ArcNautical Voyage Risk API

API v1 documentation

Integrate voyage risk scoring

Score maritime routes synchronously or in batches, retain results for audit, and add live corridor monitoring when your entitlement includes it.

Operational Base URL: https://arcnautical.com JSON over HTTPS Version: v1

Quickstart

  1. Store the issued key as ARCNAUTICAL_API_KEY.
  2. Confirm the key environment and quota with GET /api/v1/usage.
  3. Create an assessment with a unique Idempotency-Key.
1. Check authentication and usage
curl --fail-with-body https://arcnautical.com/api/v1/usage \
  -H "Authorization: Bearer $ARCNAUTICAL_API_KEY" \
  -H "X-Request-Id: integration-check-001"
2. Score one voyage
curl --fail-with-body https://arcnautical.com/api/v1/voyage-assessments \
  -X POST \
  -H "Authorization: Bearer $ARCNAUTICAL_API_KEY" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: voyage-$(uuidgen)" \
  -d '{
    "customer_reference": "lane-NLRTM-CNSHA-001",
    "route": {
      "origin": { "locode": "NLRTM" },
      "destination": { "locode": "CNSHA" },
      "vessel_type": "container",
      "load_condition": "laden",
      "speed_knots": 16,
      "dwt_tonnes": 100000
    }
  }'

Authentication

Send the API key as a Bearer token on every authenticated request. Keys are shown once and should be stored in a server-side secret manager.

Required header
Authorization: Bearer arc_test_...  # evaluation
Authorization: Bearer arc_live_...  # production
Do not put an API key in browser JavaScript, mobile bundles, source control, URLs, analytics events, or client-visible logs.
ScopeAllows
voyage:scoreSynchronous and batch assessments, plus retained-result retrieval.
voyage:monitorLive corridor monitors and monitor history.
webhooks:manageWebhook endpoint lifecycle and signed test delivery.
usage:readEntitlement limits and current consumption.

Test and live environments

KeyDataQuotaMonitoring
arc_test_...Real route-risk computationSeparate test bucketCannot create active corridor monitors
arc_live_...Real route-risk computationSeparate live bucketAvailable with scope and entitlement

The environment is selected by the issued key, not by changing the base URL. Resources, usage, batches, monitors, and webhook endpoints are isolated by environment.

Assessment contract

Routes use uppercase five-character UN/LOCODEs. Vessel assumptions are optional and belong inside the route object.

Required

  • route.origin
  • route.destination

Optional

  • customer_reference
  • route.via, up to 20 coordinates
  • vessel type, load, speed, DWT, fuel, bunker price

Observed response shape

201 Created
{
  "id": "76e0b22d-d46d-4f76-82fa-0b54341ce1fb",
  "customer_reference": "lane-NLRTM-CNSHA-001",
  "route": {
    "origin_locode": "NLRTM",
    "dest_locode": "CNSHA",
    "via_waypoints": [],
    "distance_nm": 10082.3,
    "geometry": { "type": "Feature", "geometry": { "type": "LineString" } }
  },
  "score": 55,
  "risk_level": "elevated",
  "drivers": [
    {
      "source": "cii",
      "label": "Country instability",
      "summary": "...",
      "event_count": 1,
      "contribution_band": "high",
      "relative_rank": 1
    }
  ],
  "confidence": 1,
  "missing_sources": [],
  "source_status": { "piracy": "ok", "weather": "ok" },
  "methodology_version": "voyage_risk_external_v1",
  "assessed_at": "2026-07-16T17:40:00.000Z",
  "expires_at": "2026-08-15T17:40:00.000Z",
  "disclaimer": "..."
}

Retrieve the same customer-owned result with GET /api/v1/voyage-assessments/{id} until its expires_at timestamp.

Batch workflow

  1. POST /api/v1/voyage-assessment-batches with a unique idempotency key.
  2. Poll GET /api/v1/voyage-assessment-batches/{id} until completed, partial, or failed.
  3. Read results from GET /api/v1/voyage-assessment-batches/{id}/items.

