40 questions, real answers.

About Hoist Assets

What it is, who built it, why.

01What is Hoist Assets?

Hoist Assets is the asset-finance surface of Hoist, an Australian evidence layer for AI agents, operated by HoistAI Pty Ltd (ABN 11 695 718 659). Today (S1 validation) we ship a marketing site, in-browser sandbox fixtures, and a fixture-backed MCP server at mcp.assets.hoistai.com. The production REST API, real AFSA PPSR organisation and serial-number searches, real ABN/GST verification, batch CSV uploads, paid plans, and the production Due Diligence Record PDF all ship at S2-gate. See /trust/afsa-b2g/ for the current AFSA access posture.

02Who is it for?

Asset finance brokers, insolvency practitioners, business brokers, equipment dealers, SME lenders, and integrators building agents or platforms that need register-level due diligence. Brokers running 10+ searches a month are the primary buyer.

03Who built it?

HoistAI Pty Ltd. Same team that built Quokkafi (open-banking trust runtime). We share infrastructure and the underlying audit-and-consent code between the two products.

04Is this an MCP-only thing?

No. Hoist ships across three surfaces: REST API (the canonical contract), CLI, and MCP server. MCP is live today against fixture flows at mcp.assets.hoistai.com; the production REST API and CLI ship at S2-gate. No paying customers yet - we are in S1 validation and pre-registering design partners. See /roadmap for the sequencing.

05Why "Assets"?

Personal Property Securities registrations exist to identify whose assets carry what claims. The whole product is about answering questions on assets and the entities that own or finance them — so we named it that.

PPSR searches

01What is the PPSR?

The Personal Property Securities Register. A single national register operated by AFSA that records security interests in tangible and intangible personal property (vehicles, equipment, inventory, intellectual property). See /glossary/ppsr.

02Can I run organisation searches?

Sandbox fixture searches today via the ppsr_search_organisation tool shape. Real AFSA organisation searches ship at S2-gate via the partner-intermediary or approved AFSA pathway. See /trust/afsa-b2g/ for the current AFSA standing and /roadmap for sequencing.

03Can I run serial-number searches?

Sandbox fixture searches today via the ppsr_search_serial_number tool shape (VIN, chassis number, or aircraft serial). Real serial searches ship at S2-gate alongside organisation searches. See /roadmap.

04Can I search a person?

No. Our org-only scope covers organisations and serial numbers only — not individuals. We rejected building around the rule. See /trust/npii-boundary.

05How fresh is the data?

At S1 today, sandbox fixtures only - no real register traffic. At S2-gate the contract is per-search live to AFSA via the partner intermediary or approved direct pathway, with no cache on the registration data itself. See /trust/afsa-b2g/ for the current AFSA access posture.

06Do you store the certificate?

Yes, for 90 days minimum (longer on Team tier). You can download a PDF of the official AFSA certificate any time during that window. After 90 days, certificate retrieval requires a re-search at the AFSA pass-through rate.

07Can I run a search retrospectively for a date in the past?

Sort of. AFSA returns a 'point in time' search certificate; we ask for today's certificate by default. We can run a historical-as-at search via the API (extra parameter), but it costs the same A$2 because AFSA charges per certificate regardless of date.

08What if AFSA is down?

We queue your search and retry. The dashboard tells you within 30 seconds if AFSA has hit a longer outage; we credit you the workflow fee for any search that fails to complete within 60 minutes.

ABN / GST lookups

01Are ABN/GST lookups official?

At S1 today, sandbox fixtures only - no production ABR traffic. At S2-gate, lookups hit the Australian Business Register (ABR) directly and the data is the same as you'd get from abr.business.gov.au; we normalise the response and attach it to a record. See /roadmap.

02Why pay you for ABN when ABR is free?

ABR's free service is rate-limited and the response is XML with a few quirks. We cache, retry, normalise, attach to the audit chain, and bundle with PPSR in one workflow. If you're doing one-off ABN lookups, abr.business.gov.au is genuinely free — go there.

03Can I bulk-verify ABNs?

Planned for S2-gate. Batch CSV (up to 500 rows on Pro, unlimited on Team) ships alongside the production REST API; the CSV in / ZIP out pattern is designed to keep ABN, GST status, and the trading-name history aligned per row. Not live today - see /roadmap.

04What's in an ABN history?

Registration date, cancellation date if applicable, trading name(s) over time, ABN status (active / cancelled / suspended), and GST status with effective dates. Same fields as ABR's XML feed; we just present them as JSON.

The Due Diligence Record

01What's in the Due Diligence Record?

A one-page PDF showing: search type, counterparty (with ACN/ABN), search reference, AFSA certificate URL, certificate hash, timestamp (UTC + AEST), Hoist Assets record ID, the audit-chain ID, your user ID, and a verification footer. Designed to drop straight into a deal file or attach to a CRM record.

02Why call it a Record, not a Receipt?

Receipt means "paid for it" in most business contexts. Brokers file receipts in expenses, not deal files. Record signals "evidence of the search," which is closer to what brokers actually do with it. (Internally we still call the underlying data structure a receipt; that's a Quokkafi heritage thing.)

