Update the caller's organization
Updates the whitelisted fields on the caller's organization. Only `name`, `defaultTimezone`, and `defaultCurrency` are writable. **`plan` is billing-bound** — an attempt to update it is rejected with `400 invalid_argument` rather than silently ignored, so a partner misreading the spec gets a clear error rather than a false sense of success. **`slug` is stable** for the same reason — changing it breaks dashboard deep links and other external references. Both return 400 when present in the body. Other unknown fields are silently ignored.
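The write rules above amount to an allow-list with two explicitly rejected fields, the usual defence against mass assignment. The sketch below is an added example, not Salfio's implementation; the function names, the error messages and the non-empty-string check are assumptions.

```javascript
// Added example, not Salfio's code. Field names come from the page; function
// names, error messages and the string check are assumptions.
const WRITABLE = ["name", "defaultTimezone", "defaultCurrency"];
const REJECTED = ["plan", "slug"]; // billing-bound / stable: explicit 400

function invalidArgument(message) {
  return { status: 400, body: { error: { code: "invalid_argument", message } } };
}

// Returns { status: 200, patch } on success or { status: 400, body } on rejection.
function validateOrganizationUpdate(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return invalidArgument("request body must be a JSON object");
  }
  // Own keys only: inherited properties never count as caller input.
  const keys = Object.keys(body);
  const blocked = keys.filter((k) => REJECTED.includes(k));
  if (blocked.length > 0) {
    return invalidArgument(blocked.join(", ") + " cannot be updated");
  }
  // Copy allow-listed fields one by one into a prototype-less object instead
  // of spreading the body, so id, rateLimits or __proto__ never reach storage.
  const patch = Object.create(null);
  for (const field of WRITABLE) {
    if (!keys.includes(field)) continue;
    if (typeof body[field] !== "string" || body[field].trim() === "") {
      return invalidArgument(field + " must be a non-empty string");
    }
    patch[field] = body[field];
  }
  return { status: 200, patch };
}

// Constructed sample body: one writable field plus fields a caller might
// try to smuggle in. Only "name" survives.
const sample = JSON.parse(
  '{"name":"Acme B.V.","id":"other-org","rateLimits":{"organizationPerMinute":100000},"__proto__":{"plan":"paid"}}'
);
console.log(validateOrganizationUpdate(sample));
console.log(validateOrganizationUpdate({ name: "Acme B.V.", plan: "free" }));
```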
Authorization
bearerAuth (in: header)
Salfio API tokens start with the literal prefix `sk_live_` followed by 32 base62 characters (≈190 bits of entropy). Tokens are hashed at rest with argon2id and shown to the user only once at creation.
Request Body
application/json
Response Body
application/json
```bash
curl -X PUT "https://api.salfio.com/v1/organization" \
  -H "Content-Type: application/json" \
  -d '{}'
```

```json
{
  "meta": {
    "cursor": "string",
    "hasMore": true
  },
  "data": {
    "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
    "name": "Acme Inc.",
    "slug": "acme",
    "plan": "free",
    "defaultTimezone": "Europe/Amsterdam",
    "defaultCurrency": "EUR",
    "rateLimits": {
      "organizationPerMinute": 100,
      "endpointPerMinute": 50
    },
    "createdAt": "2019-08-24T14:15:22Z",
    "updatedAt": "2019-08-24T14:15:22Z"
  }
}
```

```json
{
  "error": {
    "code": "invalid_argument",
    "message": "limit must be an integer between 1 and 100"
  }
}
```

```json
{
  "error": {
    "code": "unauthorized",
    "message": "Authentication required"
  }
}
```

```json
{
  "error": {
    "code": "rate_limited",
    "message": "Rate limit exceeded",
    "details": {
      "retry_after_seconds": 30
    }
  }
}
```

Get the caller's organization
Returns the organization associated with the bearer token. Singleton endpoint: there is no `{organizationId}` in the path and there is no way for a caller to read a different organization's record.

**Spec-vs-implementation note (SAL-232).** The spec exposes `plan` and `rateLimits.*` fields; today the organization model does not carry a per-org plan or rate-limit override. The response stubs `plan` to `"free"` and populates `rateLimits` with the system-wide defaults (100 requests/min per org, 50 requests/min per endpoint). When per-org overrides land (SAL-220 follow-up #7) the same wire fields will start reflecting per-org values; the response shape is designed to be forwards-compatible.
Get a client's default dashboard
Returns the three-card default dashboard — Client Health, Wins & Traction, Frictions & Risks — derived from the SAL-209 insight pipeline. The endpoint is strictly read-only: it never triggers a recompute on the request path. If no insight has been generated yet (brand-new client, pipeline hasn't run), all three cards come back with `status: "computing"` and empty content — **not** `404`. Partners poll (or rely on the background pipeline to backfill). Cross-tenant lookup returns `404 not_found` — existence is never leaked across organizations.