Admin API

Admin API

Every dashboard screen is a thin face over these endpoints, so anything you can click you can script. Authentication and org-scoping conventions are on the API overview; the examples here use break-glass Basic auth for brevity.

The versioned OpenAPI spec is always available from the running product at GET /admin/api-docs.

Providers

Vendor connections with encrypted master credentials. Requires MANAGE_PROVIDERS to write; any org member can read. (org-scoped)

POST/admin/providers

FieldTypeRequiredNotes
namestringyesUnique per org
baseUrlstringyesThe vendor endpoint, e.g. https://api.openai.com/v1
apiKeystringyesThe master credential — AES-256-GCM encrypted at rest, never returned
protocolstringnoopenai (default), anthropic, gemini, vertex, vertex-anthropic
orgIdUUIDplatform admin onlyMembers are locked to their own org

Returns 201 with {"id": "…", "name": "…"}. 409 on a duplicate name or the per-org provider cap (default 50).

GET/admin/providers

Lists the org's providers' non-secret metadata — never the credential.

PUT/admin/providers/{name}

Patch: any present field replaces; a present non-blank apiKey rotates the credential, effective on the next request.

DELETE/admin/providers/{name}

Deletes the provider and its deployments.

Deployments

Model aliases mapping to a provider and upstream model, with optional pricing. Requires MANAGE_DEPLOYMENTS. (org-scoped)

POST/admin/deployments

FieldTypeRequiredNotes
aliasstringyesWhat applications request as model. Same alias on several providers = load balancing
providerNamestringyesAn existing provider in the org
upstreamModelstringyesThe model id the vendor actually runs
dropParamsstring[]noRequest parameters to strip for this upstream
inputCostPerToken, outputCostPerTokendecimalnoPer-token pricing in the org currency — enables cost metering
cachedInputCostPerToken, cacheWriteCostPerTokendecimalnoCache-read/write rates; fall back to the input rate
currencystringnoDefaults to the org base currency

Returns 201 with {"id": "…", "alias": "…"}. 409 if the alias already exists on that provider, or at the per-provider deployment cap (default 100).

GET/admin/deployments

PUT/admin/deployments/{id}

DELETE/admin/deployments/{id}

Virtual keys

Requires ISSUE_KEYS; visibility is scoped to your teams unless you hold VIEW_SECURITY.

POST/admin/keys

FieldTypeRequiredNotes
aliasstringyesA label for humans
ownerIdUUIDplatform admin onlyThe owning org; a member's org comes from their session
teamId, projectIdUUIDnoPlacement — fixes the key's scope chain. Org-level placement (no team) needs budget authority
ttlSecondsnumbernoExpiry; positive

Response — token is shown once:

JSON
{
  "id": "8b6f2f2e-4a1c-4b6e-9f0a-2d7c1e5a9b3d",
  "token": "sk-aBcDeF...",
  "alias": "checkout-service",
  "hint": "sk-…b3d",
  "ownerId": "11111111-…",
  "teamId": "22222222-…",
  "projectId": null
}

GET/admin/keys

Paginated non-secret metadata: alias, hint, scope, status, expiry. Also GET /admin/keys/{id} for one.

POST/admin/keys/{id}/suspend

POST/admin/keys/{id}/unsuspend

POST/admin/keys/{id}/revoke

Suspend is reversible (SOAR's quarantine uses it); revoke is permanent and immediate.

POST/admin/key-limits

Per-scope key-count caps (scopeLevel, scopeId, maxKeys) on top of the always-on ceiling (default 200). Read back with GET /admin/key-limits.

