Corriva API
Read and write freight data from your own systems.
A small, honest REST API for shipments, quotes, and invoices. JSON in, JSON out. Bearer-token auth. Signed webhooks when data changes.
Authentication
Bearer-token auth, scoped per key
Generate a key in Settings and send it as an Authorization header on every request.
httpAuthorization: Bearer cvk_YOUR_KEYKeys are per organization. Revoke them at any time from Settings → API Keys. Each key has one or more scopes (shipments:read, shipments:write, invoices:read, quotes:read). Missing scopes return 403.
Base URL
Where the API lives
urlhttps://corriva.app/api/v1Endpoints
v1 surface
Start here. More endpoints roll out as we harden them.
| Method | Path | Description | Scope |
|---|---|---|---|
| GET | /v1/shipments | List shipments, filterable and paginated. | shipments:read |
| POST | /v1/shipments | Create a shipment request. | shipments:write |
| GET | /v1/shipments/:id | Read a single shipment by id. | shipments:read |
| GET | /v1/invoices | List customer invoices. | invoices:read |
| GET | /v1/invoices/:id | Read an invoice, including line items. | invoices:read |
| GET | /v1/quotes | List quotes attached to shipments. | quotes:read |
Sample request
List your shipments
Swap the key and go.
curlcurl https://corriva.app/api/v1/shipments \
-H "Authorization: Bearer cvk_YOUR_KEY"Node.jsconst res = await fetch("https://corriva.app/api/v1/shipments", {
headers: { Authorization: `Bearer ${process.env.CORRIVA_API_KEY}` },
});
const { data } = await res.json();Webhooks
Events delivered to your URL
Subscribe from Settings. We sign every payload so you can verify it came from us.
Headers we send
X-Corriva-Event: the event name, e.g.shipment.delivered.X-Corriva-Delivery: a unique id for the delivery attempt. Safe to use for idempotency.X-Corriva-Signature:sha256=<hex>. HMAC-SHA256 of the raw request body, keyed with your endpoint secret.
Event types
| Event | Fires when |
|---|---|
| shipment.created | A new shipment is created. |
| shipment.cancelled | A shipment is cancelled. |
| shipment.status_changed | A shipment moves between statuses. |
| shipment.delivered | A shipment reaches delivered. |
| quote.sent | A quote is emailed to the customer. |
| quote.approved | The customer approves a quote. |
| quote.rejected | The customer rejects a quote. |
| tender.accepted | A carrier accepts a tendered load. |
| tender.declined | A carrier declines a tendered load. |
| tender.countered | A carrier proposes a different rate on a tendered load. |
| pod.received | Proof of delivery is received. |
| invoice.sent | An invoice is sent to a customer. |
| invoice.paid | An invoice is marked paid. |
| settlement.paid | A carrier settlement is paid out. |
Verifying a signature
Node.jsimport crypto from "node:crypto";
// Raw request body as received, not JSON.parse'd.
function verifyCorrivaSignature(rawBody, headerValue, secret) {
const expected = "sha256=" + crypto
.createHmac("sha256", secret)
.update(rawBody)
.digest("hex");
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(headerValue)
);
}Use the raw body (not a re-serialized JSON string). If the HMAC does not match, return 401 and drop the payload.
Manage endpoints at Settings → Webhooks. Delivery history for every endpoint is kept for inspection.
Rate limits
Fair use, not fine print
No hard quotas in v1. Abusive traffic will be throttled. If you expect sustained high volume, email support@corriva.app so we can plan capacity with you.
Status
v1 — public beta
Published April 20, 2026. Endpoints listed here are stable. New endpoints will be announced before rollout.