A deterministic API for the full test lifecycle.
Integrate the authoritative GSA catalog, locked quotes, laboratory orders, payment state, inbound shipping, published COAs, released raw data, and signed lifecycle events.
Base URL and authentication
https://www.goldstandardanalytics.com/api/v1/agent
Send the raw key as a bearer token on every request. GSA displays a new secret once and stores only a peppered verifier. Keep the token in your server-side secret manager.
export GSA_AGENT_TOKEN='gsa_live_REPLACE_ME' curl 'https://www.goldstandardanalytics.com/api/v1/agent/catalog?limit=100' \ -H "Authorization: Bearer $GSA_AGENT_TOKEN"
Canonical order flow
- Read the catalog and retain its
catalogRevision. - Create a server-priced quote. Quotes normally expire after 15 minutes.
- Create the order from that quote with
confirm: trueand a stable, unique idempotency key. - Poll the order or subscribe to signed webhooks, then retrieve only published COAs.
curl 'https://www.goldstandardanalytics.com/api/v1/agent/quotes' \
-H "Authorization: Bearer $GSA_AGENT_TOKEN" \
-H 'Content-Type: application/json' \
-d '{
"categoryId": "peptides",
"compoundNames": ["BPC-157"],
"testIds": ["sterility", "endotoxin"],
"turnaround": "standard",
"conformitySamples": 0
}'curl 'https://www.goldstandardanalytics.com/api/v1/agent/orders' \
-H "Authorization: Bearer $GSA_AGENT_TOKEN" \
-H 'Content-Type: application/json' \
-H 'Idempotency-Key: your-system-order-000001' \
-d '{
"quoteId": "REPLACE_WITH_QUOTE_UUID",
"paymentMethod": "mercury_invoice",
"clientReference": "your-system-order-000001",
"sampleMetadata": [{
"compoundName": "BPC-157",
"lotNumber": "LOT-2026-0042",
"matrixNotes": "Lyophilized powder"
}],
"publishRawData": true,
"confirm": true
}'Endpoint reference
| Method | Path | Purpose |
|---|---|---|
| GET | /catalog | Authoritative cursor-paginated catalog |
| POST | /quotes | Immutable server-priced quote |
| GET / POST | /orders | List or create orders |
| GET | /orders/{reference} | Order detail, timeline, scoped related resources |
| GET | /invoices | List safe invoice metadata |
| GET | /invoices/{reference} | Read one invoice |
| GET | /payments | List payment state |
| GET | /payments/{reference} | Read one payment |
| POST | /payments/prepare | Safely retry payment preparation |
| POST | /payments/usdc/submit | Submit an Ethereum transaction hash for verification |
| GET | /shipments | List labels and shipments |
| GET | /shipments/{reference} | Read tracking and carrier events |
| GET | /results | List QA-published COAs only |
| GET | /results/{reference} | Read one published COA and structured results |
| GET | /orders/{reference}/raw-data | Released one-hour instrument manifests |
| GET / POST | /webhooks | List or create signed endpoints |
| DELETE | /webhooks/{endpointId} | Delete a signed endpoint |
| POST | /webhooks/{endpointId}/rotate-secret | Rotate an endpoint secret |
| POST | /webhooks/{endpointId}/test | Send a signed test event |
Scopes
| Scope | Capability |
|---|---|
catalog:read | Browse tests, matrices, bundles, pricing, and requirements |
quotes:write | Create immutable, expiring server quotes |
orders:read / orders:write | Read or place customer-owned laboratory orders |
invoices:read / payments:read | Read invoice and payment state |
payments:write | Retry preparation or submit a USDC transaction for verification |
shipments:read | Read labels, tracking, and carrier history |
results:read | Read QA-published COAs and structured results |
raw_data:read | Read released instrument-file manifests after publication |
webhooks:read / webhooks:write | List or manage signed endpoints; subscriptions also require each event's resource-read scope |
Idempotency and money
Where an endpoint requires an idempotency key, it must be 8–255 characters and binds the exact request to its first result. Reusing a key with different input fails as a conflict. All commercial totals use integer USD cents. Ethereum USDC instructions separately return an integer atomic amount and an exact six-decimal display amount; neither may be rounded. The service never accepts a private key or broadcasts a transaction.
Signed webhooks
Endpoint registration performs public-HTTPS and SSRF validation. Deliveries are at least once, so deduplicate with X-GSA-Event-Id. Verify the timestamp tolerance and HMAC over the exact raw body before parsing JSON. Creating a subscription requires webhooks:write plus the matching read scope for every selected event: for example, results:read for COA events and orders:read for order or sample-status events.
X-GSA-Signature: t=<unix-seconds>,v1=<hex-hmac-sha256> signed bytes: <unix-seconds>.<exact raw HTTP body>
Never persist a signed COA or instrument download URL as a permanent public link. Fetch the current result, copy the authorized file into your controlled storage when needed, and retain the accession/COA identifiers for future reconciliation.