Admin API
Every dashboard screen is a thin face over these endpoints, so anything you can click you can script. Authentication and org-scoping conventions are on the API overview; the examples here use break-glass Basic auth for brevity.
The versioned OpenAPI spec is always available from the running product at GET /admin/api-docs.
Providers
Vendor connections with encrypted master credentials. Requires MANAGE_PROVIDERS to write; any org member can read. (org-scoped)
POST/admin/providers
| Field | Type | Required | Notes |
|---|---|---|---|
name | string | yes | Unique per org |
baseUrl | string | yes | The vendor endpoint, e.g. https://api.openai.com/v1 |
apiKey | string | yes | The master credential — AES-256-GCM encrypted at rest, never returned |
protocol | string | no | openai (default), anthropic, gemini, vertex, vertex-anthropic |
orgId | UUID | platform admin only | Members are locked to their own org |
Returns 201 with {"id": "…", "name": "…"}. 409 on a duplicate name or the per-org provider cap (default 50).
GET/admin/providers
Lists the org's providers' non-secret metadata — never the credential.
PUT/admin/providers/{name}
Patch: any present field replaces; a present non-blank apiKey rotates the credential, effective on the next request.
DELETE/admin/providers/{name}
Deletes the provider and its deployments.
Deployments
Model aliases mapping to a provider and upstream model, with optional pricing. Requires MANAGE_DEPLOYMENTS. (org-scoped)
POST/admin/deployments
| Field | Type | Required | Notes |
|---|---|---|---|
alias | string | yes | What applications request as model. Same alias on several providers = load balancing |
providerName | string | yes | An existing provider in the org |
upstreamModel | string | yes | The model id the vendor actually runs |
dropParams | string[] | no | Request parameters to strip for this upstream |
inputCostPerToken, outputCostPerToken | decimal | no | Per-token pricing in the org currency — enables cost metering |
cachedInputCostPerToken, cacheWriteCostPerToken | decimal | no | Cache-read/write rates; fall back to the input rate |
currency | string | no | Defaults to the org base currency |
Returns 201 with {"id": "…", "alias": "…"}. 409 if the alias already exists on that provider, or at the per-provider deployment cap (default 100).
GET/admin/deployments
PUT/admin/deployments/{id}
DELETE/admin/deployments/{id}
Virtual keys
Requires ISSUE_KEYS; visibility is scoped to your teams unless you hold VIEW_SECURITY.
POST/admin/keys
| Field | Type | Required | Notes |
|---|---|---|---|
alias | string | yes | A label for humans |
ownerId | UUID | platform admin only | The owning org; a member's org comes from their session |
teamId, projectId | UUID | no | Placement — fixes the key's scope chain. Org-level placement (no team) needs budget authority |
ttlSeconds | number | no | Expiry; positive |
Response — token is shown once:
{
"id": "8b6f2f2e-4a1c-4b6e-9f0a-2d7c1e5a9b3d",
"token": "sk-aBcDeF...",
"alias": "checkout-service",
"hint": "sk-…b3d",
"ownerId": "11111111-…",
"teamId": "22222222-…",
"projectId": null
}
GET/admin/keys
Paginated non-secret metadata: alias, hint, scope, status, expiry. Also GET /admin/keys/{id} for one.
POST/admin/keys/{id}/suspend
POST/admin/keys/{id}/unsuspend
POST/admin/keys/{id}/revoke
Suspend is reversible (SOAR's quarantine uses it); revoke is permanent and immediate.
POST/admin/key-limits
Per-scope key-count caps (scopeLevel, scopeId, maxKeys) on top of the always-on ceiling (default 200). Read back with GET /admin/key-limits.
