diff --git a/api/v1/documents/update.php b/api/v1/documents/update.php index 44d8ca18..1cd987eb 100644 --- a/api/v1/documents/update.php +++ b/api/v1/documents/update.php 
@@ -1,41 +1,121 @@ / + // In-app uses $_POST['content'] as raw; in API you likely map to $content in document_model.php + $raw_post_content = $content; + + $processed_html = saveBase64Images( + $raw_post_content, $_SERVER['DOCUMENT_ROOT'] . "/uploads/documents/", "uploads/documents/", $document_id - ) - ); + ); - $update_insert_sql = mysqli_query($mysqli,"UPDATE documents SET document_name = '$name', document_description = '$description', document_content = '$processed_content', document_content_raw = '$content_raw', document_folder_id = $folder, document_updated_by = 0, document_client_id = $client_id"); + // Escape for DB + $content_db = mysqli_real_escape_string($mysqli, $processed_html); - // Logging - logAction("Document", "Edit", "$name via API ($api_key_name)", $client_id, $document_id); - logAction("API", "Success", "Edited document $name via API ($api_key_name)", $client_id); + // Rebuild content_raw for full-text search (same technique as app) + $content_raw = sanitizeInput($name . " " . 
str_replace("<", " <", $processed_html)); + $content_raw = mysqli_real_escape_string($mysqli, $content_raw); - // Override update count to 1 for API to report a success (as we inserted a document, not "updated" an existing row) - $update_count = 1; + // Escape name/description too (document_model.php may already sanitize; do DB escaping here regardless) + $name_db = mysqli_real_escape_string($mysqli, $name); + $description_db = mysqli_real_escape_string($mysqli, $description); + $folder_id = intval($folder); + // 4) Update the document (IMPORTANT: proper WHERE + scope to client) + mysqli_query( + $mysqli, + "UPDATE documents SET + document_name = '$name_db', + document_description = '$description_db', + document_content = '$content_db', + document_content_raw = '$content_raw', + document_folder_id = $folder_id, + document_updated_by = 0 + WHERE document_id = $document_id + AND document_client_id = $client_id + LIMIT 1" + ); + + // For API: treat success as "updated row" OR "query ran but values unchanged" + if (mysqli_errno($mysqli) === 0) { + $update_count = 1; + } + + // Logging + logAction("Document", "Edit", "$name_db via API ($api_key_name), previous version kept", $client_id, $document_version_id); + logAction("API", "Success", "Edited document $name_db via API ($api_key_name)", $client_id); + + } else { + // Not found (or not this client's doc) + $update_count = false; + logAction("API", "Error", "Document update failed (not found or unauthorized) via API ($api_key_name)", $client_id); + } } // Output
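Review bot: `$document_id` and `$client_id` are still interpolated into the UPDATE's WHERE clause without the `intval()` treatment `$folder` receives on the line above, so the "proper WHERE + scope to client" comment holds only if both were validated as integers earlier, outside the visible part of the hunk; at minimum add `$document_id = intval($document_id);` and `$client_id = intval($client_id);` next to `$folder_id = intval($folder);`, or better move the statement to a prepared statement (sketched below), which also removes the manual `mysqli_real_escape_string` calls. Success is then decided by `mysqli_errno($mysqli) === 0` rather than the return value of `mysqli_query()` or `mysqli_affected_rows()`, so a query that matched zero rows (a document_id that does not belong to this client) is reported as an update — the comment covers "values unchanged", but zero matched rows is a different case and should fall into the not-found branch. The two `logAction` calls log `$name_db`, the SQL-escaped value, so names containing quotes or backslashes are recorded with escape characters; log the unescaped `$name` there. The if/else that encloses this update begins outside the hunk.

```php
$stmt = mysqli_prepare(
    $mysqli,
    "UPDATE documents SET document_name = ?, document_description = ?, document_content = ?,
        document_content_raw = ?, document_folder_id = ?, document_updated_by = 0
     WHERE document_id = ? AND document_client_id = ? LIMIT 1"
);
// Bind the unescaped values; the driver handles quoting, so the *_db copies are no longer needed
mysqli_stmt_bind_param($stmt, 'ssssiii', $name, $description, $processed_html, $content_raw, $folder_id, $document_id, $client_id);
mysqli_stmt_execute($stmt);
// … unchanged: success check and logging …
```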