/api/v2/). Additive changes (new endpoints,
new optional response fields) are not breaking. Removing a field, changing a
type, or tightening a scope is breaking and ships under a new path version.
2026-06-23 — reads authenticate over TLS only
v1 reads now authenticate with the API key as a Bearer token over TLS; request signing has been dropped from all reads. HMAC request signing is retained for the v2 write surface (deferred and currently disabled) and, as a separate scheme, for outbound webhook delivery verification. See Authentication. No request or response shapes changed; only the read auth requirement is relaxed.2026-06 — v1 management read surface + webhooks
The v1 management-company surface: read-only plus webhooks, on top of the auth → scope → rate-limit → HMAC → isolation → consent → audit spine. Your fleet is derived from your CrewPass employer account; there is nothing to attach. EndpointsGET /api/v2/partners/me— identity + granted scopes.GET /api/v2/employers/me/vessels— your vessels (vessels:fleet:read).GET /api/v2/employers/me/fleet— crew across your vessels, with verification + background-check status and documents-expiring counts, paginated (vessels:fleet:read+ per-crewcrew:status:read).POST /api/v2/employers/me/crew/lookup— resolve a crew member by email (crew:status:read).GET /api/v2/employers/me/crew/{id}/profile— base profile, plus an identity block undercrew:profile:full:read.GET /api/v2/employers/me/crew/{id}/photo— branded photo proxy (crew:profile:read).GET /api/v2/employers/me/crew/{id}/documents— documents with issuer + verification status (crew:documents:read).GET /api/v2/employers/me/crew/{id}/documents/{document_id}/download— short-lived, branded file link (crew:documents:download).POST /api/v2/employers/me/crew/{id}/compliance-checks— compliance with the role / STCW / medical breakdown (crew:compliance:read).
crew.document.processed,crew.document.updated,crew.compliance.changed,crew.status.changed,crew.profile.updated. See Webhooks.
- Crew onboarding & invites, vessel-placement writes, vessel self-attach, and API-initiated background checks. Background-check status is read-only in v1, and the verification provider’s name is never exposed.