Organizations, teams, projects
Directory entities and membership. Requires MANAGE_TEAMS / MANAGE_MEMBERS / MANAGE_ORG per operation. (org-scoped)
GET/admin/orgs
POST/admin/orgs
GET/admin/teams
POST/admin/teams
GET/admin/projects
POST/admin/projects
Search/create for the entity pickers. Membership and invitations live under the entity:
GET/admin/orgs/{id}/members
POST/admin/orgs/{id}/invitations
POST/admin/teams/{id}/members
Invitations are role-carrying email invites; team membership supports the lead flag. Hard-deleting an org or team is allowed only when empty and cascades a tenant purge — prefer archive.
Budgets
Requires MANAGE_BUDGETS (or team lead, for a project in their team).
POST/admin/budgets
| Field | Type | Required | Notes |
|---|---|---|---|
scopeLevel | enum | yes | ORG / TEAM / PROJECT / KEY |
scopeId | UUID | yes | The org tenant id, team/project id, or key id |
model | string | no | Omit for an all-models cap; set to cap one alias |
provider | string | no | Set to make it a per-deployment cap (cost-aware failover) |
tokenLimit | number | no* | Hard token cap |
costLimit | decimal | no* | Hard cost cap (at least one of the two) |
softCostLimit | decimal | no | Warn-only threshold |
currency | string | with costLimit | Must match the org currency |
period | enum | yes | none / hourly / daily / weekly / monthly |
GET/admin/budgets/{scopeLevel}/{scopeId}
Returns the scope's budgets with caps, current window, spend, and remaining headroom. Delete one by id: DELETE /admin/budgets/{id}. Cross-org exploration for platform admins via ?orgId=.
Rate limits
Requires MANAGE_GATEWAY.
POST/admin/rate-limits
Body: scopeLevel, scopeId, rpmLimit and/or tpmLimit. Enforced as per-minute sliding windows across the scope chain; over-limit calls get 429 + Retry-After.
GET/admin/rate-limits/{scopeLevel}/{scopeId}
Returns the caps and current per-minute usage. DELETE removes a limit. A temporary SOAR-style throttle can be applied and lifted via the /throttle sub-resource.
Guardrails
Requires MANAGE_GATEWAY. (org-scoped)
POST/admin/guardrails/categories
POST/admin/guardrails/detectors
POST/admin/guardrails/policies
CRUD for the three building blocks — categories (named content buckets), detectors (REGEX in-process, REMOTE AI classifiers), and policies (category → ALLOW/FLAG/REDACT/BLOCK per scope and direction, with mask strategy and fail-closed posture). Each has matching GET/PUT/DELETE.
POST/admin/guardrails/screen
The dry-run: screen text as if it were a request or response, without calling any model.
{ "scopeLevel": "ORG", "scopeId": "ORG-UUID", "direction": "REQUEST", "text": "my email is a@b.com" }
Usage & audit
Org-scoped reads; optional team/project filters. See Audit, usage & reports.
GET/admin/usage/calls
GET/admin/usage/spend
GET/admin/usage/spend-series
GET/admin/usage/activity
Filterable audit rows; spend grouped by model; the same per time bucket; and call/token density heatmap data. Admin sign-ins: GET /admin/auth-events (requires VIEW_SECURITY).
Reports
Requires MANAGE_REPORTS to author and run.
POST/admin/reports/definitions
POST/admin/reports/definitions/{id}/run
Definitions carry dataset, scope, window, format, schedule, delivery mode, and optional password; a run produces a TTL'd artifact downloaded through the gated endpoint.
SIEM & security actions (Pro)
Requires VIEW_SECURITY; rule management requires MANAGE_GATEWAY.
GET/admin/siem/events
Match-expression search over the normalized event stream, plus /admin/siem/spend, /timeline, /breakdown aggregations. Detection and Sigma rule CRUD under /admin/siem/detections and /admin/siem/sigma.
GET/admin/security-actions
POST/admin/security-actions/{id}/disposition
The SOAR containment feed and its triage — mark CONFIRMED or FALSE_POSITIVE.
Session & identity
GET/admin/me
The signed-in principal, org, role, and capabilities — what the dashboard renders from. POST /admin/login / POST /admin/logout drive the browser session; onboarding and profile live under /admin/me/*.