Test keys accept up to the test_max_routes shown by /usage; live keys use live_max_routes. Only accepted route items reserve quota.

Endpoint guide

MethodPathScopeSuccess
POST/api/v1/voyage-assessmentsvoyage:score201
GET/api/v1/voyage-assessments/{id}voyage:score200
POST/api/v1/voyage-assessment-batchesvoyage:score202
GET/api/v1/voyage-assessment-batches/{id}voyage:score200
GET/api/v1/voyage-assessment-batches/{id}/itemsvoyage:score200
POST/api/v1/corridor-monitorsvoyage:monitor201
GET/api/v1/corridor-monitorsvoyage:monitor200
POST/api/v1/webhook-endpointswebhooks:manage201
GET/api/v1/usageusage:read200

Open the complete OpenAPI 3.1 contract for update, delete, history, pagination, schemas, and all response codes.

Reliability contract

Idempotency

Every resource-creating POST requires Idempotency-Key. Keep the key stable only when retrying the identical method, path, and JSON body. Results are replayable for 24 hours. Reusing a key with a different body returns 409 idempotency_conflict.

Retries

Retry GET/HEAD requests and idempotency-keyed POST requests after transport failures or HTTP 408, 425, 429, 500, 502, 503, and 504. Honor Retry-After; otherwise use exponential backoff with jitter. Do not automatically retry non-idempotent mutations.

Limits and tracing

  • Per-key rate limit: 120 requests per minute.
  • Read X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset.
  • Assessment responses include X-ArcNautical-Quota-Limit, X-ArcNautical-Quota-Remaining, and X-ArcNautical-Quota-Reset.
  • Send a unique X-Request-Id and retain the returned value for support.

Error handling

All API errors use the same envelope. Validation errors add field_violations.

422 Unprocessable Entity
{
  "code": "validation_failed",
  "message": "Request validation failed.",
  "request_id": "req_6f3d...",
  "field_violations": [
    { "field": "route.destination", "message": "UN/LOCODE is required." }
  ]
}
StatusMeaningAction
400 / 422Invalid JSON, headers, or route fieldsCorrect the request; do not retry unchanged.
401 / 403Invalid key, environment, entitlement, or scopeCheck the issued key and entitlement.
402Monthly assessment quota exhaustedWait for reset or request a limit change.
409Idempotency or resource-state conflictInspect code; retry in-progress keys with backoff.
429Rate or concurrency limitHonor Retry-After.
500 / 503 / 504Temporary server, edge, or upstream failureRetry only when the request is replay-safe.

Live monitors and webhooks

Live keys with the required scopes can create retained corridor monitors. ArcNautical recomputes each corridor on the entitlement cadence and emits material-change, data-degradation, recovery, batch-completion, and quota events.

Webhook endpoints must be public HTTPS URLs. The creation response returns the HMAC secret once.

Verify each delivery
X-ArcNautical-Signature: t=1721149200,v1=<hex digest>

signed_payload = timestamp + "." + raw_request_body
expected = HMAC_SHA256(webhook_secret, signed_payload)

Compare signatures in constant time, reject stale timestamps, and deduplicate using the event id. Return any 2xx response promptly; delivery retries use increasing delays before becoming dead.

Data-use boundaries

  • Responses contain derived scores, drivers, route context, confidence, and source-status summaries.
  • Raw third-party feed payloads and internal scoring weights are not redistributed.
  • The API is decision-support intelligence, not navigation, safety, legal, insurance, sanctions-compliance, or operational advice.
  • Test access is for agreed evaluation only; it does not authorize production or customer-facing use.
For integration support, include the endpoint, UTC timestamp, response status, error code, and X-Request-Id. Never send the full API key.

Request test access

Test keys are issued after a manual review of the integration use case. You can inspect the complete contract and run a public, non-retained preview before requesting a key.

Open the API product page and live playground