API Reference¶
Complete reference for the AegisAI REST API at /api/v1. Interactive documentation is available at http://localhost:8000/docs.
Base URL¶
Authentication¶
| Header | Value | Scope |
|---|---|---|
X-API-Key |
Tenant or user API key | Agent, policy, audit operations |
Authorization |
Bearer <jwt> |
User management, API keys |
X-Admin-Key |
Admin provisioning key | Tenant creation |
All requests should include Content-Type: application/json for POST/PUT bodies.
Common Response Codes¶
| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created |
| 202 | Accepted (async job) |
| 204 | No content (delete, logout) |
| 401 | Missing or invalid credentials |
| 403 | Insufficient permissions |
| 404 | Resource not found |
| 422 | Validation error |
Auth¶
POST /auth/login¶
Authenticate with email and password. Returns JWT and session API key.
Body:
Response: LoginResponse — access_token, expires_in, user, api_key
POST /auth/logout¶
Invalidate session. Requires JWT.
Response: 204 No Content
GET /auth/me¶
Get current user profile. Requires JWT.
Response: UserResponse
GET /auth/sso/providers¶
List enabled SSO Identity Providers (no auth required).
Response: { "providers": [{ "id": "keycloak", "name": "Keycloak", "enabled": true }] }
GET /auth/sso/login¶
Start OIDC flow. Redirects browser to IdP.
Query: provider (keycloak, okta, google, microsoft), redirect (post-login path, default /dashboard)
GET /auth/sso/callback¶
OIDC callback from IdP. Redirects to frontend with one-time sso_code.
POST /auth/sso/exchange¶
Exchange one-time SSO code for session credentials.
Body: { "code": "<sso_code>" }
Response: Same as LoginResponse
Users¶
Requires JWT with Admin or Super Admin role unless noted.
| Method | Endpoint | Description |
|---|---|---|
GET |
/users/me |
Get own profile |
PUT |
/users/me |
Update own profile |
POST |
/users/me/change-password |
Change own password |
POST |
/users |
Create user |
GET |
/users |
List users (paginated) |
GET |
/users/{user_id} |
Get user by ID |
PUT |
/users/{user_id} |
Update user |
POST |
/users/{user_id}/reset-password |
Admin password reset |
PUT |
/users/{user_id}/role |
Change user role |
POST |
/users/{user_id}/block |
Block user |
POST |
/users/{user_id}/unblock |
Unblock user |
DELETE |
/users/{user_id} |
Delete user |
List query parameters: role, search, is_active, limit (max 200), offset
API Keys¶
Requires JWT.
| Method | Endpoint | Description |
|---|---|---|
POST |
/api-keys |
Create API key (raw key shown once) |
GET |
/api-keys |
List user's API keys |
DELETE |
/api-keys/{key_id} |
Revoke API key |
Tenants¶
Requires X-Admin-Key for creation; Super Admin JWT for listing.
| Method | Endpoint | Description |
|---|---|---|
GET |
/tenants |
List all tenants (Super Admin) |
POST |
/tenants |
Create tenant (returns api_key) |
Create body:
Agents¶
Requires X-API-Key. Write operations require Developer+ role.
| Method | Endpoint | Description |
|---|---|---|
POST |
/agents/register |
Register new agent |
POST |
/agents/{agent_id}/heartbeat |
Send heartbeat (also refreshes embeddings if stale) |
GET |
/agents |
List agents (includes predicted_type / risk_score when available) |
GET |
/agents/search |
Semantic search ?q= |
GET |
/agents/{agent_id} |
Get agent |
GET |
/agents/{agent_id}/details |
Get agent with details + embedding summary |
PUT |
/agents/{agent_id} |
Update agent |
DELETE |
/agents/{agent_id} |
Delete agent |
Register body:
Discovery (Shadow AI)¶
Requires X-API-Key. Write operations require agents:update.
| Method | Endpoint | Description |
|---|---|---|
GET |
/discovery/candidates |
List discovery candidates |
POST |
/discovery/ingest |
Ingest unknown-agent event |
POST |
/discovery/ingest/batch |
Batch ingest (+ optional cluster) |
POST |
/discovery/cluster |
Schedule async cluster merge |
POST |
/discovery/candidates/{id}/confirm |
Confirm → register agent |
POST |
/discovery/candidates/{id}/dismiss |
Dismiss candidate |
Policies¶
Requires X-API-Key. Write operations require Admin role.
| Method | Endpoint | Description |
|---|---|---|
POST |
/policies |
Create policy |
GET |
/policies |
List policies |
GET |
/policies/templates |
List Rego templates |
POST |
/policies/check |
Evaluate policy for action |
GET |
/policies/{policy_id} |
Get policy |
PUT |
/policies/{policy_id} |
Update policy |
DELETE |
/policies/{policy_id} |
Delete policy |
Policy check body:
{
"agent_id": "uuid",
"action": "read_data",
"resource": "customer_pii",
"context": {"consent": true}
}
Policy check response:
{
"allowed": true,
"reason": "GDPR check passed",
"severity": null,
"required_approval": false,
"risk_score": 0.15,
"risk": {"level": "low"},
"anomaly": {"is_anomaly": false}
}
List query parameters: active_only, skip, limit
Audit¶
Requires X-API-Key. Export requires Security Analyst+ role.
