API reference

Beacon endpoints, plus the license validation and remote config endpoints.

Beacon endpoints (token-auth)

Every endpoint accepts the API token either in the X-Quickload-Token header or in the ?token= query parameter (the latter for navigator.sendBeacon, which can't set custom headers).

  • POST /api/v1/observed — discovered scripts beacon
  • POST /api/v1/vitals — CWV samples (LCP, INP, CLS, FCP, TTFB)
  • POST /api/v1/tbt-attribution — per-script main-thread time (Long Animation Frames API)
  • POST /api/v1/audit — cookies + 3rd-party hosts (privacy ledger)
  • POST /api/v1/engagement — bounce-correlation samples on pagehide
  • POST /api/v1/psi-runs — PSI before/after upload
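
An added example (not Quickload's own code) for the ?token= fallback described above: a token carried in a query string appears wherever URLs are recorded, so this builds the sendBeacon URL and masks the token before anything is logged. The origin quickload.example, the token value, the payload shape, the text/plain body and the log lines are constructed assumptions.

```javascript
// Added example (not Quickload code). BASE and TOKEN are constructed placeholders.
const BASE = "https://quickload.example"; // assumed API origin, not given in the docs
const TOKEN = "tok_EXAMPLE_0000";         // constructed token value

// URL for navigator.sendBeacon, which cannot set X-Quickload-Token.
function beaconUrl(path, token, base = BASE) {
  const u = new URL(path, base);
  u.searchParams.set("token", token);
  return u.toString();
}

// Mask ?token= / &token= values in any string (URL, access-log line, error report).
function redactToken(text) {
  return String(text).replace(/([?&]token=)[^&#\s"']+/gi, "$1REDACTED");
}

// Queue a beacon and return only what is safe to log.
// `nav` is injected so this runs outside a browser; in a page, pass `navigator`.
function queueBeacon(nav, path, payload, token = TOKEN) {
  const url = beaconUrl(path, token);
  // A string body is sent as text/plain; the accepted content type is an assumption.
  const queued = nav.sendBeacon(url, JSON.stringify(payload));
  return { queued, logUrl: redactToken(url) };
}

// Constructed access-log lines showing where the query-param token ends up.
const SAMPLE_LOG = [
  '203.0.113.7 - - "POST /api/v1/vitals?token=tok_EXAMPLE_0000 HTTP/1.1" 204',
  '203.0.113.7 - - "POST /api/v1/audit?site=a&token=tok_EXAMPLE_0000&v=2 HTTP/1.1" 204',
  '203.0.113.9 - - "GET /api/v1/config HTTP/1.1" 304',
];

// Apply the same masking to log lines before they are stored or shipped.
function scrubLog(lines) {
  return lines.map(redactToken);
}

console.log(scrubLog(SAMPLE_LOG).join("\n"));
```

The same redactToken pass applies to anything that records full request URLs, such as proxy logs and client-side error reports.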

License validation

POST /api/v1/license/validate with { key, site, version }. Returns { valid: true|false, plan, expires_at }.

Remote config

GET /api/v1/config with X-Quickload-Token. Returns the site's current runtime configuration (trigger, exclusions, overrides, eager vendors). Cached by the runtime in localStorage with ETag negotiation.

Rate limits

All public endpoints are per-IP rate-limited. License validate: 60 req / 5 min. Beacon ingest: 240 req / min per IP. CORS is wildcard * without credentials.

Still stuck?

Email support@usequickload.com and we'll get you sorted within a business day.