on the miniterms beta and want a key, reply to any of our emails. If you're integrating from outside, the OpenAPI manifest is at /api/v1/openapi.json — start there.