API reference

The public plane is authenticated with an ingest key (ik_live_…). The console's admin API (/admin/api/*) is session-authenticated and used by the app — sign in to explore it.

Ingest

POST /v1/ingest/{ingest_key}            # route via your rules
POST /v1/ingest/{ingest_key}/{dataset}  # route straight to {dataset}
POST /v1/webhooks/{ingest_key}/{slug}   # a configured webhook endpoint

Bodies are JSON. Without a {dataset} the payload runs your mapping rules; with one it's stored as a single record in that dataset. The webhook route uses the mapping configured for that endpoint's slug (append -v2 etc. to target a version).

Streaming

GET  /v1/stream                         # live tail (SSE or WebSocket)

See Live streaming for SSE/WebSocket details and resume.

Request headers

HeaderPurpose
Content-Typeapplication/json (request bodies are JSON).
Idempotency-KeyOptional. Dedupes retries; the same submission is returned and never double-counted.
X-Hookie-SignatureRequired only for keys with signature enforcement. t=<unix>,v1=<hex> over <t>.<body>.
AuthorizationBearer <ingest_key> for GET /v1/stream (or ?key= for EventSource).

Response codes

StatusMeaning
201 CreatedEvent stored and routed.
200 OKIdempotent replay — the original submission is returned.
400 Bad RequestBody isn't valid JSON.
401 UnauthorizedMissing/invalid inbound signature (when required), or missing stream key.
403 ForbiddenSource IP not in the allowlist.
404 Not FoundUnknown ingest key or webhook endpoint.
429 Too Many RequestsEdge rate limit or monthly quota exceeded (see Retry-After).

Outbound (to your endpoints)

Deliveries are signed and carry Hookie-Signature, Hookie-Event-Id, and Hookie-Delivery-Id. Delivery is at-least-once and unordered — dedupe on the event id and verify the signature.