Organizations, teams, projects

Directory entities and membership. Requires MANAGE_TEAMS / MANAGE_MEMBERS / MANAGE_ORG per operation. (org-scoped)

GET/admin/orgs

POST/admin/orgs

GET/admin/teams

POST/admin/teams

GET/admin/projects

POST/admin/projects

Search/create for the entity pickers. Membership and invitations live under the entity:

GET/admin/orgs/{id}/members

POST/admin/orgs/{id}/invitations

POST/admin/teams/{id}/members

Invitations are role-carrying email invites; team membership supports the lead flag. Hard-deleting an org or team is allowed only when empty and cascades a tenant purge — prefer archive.

Budgets

Requires MANAGE_BUDGETS (or team lead, for a project in their team).

POST/admin/budgets

FieldTypeRequiredNotes
scopeLevelenumyesORG / TEAM / PROJECT / KEY
scopeIdUUIDyesThe org tenant id, team/project id, or key id
modelstringnoOmit for an all-models cap; set to cap one alias
providerstringnoSet to make it a per-deployment cap (cost-aware failover)
tokenLimitnumberno*Hard token cap
costLimitdecimalno*Hard cost cap (at least one of the two)
softCostLimitdecimalnoWarn-only threshold
currencystringwith costLimitMust match the org currency
periodenumyesnone / hourly / daily / weekly / monthly

GET/admin/budgets/{scopeLevel}/{scopeId}

Returns the scope's budgets with caps, current window, spend, and remaining headroom. Delete one by id: DELETE /admin/budgets/{id}. Cross-org exploration for platform admins via ?orgId=.

Rate limits

Requires MANAGE_GATEWAY.

POST/admin/rate-limits

Body: scopeLevel, scopeId, rpmLimit and/or tpmLimit. Enforced as per-minute sliding windows across the scope chain; over-limit calls get 429 + Retry-After.

GET/admin/rate-limits/{scopeLevel}/{scopeId}

Returns the caps and current per-minute usage. DELETE removes a limit. A temporary SOAR-style throttle can be applied and lifted via the /throttle sub-resource.

Guardrails

Requires MANAGE_GATEWAY. (org-scoped)

POST/admin/guardrails/categories

POST/admin/guardrails/detectors

POST/admin/guardrails/policies

CRUD for the three building blocks — categories (named content buckets), detectors (REGEX in-process, REMOTE AI classifiers), and policies (category → ALLOW/FLAG/REDACT/BLOCK per scope and direction, with mask strategy and fail-closed posture). Each has matching GET/PUT/DELETE.

POST/admin/guardrails/screen

The dry-run: screen text as if it were a request or response, without calling any model.

JSON
{ "scopeLevel": "ORG", "scopeId": "ORG-UUID", "direction": "REQUEST", "text": "my email is a@b.com" }

Usage & audit

Org-scoped reads; optional team/project filters. See Audit, usage & reports.

GET/admin/usage/calls

GET/admin/usage/spend

GET/admin/usage/spend-series

GET/admin/usage/activity

Filterable audit rows; spend grouped by model; the same per time bucket; and call/token density heatmap data. Admin sign-ins: GET /admin/auth-events (requires VIEW_SECURITY).

Reports

Requires MANAGE_REPORTS to author and run.

POST/admin/reports/definitions

POST/admin/reports/definitions/{id}/run

Definitions carry dataset, scope, window, format, schedule, delivery mode, and optional password; a run produces a TTL'd artifact downloaded through the gated endpoint.

SIEM & security actions (Pro)

Requires VIEW_SECURITY; rule management requires MANAGE_GATEWAY.

GET/admin/siem/events

Match-expression search over the normalized event stream, plus /admin/siem/spend, /timeline, /breakdown aggregations. Detection and Sigma rule CRUD under /admin/siem/detections and /admin/siem/sigma.

GET/admin/security-actions

POST/admin/security-actions/{id}/disposition

The SOAR containment feed and its triage — mark CONFIRMED or FALSE_POSITIVE.

Session & identity

GET/admin/me

The signed-in principal, org, role, and capabilities — what the dashboard renders from. POST /admin/login / POST /admin/logout drive the browser session; onboarding and profile live under /admin/me/*.