UBava API Documentation
Integrate privacy-first AI into your application. Every request passes through our 7-Docker Privacy Cascade before reaching any provider.
API Keys
All API requests require authentication via an API key passed in the request header. Keys are generated automatically upon account activation.
- Include your key in the
X-Container-API-Keyheader on every request - API keys are generated upon account activation
- All requests must be made over
HTTPS - Never expose your API key in client-side code
X-Container-API-Key: your-api-key-hereAPI Endpoints
Main relay endpoint for authenticated users. Sends a prompt through the privacy cascade to your chosen AI provider and returns the response.
{
"text": "Your prompt here",
"provider": "claude | gpt | gemini | grok",
"model": "optional specific model name"
}{
"response": "AI response text",
"provider": "claude",
"model": "claude-sonnet-4-6",
"tokenUsage": {
"input": 150,
"output": 300
}
}Streaming version of the relay endpoint. Accepts the same request body as /api/relay/process. Returns Server-Sent Events (SSE) for real-time token streaming.
// Each event delivers a chunk of the response
data: {"token": "Hello"}
data: {"token": ", how"}
data: {"token": " can I help?"}
data: [DONE]Public health check endpoint. No authentication required.
{
"status": "operational",
"timestamp": "2026-04-09T12:00:00.000Z"
}Supported Providers & Pricing
All prices include UBava's 50% infrastructure markup covering the full privacy cascade, GDPR compliance layer, and EU hosting.
| Provider | Model | Input / 1M tokens | Output / 1M tokens |
|---|---|---|---|
| Claude | Sonnet 4.6 | € 4.50 | € 22.50 |
| GPT | GPT-4.1 | € 3.00 | € 12.00 |
| Gemini | 2.5 Flash | € 0.45 | € 3.75 |
| Grok | 4.1 Fast | € 0.30 | € 0.75 |
Rate Limits
| Scope | Limit | Window |
|---|---|---|
| Relay (per user API key) | 10 requests | 1 minute |
| Cascade (per subscriber token) | 30 requests | 1 minute |
When you exceed the rate limit, the API returns 429 Too Many Requests with a Retry-After header indicating when you can retry.
Error Codes
| Code | Meaning |
|---|---|
400 |
Bad request — missing or invalid fields |
401 |
Authentication required — no API key provided |
403 |
Forbidden — invalid or revoked API key |
429 |
Rate limit exceeded — slow down and retry after the indicated interval |
451 |
Unavailable for legal reasons — blocked under EU AI Act Annex III |
500 |
Internal server error — contact support if persistent |
Code Examples
curl -X POST https://api.ubava.ee/v1/api/relay/process \
-H "Content-Type: application/json" \
-H "X-Container-API-Key: your-api-key" \
-d '{
"text": "Explain GDPR Article 25 in plain English",
"provider": "claude"
}'import requests
response = requests.post(
"https://api.ubava.ee/v1/api/relay/process",
headers={
"Content-Type": "application/json",
"X-Container-API-Key": "your-api-key",
},
json={
"text": "Explain GDPR Article 25 in plain English",
"provider": "claude",
},
)
data = response.json()
print(data["response"])const response = await fetch("https://api.ubava.ee/v1/api/relay/process", {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-Container-API-Key": "your-api-key",
},
body: JSON.stringify({
text: "Explain GDPR Article 25 in plain English",
provider: "claude",
}),
});
const data = await response.json();
console.log(data.response);Privacy Cascade
All prompts are processed through UBava's 7-Docker Privacy Cascade. Personal data is detected, tokenized, and replaced with synthetic data before reaching any AI provider. Your PII never leaves your infrastructure.
Every API request automatically benefits from the full cascade. There is no opt-out and no additional configuration needed -- privacy is the default, not a feature toggle.