v1). This page covers the conventions that apply
to every endpoint. The individual endpoints — with request/response schemas and a live
playground — are listed in the sidebar.
Base URL
All endpoints are served under/api/v1. In the sandbox that is:
https://molesignal.example.com/api/v1).
Authentication
Every endpoint requires a bearer token unless noted otherwise:- a JWT obtained from
POST /api/v1/auth/login, or - an API token shaped
ms_<prefix>_<secret>(see Security).
Only three routes are unauthenticated:
/api/v1/healthz, /api/v1/auth/login, and /metrics.Requests
- Request bodies are JSON (
Content-Type: application/json), except the ingest endpoints that emulate other protocols (Elasticsearch_bulk, Loki, Prometheus remote_write), which take their native formats. - Timestamps are microseconds since the Unix epoch — both in ingested records (
_timestamp) and in query time ranges (time_range.start/time_range.end). - Tenancy: every request is scoped to your
org_id. The server rewrites anorg_idpredicate into every query plan, so data never crosses orgs.
Successful responses
2xx responses return JSON. The shape depends on the endpoint (each is documented on its own page).
For example, the query endpoint returns:
Accept: application/x-ndjson; streaming
bypasses the query_result cache.
Error responses
Errors return a uniform JSON envelope with a singleerror message:
Status codes
| Code | Meaning |
|---|---|
200 | Success |
400 | Invalid argument |
401 | Unauthorized — token missing or invalid |
403 | Forbidden — insufficient role or license |
404 | Not found, or a cross-org lookup |
409 | Conflict — unique constraint or state conflict |
413 | Quota exhausted (storage cap) |
429 | Rate limited (ingest/query QPS quota) |
Rate limits & quotas
Each org has per-tenant quotas on ingest QPS, query QPS, and storage. Exceeding them returns429
(rate) or 413 (storage), each accompanied by an audit entry and an alert. See
Security.