# API Overview

**Last reviewed:** 8 July 2026

Finpliq API routes should validate input, verify authentication, scope data by business/user, avoid leaking secrets and log high-risk activity where appropriate.

## Operating principles

- Preserve tenant isolation and user authentication.
- Keep claims truthful and aligned with implemented features.
- Protect secrets and high-sensitivity financial records.
- Review changes before production deployment.

## Verification checklist

- Authentication and admin routes remain protected.
- Private app routes are not indexed.
- No secrets are exposed in logs, client code or documentation.
- HMRC and filing functionality is described by actual release status.