| Method | Endpoint | Description |
|---|---|---|
POST |
/audit/log |
Create audit log entry |
GET |
/audit |
List audit logs |
GET |
/audit/{log_id} |
Get audit log by ID |
GET |
/audit/export/csv |
Export as CSV |
GET |
/audit/export/json |
Export as JSON |
GET |
/audit/export |
Export with format param |
POST |
/audit/export/async |
Start async export job |
GET |
/audit/export/status/{job_id} |
Check export job status |
GET |
/audit/export/download/{job_id} |
Download export file |
Log body:
{
"agent_id": "uuid",
"action": "query_database",
"resource": "customers",
"input": {},
"output": {},
"reasoning": ["step 1", "step 2"],
"risk_score": 0.2,
"is_approved": true
}
List query parameters: agent_id, action, skip, limit
Anomalies¶
Requires X-API-Key. Security Analyst+ for read.
| Method | Endpoint | Description |
|---|---|---|
GET |
/anomalies |
List anomaly reports |
GET |
/anomalies/stats |
Anomaly statistics |
POST |
/anomalies/report |
Report anomaly manually |
GET |
/anomalies/detector/status |
Detector status |
GET |
/anomalies/detector/metrics |
Detector metrics |
GET |
/anomalies/detector/versions |
Model versions |
POST |
/anomalies/detector/train |
Train detector |
GET |
/anomalies/detector/training/status |
Current training status |
GET |
/anomalies/detector/training-status/{task_id} |
Training task status |
POST |
/anomalies/detector/rollback/{version} |
Rollback model version |
DELETE |
/anomalies/detector/cancel |
Cancel training |
HITL¶
Requires X-API-Key. Approve/reject requires Security Analyst+ role.
| Method | Endpoint | Description |
|---|---|---|
POST |
/hitl/request |
Create approval request |
POST |
/hitl/approve/{approval_id} |
Approve request |
POST |
/hitl/reject/{approval_id} |
Reject request |
GET |
/hitl/status/{approval_id} |
Get request status |
GET |
/hitl/pending |
List pending requests |
Stats & Status¶
| Method | Endpoint | Auth | Description |
|---|---|---|---|
GET |
/stats |
X-API-Key |
Dashboard KPI statistics (includes Guard counters) |
GET |
/status |
X-API-Key |
Platform health and uptime |
Prompt Guard¶
| Method | Endpoint | Auth | Description |
|---|---|---|---|
GET |
/guard/health |
— | Guard liveness and config |
POST |
/guard/validate |
X-API-Key |
Validate a prompt (injection / jailbreak / leakage) |
GET |
/guard/stats |
X-API-Key |
In-process Guard metrics |
GET |
/guard/detector/status |
X-API-Key |
Per-tenant detector status |
GET |
/guard/detector/metrics |
X-API-Key |
Detector precision/recall |
GET |
/guard/detector/versions |
X-API-Key |
Model version history |
POST |
/guard/detector/train |
X-API-Key + guard:manage |
Start background training |
GET |
/guard/detector/training/status |
— | Training task progress (task_id) |
POST |
/guard/detector/rollback/{version} |
X-API-Key + guard:manage |
Roll back model version |
DELETE |
/guard/detector/cancel |
X-API-Key + guard:manage |
Cancel training |
POST |
/guard/detector/feedback |
X-API-Key + guard:manage |
Manual label (FP / attack) |
See Prompt Guard for architecture, thresholds, and SDK usage.
Health¶
No authentication required.
| Method | Endpoint | Description |
|---|---|---|
GET |
/health |
Liveness check |
GET |
/health/ready |
Readiness (DB, Redis, OPA) |
Integrations¶
| Method | Endpoint | Description |
|---|---|---|
GET |
/integrations/langchain/status |
LangChain integration status |
GET |
/integrations/openai/status |
OpenAI integration status |
SIEM (Admin)¶
Requires Super Admin JWT or X-Admin-Key.
| Method | Endpoint | Description |
|---|---|---|
GET |
/siem/status |
SIEM configuration and transport |
POST |
/siem/test |
Send test event and flush batch |
See SIEM Integration.
WebSocket¶
WS /ws?token=<jwt>¶
Real-time notification channel. Authenticate with JWT access token as query parameter.
Server events: policy.violated, anomaly.detected, hitl.requested, hitl.resolved, system.status
Webhooks (outside /api/v1)¶
| Method | Endpoint | Auth | Description |
|---|---|---|---|
POST |
/webhooks/agent |
X-Webhook-Signature |
Receive agent events |
See Webhooks for payload format and signing.
Root¶
| Method | Endpoint | Description |
|---|---|---|
GET |
/ |
Platform info and links |
Rate Limiting¶
Rate limiting is not enforced in the default development configuration. Configure at the reverse proxy level for production.