Base URL

https://api.auo.com.au
All REST endpoints are under /v1. The MCP server is at /mcp (not under /v1).

Authentication

Every REST request requires a bearer token in the Authorization header:
Authorization: Bearer auo_sk_live_your_key_here
Use auo_sk_test_... for sandbox fixtures (free, no quota consumed). Use auo_sk_live_... for real government data. See Authentication for the full guide including key rotation and webhook signature verification.

Response conventions

Provenance on every field

Every substantive field in a /resolve response is wrapped in a provenance object:
{
  "entity_name": {
    "value": "ACME PTY LTD",
    "source": "ASIC-Companies",
    "as_of": "2026-07-01T00:00:00+10:00"
  }
}
  • value: the field value (may be null if the source has no record).
  • source: the register that produced this value (e.g. ABR, ASIC-Companies, ACNC, GLEIF).
  • as_of: when the source was last read (ISO 8601 with timezone). Present where the source provides a date; omitted otherwise.

Inter-source conflicts

When two sources disagree on the same field (due to cadence skew between registers), the response flags the conflict rather than silently picking one value. The conflict is visible in the response so you can decide how to handle it.

Empty candidates is not an error

A query that finds no matching entity returns a clean 200 with an empty candidates array. Only an upstream source outage returns a 502. See Error handling for the full error reference.

Error envelope

All errors use the same shape:
{
  "error": {
    "type": "invalid_request",
    "message": "abn must be an 11-digit string.",
    "request_id": "req_01abc..."
  }
}

Pagination

List endpoints use a cursor-based pagination pattern:
  • GET /v1/watch: returns all active subscriptions for the account. No cursor required for typical account sizes.
  • GET /v1/entity/:id/changes: accepts a since query parameter (ISO 8601 timestamp, exclusive) to page through events. Returns events created after the cursor, in ascending order.

Rate limits

Rate limiting applies per account. If you exceed the limit, the API returns a 429 with type: "rate_limited". Back off and retry. The soft-cap overage policy (plan allowance exceeded) does not block requests. See Pricing for the allowance model.
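The response conventions and rate-limit behaviour above, as one client-side decision function. This is an added example, not AUO's own code. It assumes each item in candidates is an object whose fields are provenance objects, and it assumes an exponential backoff schedule. The names classify, unwrap and backoff_seconds are hypothetical.

```python
import json

def unwrap(field):
    """Split a provenance object into (value, source, as_of)."""
    # value may be null (no record at the source); as_of is omitted when the source has no date.
    return field.get("value"), field.get("source"), field.get("as_of")

def backoff_seconds(attempt, base=1.0, cap=60.0):
    """Assumed exponential schedule; the page only says to back off and retry."""
    return min(cap, base * 2 ** attempt)

def classify(status, body_text, attempt=0):
    """Map an HTTP status and JSON body to a decision the caller can act on."""
    try:
        body = json.loads(body_text) if body_text else {}
    except ValueError:
        body = {}
    if not isinstance(body, dict):
        body = {}
    if status == 200:
        candidates = body.get("candidates")
        if not isinstance(candidates, list):
            return {"outcome": "malformed"}
        if not candidates:
            return {"outcome": "no_match"}  # clean 200 with nothing found, not an error
        entities = [{k: unwrap(v) for k, v in c.items()
                     if isinstance(v, dict) and "value" in v}
                    for c in candidates if isinstance(c, dict)]
        return {"outcome": "match", "entities": entities}
    err = body.get("error")
    err = err if isinstance(err, dict) else {}
    result = {k: err.get(k) for k in ("type", "message", "request_id")}
    if status == 429 and result["type"] == "rate_limited":
        result.update(outcome="retry", wait=backoff_seconds(attempt))
    elif status == 502:
        result["outcome"] = "source_outage"  # upstream down: never record this as "no entity"
    else:
        result["outcome"] = "error"  # log request_id alongside the failure
    return result

# Constructed sample bodies (not real API output). "charity_status" is a made-up field name.
SAMPLE_MATCH = json.dumps({"candidates": [{
    "entity_name": {"value": "ACME PTY LTD", "source": "ASIC-Companies",
                    "as_of": "2026-07-01T00:00:00+10:00"},
    "charity_status": {"value": None, "source": "ACNC"}}]})
SAMPLE_RATE_LIMITED = json.dumps({"error": {
    "type": "rate_limited", "message": "constructed", "request_id": "req_constructed_01"}})

if __name__ == "__main__":
    print(classify(200, SAMPLE_MATCH))
    print(classify(429, SAMPLE_RATE_LIMITED, attempt=3))
```

Keeping source_outage distinct from no_match matters for onboarding and screening flows: an outage means the lookup did not happen, so the check should be repeated rather than treated as a clean result.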

Endpoints

Resolve

POST /v1/resolve
Turn an ABN, ACN, or name into a canonical entity joined across all sources, with provenance on every field and enrichment blocks for charity, licensing, and screening.

Screen

POST /v1/screen
Check a name or identifier against the DFAT sanctions consolidated list and ASIC banned-persons and organisations registers. Returns review, no_match, or unavailable. Never pass or fail.

Validate

GET /v1/validate/{identifier}
Check the format and check digit of an ABN or ACN. Does not hit the ABR or any live source. Fast, always available.

Watch

POST /v1/watch, GET /v1/watch, GET /v1/watch/:id, PATCH /v1/watch/:id, DELETE /v1/watch/:id, POST /v1/watch/:id/roll
Create and manage watch subscriptions. AUO posts a signed webhook to your endpoint when a monitored entity changes.

Changes (polling)

GET /v1/entity/:id/changes
Poll for pending, delivered, and failed events for a watched entity. Useful when your webhook endpoint is temporarily unavailable.

MCP

The MCP server at /mcp exposes 6 read-only tools that call the same core functions as the REST endpoints. See MCP guide for connection instructions and the tool list.