API Terms of Use

These terms govern programmatic access to Madless through the API. They complement — and do not replace — the main Havetobe Ltd Terms of Service. Where they conflict, the main Terms of Service govern. Madless is operated by Havetobe Ltd (trading as Madless), registered in England and Wales under company number 17255387, at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

Keys and ownership

Your API keys are secret credentials tied to your space. Treat them like passwords: never embed them in client-side code, public repositories, or anywhere a third party can read them.

  • You are responsible for all activity that happens under your keys, whether you intended it or not. Calls made with a valid key are treated as authorised by you.
  • If a key is lost or compromised, revoke it immediately in Settings → Developer and mint a new one. Revocation takes effect within seconds.
  • A key can never be more privileged than the admin who created it — its scopes are clamped to theirs.

Rate limits and fair use

Endpoints are rate limited per key and per space. When you exceed a limit the API returns 429 Too Many Requests with a Retry-After header. Respect it and back off — do not hammer the endpoint or rotate keys to dodge the limit. Sustained attempts to circumvent rate limits are a breach of these terms.

Automated access should be reasonable: poll on a sensible cadence, prefer webhooks over busy-loops, and use cursor pagination rather than re-fetching whole collections.

No reselling or sublicensing

You may build on the API for your own use and for integrations you operate. You may not resell, rent, sublicense, or otherwise make the API itself available as a standalone product or proxy to third parties. You may not wrap the API in a service whose primary value is reselling Madless access. Building a genuine integration on top of Madless is fine; reselling the pipe is not.

Acting on a user’s data

If your application reads or writes data on behalf of someone whose space you have a key for, you are handling their data. You must:

  • Use that data only for the purpose the space owner authorised, and only while they want you to.
  • Keep it secure, and delete it when your access ends. Do not retain copies beyond what your integration actually needs.
  • Never sell it, share it with unrelated third parties, or use it to train models — see the API Acceptable Use policy.

Acceptable scope of automated access

Automated clients must stay within the scopes and entitlements granted to their key, and within the documented endpoints. Do not probe for, or call, undocumented or scope-gated endpoints you were not granted. Do not use the API to circumvent plan entitlements or per-space AI credit limits. The full list of prohibited programmatic behaviour lives in the API Acceptable Use policy.

Stability and changes

The /api/v1 major version is stable: we ship breaking changes as a new major and give notice before any sunset. How that works — the version headers, the deprecation signals, and the notice window — is set out in the Deprecation & Versioning policy. While the API is in beta, shapes may still change with shorter notice.

Warranty and liability

The API is provided “as is” and “as available”, without warranties of any kind, to the fullest extent permitted by law. We do not warrant that it will be uninterrupted, error-free, or fit for any particular purpose. To the extent permitted by law, Havetobe Ltd is not liable for indirect or consequential losses arising from your use of the API. Nothing here limits liability that cannot be limited by law. These limits mirror, and are read together with, the liability terms in the main Terms of Service.

We can suspend access

We may revoke a key or suspend API access if it is used in breach of these terms or the API Acceptable Use policy, or to protect the platform and other users.

Questions about these terms? Email legal@madless.com.