API reference
The Nolixan REST API surface — base URL, auth, the response envelope, and a catalog of every endpoint group.
All endpoints are mounted under /api/v1. Public (SDK) routes authenticate with an API key; admin routes authenticate with a JWT and (where noted) an Environment-Id header. See Authentication for the three auth methods.
Response envelope
Successful responses return the resource directly. Errors are always normalized to a single envelope:
- Validation errors →
{ "error": { "code": "validation_error", "message": "Invalid request", "details": [...] } }(HTTP 422). - Unhandled errors →
{ "error": { "code": "internal_server_error", "message": "An unexpected error occurred" } }(HTTP 500).
Stack traces and SQL never reach the client. See Troubleshooting for status codes and Rate limits for 429 + X-RateLimit-* headers.
Execution & connections (API-Key)
| Method | Path | Purpose |
|---|---|---|
POST | /actions/execute | Run a governed action (Executing actions) |
POST | /actions/execute-async | Run asynchronously; pair with /actions/await-webhook |
POST | /actions/{provider}/{action_name}/policy-check | Dry-run the policy decision |
GET | /catalog, /catalog/{provider} | Browse providers and actions |
GET | /actions/{provider}/{action_name} | Action schema + risk classification |
GET/POST | /connections, /connections/{provider}/{connection_id} | Manage connections |
POST | /connections/{provider}/{connection_id}/test | Health-check a connection |
* | /proxy/{provider}/{connection_id}/... | Governed passthrough to the provider API |
POST | /mcp/, GET /mcp/config | MCP gateway (JSON-RPC) |
Governance (JWT)
| Group | Base path | Docs |
|---|---|---|
| Policies (allow/deny/approval/transform, simulate, lineage) | /governance/policies | Policies |
| Approvals (list, approve, deny) | /governance/approvals | Approvals |
| Tool-poisoning scan | /governance/tool-scan | Tool scanner |
| Data redaction (DLP) | /redaction/* | Redaction |
| Compliance, data export, retention, SIEM | /compliance/* | Compliance |
| Spend budgets | /cost/* | Spend budgets |
| SLOs | /slo/* | SLOs |
| Agent identity + JIT credentials | /agents/* | Agent identity |
Platform (JWT)
| Group | Base path | Docs |
|---|---|---|
| API keys & grants | /api-keys/* | API keys |
| Team & roles | /team/*, /roles/* | Team & RBAC |
| MCP OAuth (AS+RS) | /oauth-server/*, /.well-known/oauth-* | MCP OAuth |
| Webhooks & triggers | /webhook*, /triggers/* | Webhooks · Triggers |
| Audit export | /admin/audit-events/export | Audit export |
| Usage & metering | /admin/usage/* | Observability |
The backend also serves an OpenAPI schema at
/openapi.jsonand interactive docs at/docson the API host — useful for exploring exact request/response models.