API reference
The public plane is authenticated with an ingest key (ik_live_…).
The console's admin API (/admin/api/*) is session-authenticated and used by the
app — sign in to explore it.
Ingest
POST /v1/ingest/{ingest_key} # route via your rules
POST /v1/ingest/{ingest_key}/{dataset} # route straight to {dataset}
POST /v1/webhooks/{ingest_key}/{slug} # a configured webhook endpoint
Bodies are JSON. Without a {dataset} the payload runs your mapping rules;
with one it's stored as a single record in that dataset. The webhook route uses the mapping
configured for that endpoint's slug (append -v2 etc. to target a version).
Streaming
GET /v1/stream # live tail (SSE or WebSocket) See Live streaming for SSE/WebSocket details and resume.
Request headers
| Header | Purpose |
|---|---|
Content-Type | application/json (request bodies are JSON). |
Idempotency-Key | Optional. Dedupes retries; the same submission is returned and never double-counted. |
X-Hookie-Signature | Required only for keys with signature enforcement. t=<unix>,v1=<hex> over <t>.<body>. |
Authorization | Bearer <ingest_key> for GET /v1/stream (or ?key= for EventSource). |
Response codes
| Status | Meaning |
|---|---|
201 Created | Event stored and routed. |
200 OK | Idempotent replay — the original submission is returned. |
400 Bad Request | Body isn't valid JSON. |
401 Unauthorized | Missing/invalid inbound signature (when required), or missing stream key. |
403 Forbidden | Source IP not in the allowlist. |
404 Not Found | Unknown ingest key or webhook endpoint. |
429 Too Many Requests | Edge rate limit or monthly quota exceeded (see Retry-After). |
Outbound (to your endpoints)
Deliveries are signed and carry Hookie-Signature, Hookie-Event-Id, and
Hookie-Delivery-Id. Delivery is at-least-once and unordered — dedupe on the event id
and verify the signature.