API Reference
BidStacker's REST API for programmatic access to RFPs, proposals, templates, and AI features.
Authentication
Every endpoint accepts a Supabase session cookie (when calling from the web app). Endpoints marked Cookie or Bearer PAT additionally accept a scoped Personal Access Token for server-to-server, MCP, and CLI access: create a PAT under Settings → Integrations and send it in the Authorization: Bearer header. PATs are tenant-isolated and respect row-level security — never use a Supabase service-role key.
curl "https://www.bidstacker.xyz/api/proposals?status=draft&limit=5" \
-H "Authorization: Bearer pat_YOUR_PERSONAL_ACCESS_TOKEN"
# 200 OK
{
"proposals": [
{
"id": "1f0c9b2e-8a41-4f3d-9c27-5b1e6d8a0c42",
"title": "Proposal: IT Support Services — Dept. of Energy",
"status": "draft",
"organization_id": "7a52e9d1-03bc-48f6-b210-9e4f7c1d5a88",
"rfp_id": "c3d41b76-2e9f-4a05-8d13-f6a07b92c001",
"collaboration_mode": "solo",
"is_joint": false,
"created_at": "2026-06-10T18:22:31.000Z",
"updated_at": "2026-06-11T09:14:02.000Z"
}
]
}Looking for AI agent integration?
The MCP server provides 29 tools for Claude Code, Claude Desktop, and other AI agents.
/api/rfpsSearch and filter RFPs
Auth: Cookie (Supabase session)
keywordstring— Full-text search across title, description, agencylimitnumber— Max results (default: 50)/api/rfpsTrigger an RFP sync from SAM.gov
Auth: Cookie (Supabase session)
keywordstring— Search keyword for SAM.govlimitnumber— Max results to fetch/api/saved-rfpsList bookmarked RFPs for the authenticated user
Auth: Cookie (Supabase session)
/api/saved-rfpsBookmark an RFP
Auth: Cookie (Supabase session)
rfpIdstring (UUID)— RFP to bookmark/api/saved-rfpsRemove an RFP bookmark
Auth: Cookie (Supabase session)
rfpIdstring (UUID)— RFP to unbookmark/api/notificationsList notifications for authenticated user
Auth: Cookie (Supabase session)
/api/notificationsMark notifications as read
Auth: Cookie (Supabase session)
idsstring[] (UUIDs)— Notification IDs to mark read/api/proposalsList the proposals visible to the caller
Auth: Cookie or Bearer PAT
statusenum— draft | review | submitted | awarded | lostrfp_idstring (UUID)— Only proposals linked to this RFPlimitnumber— Max results (1-200, default: 200)offsetnumber— Pagination offset (default: 0)/api/proposals/[id]Get one proposal including its content sections
Auth: Cookie or Bearer PAT
/api/proposals/[id]/complianceRun compliance checks on a proposal and return the scored results
Auth: Cookie or Bearer PAT
/api/organizationGet the caller's organization profile
Auth: Cookie or Bearer PAT
/api/proposals/[id]/statusChange proposal status with transition validation
Auth: Cookie (Supabase session)
statusenum— draft | review | submitted | awarded | lost/api/proposals/generate-draftGenerate AI content for a proposal section
Auth: Cookie or Bearer PAT + Rate limit (10/min)
rfpIdstring (UUID)— Target RFPsectionTitlestring— Section to generateproposalIdstring (UUID, optional)— Existing proposal — injects its uploaded documents as grounding contexttoneenum— formal | technical | persuasive/api/aiAI text processing (improve, shorten, expand, etc.)
Auth: Cookie (Supabase session) + Rate limit
actionenum— professional | shorten | expand | summarize | customcontentstring— Text to process/api/templatesList proposal templates (default + organization)
Auth: Cookie (Supabase session)
/api/templatesCreate a new proposal template
Auth: Cookie (Supabase session)
namestring— Template namesectionsarray— Section definitions [{title, body?}]/api/sync/statusGet recent sync run history
Auth: Cookie (Supabase session)
/api/sync/triggerManually trigger a data sync
Auth: Cookie (Supabase session) + Rate limit (3/min)
sourceenum— federal | statedaysBacknumber— Days to look back (1-7)/api/matching-framework/generateGenerate AI matching framework from org profile
Auth: Cookie (Supabase session)
/api/contactSubmit a contact form message
Auth: Public (rate limited by IP)
namestring— Sender nameemailstring— Sender emailsubjectstring— Message subjectmessagestring— Message body