APIs for the headless MGA

Headless when you need it.

A REST API for rating, quoting, binding, and policy management. Webhooks on every state change. JSON in and out, with clear errors at every step.

How we work

Here to help

Insurance is not a product you can ship in a box. Off-the-shelf SaaS asks you to bend around their software. We don't work that way.

InsureOS is a bespoke service built on shared infrastructure. The platform is the same for every insurer. The setup never is.

Bespoke setup

We partner with each insurer one by one. We map your rates, build your forms, and wire your integrations, all the way through to production.

Yours to own

Everything we set up is editable from the admin portal. Change rates, tweak forms, adjust rules. No tickets, no waiting.

Support when you want it

Independent doesn't mean alone. We're a message away whenever you'd rather have a hand on the wheel.

One API for
everything

Request rates, create quotes, issue policies, fetch history. JSON in and out, with clear errors at every step.

POST /products/CAR/calculate

{
  "rating_factors": {
    "cover_start_date": "2025-01-20",
    "sum_insured": 10000,
    "cover_type": "comprehensive",
    "driver_age": 18
  }
}

→ 200 OK

{
  "calculation_id": "c-x7dhe",
  "premium": "2970.0000",
  ...
}

Fully documented, always up to date

Every endpoint ships with an OpenAPI spec and an interactive Swagger UI. Browse the resource model, the request and response shapes, and every error code. Try a real request from the docs themselves with your own API token.

OpenAPI 3 spec generated from the engine, never out of sync
Interactive Swagger UI with try-it-now requests
Payload examples for every endpoint and every webhook event

Webhooks on every state change

Every meaningful change in the platform fires an event. Subscribe with webhooks and your downstream systems stay in sync without polling. Deliveries are asynchronous, HMAC-signed, and replayable from a timestamp if your receiver was down.

See automation

Asynchronous webhook delivery, HMAC-signed
Stable event taxonomy: quote.*, payment.*, policy.*, document.*
Replay-from-timestamp to catch up after downtime

Event stream

acme-auto · production

Live · last 30s

Time

Event

Subscriber

Latency

quote.created

14:32:18 qx_7f3a92 124ms

14:32:18 quote.created qx_7f3a92 acme-auto.example.com 124ms
quote.rated

14:32:19 qx_7f3a92 98ms

14:32:19 quote.rated qx_7f3a92 acme-auto.example.com 98ms
payment.initiated

14:32:24 pay_8b1c4 142ms

14:32:24 payment.initiated pay_8b1c4 acme-auto.example.com 142ms
payment.succeeded

14:32:48 pay_8b1c4 108ms

14:32:48 payment.succeeded pay_8b1c4 acme-auto.example.com 108ms
quote.paid

14:32:48 qx_7f3a92 116ms

14:32:48 quote.paid qx_7f3a92 acme-auto.example.com 116ms
policy.bound

14:32:49 pol_3d9f7 132ms

14:32:49 policy.bound pol_3d9f7 acme-auto.example.com 132ms
document.generated

14:32:50 doc_2a4e1 94ms

14:32:50 document.generated doc_2a4e1 acme-auto.example.com 94ms
webhook.dispatched

14:32:51 whk_5g8h2 88ms

14:32:51 webhook.dispatched whk_5g8h2 acme-auto.example.com 88ms

Frequently asked questions

Is the API REST or GraphQL?

REST, with JSON payloads and conventional verbs. We considered GraphQL and decided REST is the better fit for the integration shapes we see (webhooks, idempotent state changes, partner integrations). If you need a GraphQL gateway you can wrap our REST surface; we have customers who do.
Are the embedded widget and the API the same engine?

Yes. The widget is a client of the API. Anything the widget does, the API can do. There is no second rating engine.
How are webhook deliveries authenticated?

HMAC-SHA256 signatures with a per-organisation secret. The receiving system verifies the signature; we retry with exponential backoff on non-2xx responses and dead-letter after a configurable threshold.
Can we replay webhook events after downtime?

Yes. Each event has a monotonic ID and a timestamp; the replay endpoint re-emits events from a starting point. We typically combine that with idempotency keys on the receiving side so replay is safe.
How are API tokens scoped?

Per-organisation, per-environment (test / live), and per-permission-set (read, quote, bind, manage). Tokens can be rotated without downtime and every call is logged with the issuing token for audit.

Insurance infrastructure
for the modern insurer

Define your products, connect your systems, and launch a branded quote experience, all from one platform.