Skip to main content

API reference

Public

MethodPathPurpose
GET/healthHealth probe
POST/ or /{source}Webhook ingest
GET/config/endpointPublic/ngrok endpoint
GET/config/oauthGoogle OAuth status
GET/api/auth/googleRedirect to Google OAuth
GET/api/auth/callback/googleCallback Google OAuth
GET/api/auth/meProbe session/token/basic auth
POST/api/auth/loginLogin password
POST/api/auth/logoutLogout

Authenticated endpoints

MethodPathRole
GET/events, /events/{id}viewer+
GET/events/{id}/attemptsviewer+
GET/events/sources, /events/streamviewer+
GET/rules, /statsviewer+
POST/PATCH/DELETE/rules...admin
POST/events/{id}/retry, /events/{id}/ackadmin
DELETE/events/{id}admin
POST/events/bulk/retry, /events/bulk/deleteadmin
POST/config/default-targetadmin
POST/api/sendadmin
GET/api/organizationviewer+
GET/POST/DELETE/api/domains...admin + organization:manage
GET/POST/DELETE/api/api-keys...admin + organization:manage
GET/api/auditviewer+
GET/api/usersadmin
PATCH/api/users/{id}/roleadmin
GET/POST/DELETE/api/auth/tokens...own tokens

Use Authorization: Bearer ts_... or Basic auth. API keys can carry events:read, webhooks:send, rules:read, rules:write, and organization:manage scopes. Event listing supports search, status, source, from, to, page, and per_page (maximum 200).

Platform operator provisioning

Bootstrap the first operator with POST /api/platform/bootstrap/operator and Authorization: Bearer $PLATFORM_ADMIN_TOKEN:

{ "username": "admin" }

This endpoint only works while no operator exists. After bootstrap, sign in normally as the operator and use the internal /platform dashboard or these session-protected APIs:

  • GET /api/platform/overview
  • GET /api/platform/organizations
  • GET /api/platform/organizations/{id}
  • POST /api/platform/organizations
  • PATCH /api/platform/organizations/{id}/subscription

Hosted organizations cannot be created by a tenant admin. A platform operator creates an organization and its initial admin, plus subscriber and billing-contact data:

{
"name": "Acme",
"slug": "acme",
"username": "acme-admin",
"password": "a-long-initial-password",
"email": "admin@acme.example",
"subscriber_name": "Acme Inc.",
"billing_contact_name": "Jane Doe",
"billing_contact_email": "billing@acme.example"
}

Custom ingest domains

An admin creates a domain through POST /api/domains, then adds CNAME <domain> to INGEST_CANONICAL_HOST and TXT _terusin-verification.<domain> with the API-returned token. POST /api/domains/{id}/verify activates the domain only when both records are valid. Only an active domain accepts webhooks.

Send webhook

POST /api/send is available only to admins. Select an active provider with provider_id, or send manually with source and target_url. target_url may be empty in manual mode when a default target is configured.

{
"provider_id": "uuid-provider",
"body": { "event": "payment.success" }
}

Manual targets must use http or https, must not include URL credentials, and must pass the target network policy. X-Target-Url is disabled by default on public ingest.

Audit entry

GET /api/audit?page=1&per_page=25 returns:

{
"entries": [
{
"id": "uuid",
"actor_user_id": "uuid",
"actor_email": "admin@example.com",
"action": "rule.updated",
"resource_type": "rule",
"resource_id": "uuid",
"metadata": {},
"created_at": "2026-07-15T10:00:00"
}
],
"total": 1,
"page": 1,
"per_page": 25,
"pages": 1
}