Developers

GrowthPilot API v1

Read and steer your Growth Loops, posts, A/B tests, missions and your AAARRR metrics through a key-authenticated REST API. Every resource is scoped to your organization.

Authentication

Generate a key in Settings → API Keys (OWNER/ADMIN only). The key is shown only once — store it somewhere safe. Pass it in the header:

Authorization: Bearer gp_live_xxxxxxxxxxxxxxxxxxxxxxxx

A missing or invalid key returns 401. A resource that belongs to another organization returns 404 (never revealed).

Scopes: keys are readby default. Tick “Allow write” on creation to get the write scope (required for POST / PATCH) — otherwise 403.

Base URL

https://growth-pilot-swart.vercel.app/api/v1

Endpoints

get/loops— list the organization's Growth Loops

curl https://growth-pilot-swart.vercel.app/api/v1/loops \
  -H "Authorization: Bearer gp_live_…"

get/loops/{id}— single Growth Loop detail

curl https://growth-pilot-swart.vercel.app/api/v1/loops/LOOP_ID \
  -H "Authorization: Bearer gp_live_…"

get/metrics— snapshot of the 6 AAARRR metrics

curl https://growth-pilot-swart.vercel.app/api/v1/metrics \
  -H "Authorization: Bearer gp_live_…"

# Response:
{
  "data": {
    "awareness.users": 202,
    "acquisition.newUsers": 184,
    "activation.rate": 51,
    "retention.stickiness": 38,
    "referral.kFactor": 0.84,
    "revenue.mrr": 4280
  },
  "meta": { "isMock": { "revenue.mrr": false } }
}

post/loops— create a loop from a template (write scope)

curl -X POST https://growth-pilot-swart.vercel.app/api/v1/loops \
  -H "Authorization: Bearer gp_live_…" \
  -H "Content-Type: application/json" \
  -d '{ "name": "My loop", "type": "VIRAL" }'

# type ∈ VIRAL | PAID | CONTENT | PRODUCT

patch/loops/{id}— update name and/or status (write scope)

curl -X PATCH https://growth-pilot-swart.vercel.app/api/v1/loops/LOOP_ID \
  -H "Authorization: Bearer gp_live_…" \
  -H "Content-Type: application/json" \
  -d '{ "name": "Renamed", "status": "ACTIVE" }'

# status ∈ DRAFT | ACTIVE | PAUSED | ARCHIVED

get/posts— list CMS posts

post/posts— create a draft post — { title, content } (write scope)

get/tests— list A/B tests

post/tests— create a test + variants — { name, hypothesis, variants[] } (write scope)

get/missions— list missions (agile projects)

post/missions— create a mission — { name, description? } (write scope)

Every resource (loops, posts, tests, missions) also exposes GET /:id (detail) and PATCH /:id (update, write scope).

Outbound webhooks

Configure endpoints in Settings → Webhooks. On each subscribed event, GrowthPilot POSTs an HMAC-SHA256 signed payload. Events: alert.triggered, checkout.completed, loop.created, loop.published, post.published.

POST https://ton-endpoint
X-GrowthPilot-Event: checkout.completed
X-GrowthPilot-Signature: sha256=<hmac_hex>

{
  "type": "checkout.completed",
  "createdAt": "2026-05-31T09:00:00.000Z",
  "data": { "plan": "PRO" }
}

Verify authenticity by recomputing the HMAC of the raw body with the endpoint secret:

import crypto from "node:crypto";

const expected =
  "sha256=" +
  crypto.createHmac("sha256", WEBHOOK_SECRET).update(rawBody).digest("hex");
// compare `expected` to the X-GrowthPilot-Signature header
// (ideally with crypto.timingSafeEqual)

OpenAPI spec

Machine-readable specification (for client SDK generation): /api/v1/openapi

API v1 read and write (loops, posts, tests, missions) + AAARRR metrics + signed outbound webhooks + MCP server (see the mcp-server/ folder) to pilot GrowthPilot from your agent.