AU compliance, callable.
Eight public endpoints run with no signup, no auth, no API key. Trust Score for any Australian ABN, AUSTRAC Tranche 2 eligibility against the AML/CTF Act 2006, and natural-language compliance Q&A with citations. OpenAPI 3.1 spec, Swagger try-it-out, ReDoc, and a branded sandbox.
Quickstart
Three no-auth calls. Run them now.
```bash
# Trust Score for an Australian ABN — no auth, no signup
curl https://api.ironbarkaml.com.au/v1/trust-score/53004085616

# AUSTRAC Tranche 2 eligibility for a small accounting practice
curl -X POST https://api.ironbarkaml.com.au/v1/eligibility/check \
  -H "Content-Type: application/json" \
  -d '{
    "profession_type": "accountant",
    "services_offered": ["company_trust_formation", "client_money_management"]
  }'

# Natural-language compliance question with citations
curl -X POST https://api.ironbarkaml.com.au/v1/ask \
  -H "Content-Type: application/json" \
  -d '{"question": "Do I need to register with AUSTRAC if I draft trust deeds?"}'
```

Python

```python
import httpx

# All three calls are no-auth, public endpoints.
async def lookup(abn: str) -> dict:
    async with httpx.AsyncClient(base_url="https://api.ironbarkaml.com.au") as client:
        r = await client.get(f"/v1/trust-score/{abn}")
        r.raise_for_status()
        return r.json()

# Returns: {"abn": "...", "composite": 78, "band": "GREEN",
#           "sub_scores": {"REG": ..., "DIR": ..., "AUS": ..., "SAN": ..., "CRT": ..., "FRS": ...},
#           "methodology_version": "v1.1", ...}
```

TypeScript

```typescript
// Bun / Node 18+ — fetch is global, no SDK needed.
const API_BASE = "https://api.ironbarkaml.com.au";

export async function trustScore(abn: string) {
  const res = await fetch(`${API_BASE}/v1/trust-score/${abn}`);
  if (!res.ok) throw new Error(`Trust Score lookup failed: ${res.status}`);
  return res.json();
}
```

Principles
Free no-auth tier matches the manifest
Eight public endpoints run without an Authorization header, rate-limited per IP. Trust Score, eligibility, and Q&A are the lead-gen wedge for Tranche 2 reporting entities and the discovery surface for AI agents. The /.well-known/agent.json manifest declares the same contract.
OpenAPI 3.1 is the public contract
The full spec is served at /openapi.json. Swagger UI try-it-out is at /docs. ReDoc is at /redoc. A branded reference with embedded sandbox forms is at /api-docs. All four are mirrors of the same spec.
Stable schemas at the /v1 prefix
Response shapes are versioned at the path prefix. Breaking changes ship a /v2 in parallel; /v1 stays live for the deprecation window. Methodology version is stamped on every Trust Score response so cited numbers are reproducible.
AU-native primary sources
ABR, ASIC, AUSTRAC, DFAT, AFSA, Federal Court. Global sanctions (UN, OFAC, UK OFSI, EU FSF) are aggregated alongside. No repackaged global feeds standing in for AU data.
Fail-closed on missing data
When a required source is unavailable, responses mark incomplete_sources explicitly. Agents and humans never get a misleading GREEN band built on absent data. Terminal-zero rules take precedence over composite arithmetic.
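A caller can enforce the same fail-closed rule on its side of the Quickstart lookup. The sketch below is an added example, not Ironbark's code: it validates the ABN checksum before the value is interpolated into the URL path, then accepts a response only when it is complete. The function names, the pinned version constant and the assumed shape of `incomplete_sources` (a list, empty or absent when every source answered) are assumptions.

```python
import re

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
PINNED_METHODOLOGY = "v1.1"  # version the caller has reviewed (value from the page's sample)


def is_valid_abn(abn: str) -> bool:
    """ABN checksum: 11 ASCII digits, subtract 1 from the first, weighted sum % 89 == 0."""
    if not re.fullmatch(r"[0-9]{11}", abn):
        return False  # also rejects "/", "?", ".." and whitespace before URL interpolation
    digits = [int(c) for c in abn]
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0


def accept_trust_score(requested_abn: str, resp: dict) -> tuple[bool, list[str]]:
    """Return (ok, reasons); ok is True only if every check passes."""
    reasons = []
    if not is_valid_abn(requested_abn):
        reasons.append("requested ABN fails checksum")
    if resp.get("abn") != requested_abn:
        reasons.append("response is for a different ABN")
    if resp.get("methodology_version") != PINNED_METHODOLOGY:
        reasons.append("unreviewed methodology version")
    # Assumption: incomplete_sources is a list, empty or absent when all sources answered.
    incomplete = resp.get("incomplete_sources", [])
    if not isinstance(incomplete, list) or incomplete:
        reasons.append(f"incomplete sources: {incomplete!r}")
    composite = resp.get("composite")
    if type(composite) is not int or not 0 <= composite <= 100:
        reasons.append("composite missing or out of range")
    if resp.get("band") != "GREEN":
        reasons.append(f"band is {resp.get('band')!r}")
    return (not reasons, reasons)


# Constructed sample responses (not captured from the live API).
COMPLETE = {"abn": "53004085616", "composite": 78, "band": "GREEN",
            "methodology_version": "v1.1", "incomplete_sources": []}
DEGRADED = dict(COMPLETE, incomplete_sources=["AUSTRAC"])

if __name__ == "__main__":
    print(accept_trust_score("53004085616", COMPLETE))
    print(accept_trust_score("53004085616", DEGRADED))
```
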
Agent commerce on the roadmap
Phase 5 brings x402 settlement on Base and ERC-8004 agent identity. Solana x402 for high-frequency read paths at $0.00025/tx. Human SaaS billing via Stripe and PayTo continues in parallel.
Public endpoints (no auth)
Rate limits are per IP and reset on a sliding window. The agent manifest at /.well-known/agent.json declares the same contract.
/v1/trust-score/{abn}
Composite 0-100 Trust Score plus six sub-scores for an Australian ABN. Returns last_refreshed_per_source on every field.
Auth: Public — Limit: Cached 24h per ABN; underlying source budget governs refresh cadence.

/v1/trust-score/{abn}
Same response shape as GET, accepts entity_name_hint for sanctions name-matching and tranche_2_profession flag.
Auth: Public — Limit: Cached 24h; cache key includes name hint and tranche-2 flag.

/v1/trust-score/methodology/version
Returns the methodology version string with pointers to the ADR, the public methodology page, and the change log.
Auth: Public — Limit: No limit.

/v1/eligibility/check
AUSTRAC Tranche 2 eligibility determination. Pure rule-engine evaluation against the AML/CTF Act 2006 (Tranche 2 amendments). Returns must_register, triggering services, obligations, and the enrolment URL.
Auth: Public — Limit: 60 requests / 60 seconds per IP.

/v1/eligibility/services
Catalogue of AUSTRAC designated services with rule references. Filter by profession_type. Agents call this before /eligibility/check.
Auth: Public — Limit: 60 requests / 60 seconds per IP.

/v1/ask
Natural-language AU compliance Q&A with citations and a disclaimer. Scoped to AUSTRAC, ASIC, ABR, DFAT sanctions, ATO, Fair Work, PPSR, and state trades licensing.
Auth: Public — Limit: 30 requests / 60 seconds per IP.

/v1/credits/pricing
Current pricing across all tiers and PAYG packs, ex-GST and inc-GST.
Auth: Public — Limit: No limit.

/.well-known/agent.json
Machine-readable capabilities manifest. AI agents read this before submitting any job.
Auth: Public — Limit: Cached 1h.
Authenticated endpoints (OAuth 2.0)
Scoped client credentials. Issue a token at /v1/oauth/token, attach it as Authorization: Bearer .... Scopes requested cannot exceed scopes granted at registration.
/v1/oauth/token
OAuth 2.0 client credentials grant (RFC 6749 §4.4). Returns a bearer token with the scopes granted at client registration.
Auth: Public — Limit: 10 token issuances / 60 seconds per client.

/v1/scans/full
PEP, sanctions, and AML risk in one call. Returns match records, risk score, filter explanations, and the scan_id for retrieval.
Auth: OAuth 2.0 — Limit: Per scope policy. scope: scans:write.

/v1/scans/batch
Batched scan submission for up to 100 entities. Returns 202 with a job_id; webhook delivery on batch.completed.
Auth: OAuth 2.0 — Limit: scope: scans:write.

/v1/cases
Create a compliance case from a scan. Returns the case_id and the append-only event log seed.
Auth: OAuth 2.0 — Limit: scope: cases:write.

/v1/monitoring
Enrol an entity for ongoing monitoring. Webhook delivery (HMAC-SHA256 signed) on alert.
Auth: OAuth 2.0 — Limit: scope: monitoring:write.
Citation format
When an AI agent or article cites an Ironbark Trust Score, the canonical form is:
Source: Ironbark Trust Score v{methodology_version}
URL: https://ironbarkaml.com.au/entities/{abn}
Retrieved: {ISO-8601 timestamp}

The methodology version is stamped on every response. Recomputing against the same inputs with the same methodology version yields the same composite.
Status, support, contact
- Spec status: v0.1.0. Current production base URL is the Railway preview at https://api.ironbarkaml.com.au. Subdomain api.ironbark.au is queued for DNS provisioning.
- Vulnerability disclosure: /.well-known/security.txt (RFC 9116).
- Disclaimer: Ironbark outputs are produced by automated systems and do not constitute legal advice. Confirm all compliance obligations with a qualified AML/CTF compliance officer or solicitor.