03Can I verify the record wasn't altered?

Yes. The PDF contains a SHA-256 hash. The same hash is published to the audit chain and accessible at /api/v1/records/{id}/verify — pass the hash and we return whether it matches. If you alter a byte of the PDF, the hash stops matching.

04Can I brand the PDF with my logo?

Yes, on Pro and Team. Upload a logo in dashboard settings; it appears in the header of every record you generate. The hash is computed on the unbranded content so verification still works regardless.

05Is the AFSA certificate inside the record?

The Hoist record links to the AFSA certificate (which has its own URL) and embeds the certificate's hash. We don't merge the two PDFs because the AFSA certificate is the legal artefact and we don't want to alter it. For evidence packs, both PDFs export together.

API & MCP

01Where's the API documentation?

OpenAPI 3.1 spec at /.well-known/openapi.json. Human-readable docs at /docs. Live SDKs for TypeScript, Python, and Ruby in /docs/sdks.

02What's the MCP endpoint?

https://mcp.assets.hoistai.com — discoverable via /.well-known/mcp.json. Install guides for Claude Desktop, Claude.ai, ChatGPT, Cursor, Cline, Codex CLI, Gemini CLI, and curl live at /docs/mcp/install/{host}.

03Is OAuth required for the API?

API keys for direct REST. OAuth 2.1 + Resource Indicators for MCP, so the AI host can manage scopes per session. Both are documented at /docs/auth.

04Does every MCP tool ask for confirmation?

Paid actions (any AFSA search) post a price confirmation to the host before executing. Read-only actions (record retrieval, ABN history) skip the confirmation. The cost-hint annotation in our MCP tool descriptions lets compatible hosts surface a native confirmation card.

05How do I get an API key?

Sign in, go to dashboard → API keys → Create. Keys are scoped (read-only, read-write, batch-only). Test keys are free and unlimited against fixtures; live keys count against your subscription.

Pricing & billing

01How do you charge?

Three subscription tiers (A$99 / A$199 / A$249) or per-search API (A$2.50/PPSR call). Subscription tiers include an AFSA-search allowance; overages bill at the per-search rate. All prices in AUD ex GST.

02Why is your price higher than AFSA's A$2?

We add a workflow fee for the record, the audit chain, the integration glue, and the dashboard. If A$2 was all you needed and you wanted to roll your own PDF, AFSA direct is cheaper — that's a serious recommendation, not a hedge.

03Can I get a refund?

Pro-rated refunds on cancellation within 14 days for Pro and Team. Practice tier is non-refundable but cancellable any time. We don't do refunds on consumed AFSA searches because we already paid AFSA for them.

04Do you have a free tier?

Sandbox is free and unlimited against fixture ACNs. No real AFSA searches. We didn't ship a free tier with real searches because every search costs us A$2 of AFSA money.

Trust, compliance, org-only scope

01Are you AFSA-authorised?

Hoist's current AFSA access status is tracked at /trust/afsa-b2g/. Refer there for the authoritative posture. Our B2G Account application is lodged and AFSA Discovery (sandbox) access was requested 2026-05-17; we are not yet an approved B2G Account holder.

02What's "org-only" scope?

Organisation-grantor and serial-number PPSR searches with no PII. AFSA's B2G program is the framework Hoist is applying to operate under, which would let approved account holders run these searches without each end-user needing their own AFSA contract, provided no individual searches are run. We are not yet an approved B2G Account holder - see /trust/afsa-b2g/ for current status and /glossary/npii for a full disambiguation (the term "NPII" has two meanings in AU register circles).

03Can the records be used as evidence in court?

The AFSA certificate is the primary evidence. The Hoist Record is contemporaneous documentation of when the search was run, by whom, and what the certificate hash was at the time — which strengthens the certificate's chain of custody. We don't claim it's a statutory declaration; talk to your lawyer if you're using it in litigation.

04Where's the data stored?

Cloudflare D1 + R2, AU best-effort residency. Records, audit chain, certificate copies. We don't store payment details (Stripe holds those). Full residency model at /trust/residency.

05Do you sell the data?

No. We never sell, share, or use your search history for marketing. Aggregated stats (e.g., "X searches per month industry-wide") may appear in our blog, never with any per-customer breakdown.

Data handling & privacy

01Who owns the records I create?

You. Export any time, delete on request, portable in standard formats. We hold them so we can show them to you and to satisfy our audit-chain commitments; we have no commercial right to use them.

02What happens to data when I cancel?

Active access for 30 days after cancellation. After that, records are deleted from production storage. Cold-storage backups roll off at 90 days. Audit-chain entries (which contain hashes only, no PII) persist indefinitely so historic records can still be verified.

03Do you log every search?

Yes. Every search creates an audit-chain entry with the searcher's user ID, target ACN/serial, timestamp, certificate hash, and IP. The chain is append-only and tamper-evident (each entry's hash includes the previous entry's hash).

04GDPR / Privacy Act compliance?

Australian Privacy Principles apply to us. The records you generate may contain personal information about the entities you searched (Australian businesses are usually represented by individuals as directors, etc.) — handle accordingly. Our DPA template is at /trust/dpa.