Introduction

https://api.isnotai.com

The Not AI Public REST API is a read-only, customer- and AI-agent-facing wrapper on top of the data the Not AI platform already collects. If your application or agent needs to read sessions, users, courses, events, or analytics out of Not AI, this is the surface to call.

Not AI is an AI-agent detection platform. The browser pixel collects behavioral signals, the edge and ingest tiers score them, and the dashboard at dash.isnotai.com lets your team review what was detected. This API exposes that same scored data over standard HTTPS + JSON so you can pull it into your own systems.

What it does

The v1 surface is read-only and exposes the following resources:

• Sessions. /v1/sessions, /v1/sessions/{id}, /v1/sessions/{id}/details, /v1/sessions/{id}/events
• Users. /v1/users, /v1/users/{id}/sessions (integration-neutral identifiers)
• Courses. /v1/courses (extracted from session URLs)
• Analytics. /v1/analytics (time-series + summary)
• Stats. /v1/stats (high-level integration counters)
• Usage. /v1/usage (your own API consumption)
• Self. /v1/integration (the integration the presented key resolved to)
• Health. /health (unauthenticated liveness probe)
• Spec. /openapi/v3.json and /swagger (OpenAPI 3 document and UI)

Every authenticated route is prefixed with /v1/. The full path list and response schemas live in the OpenAPI document.

What it does not do

The v1 surface is deliberately small. It does not:

• Mutate state. There are no POST, PUT, PATCH, or DELETE endpoints in v1.
• Provision API keys, manage subscriptions, configure notifications, or onboard integrations. Those flows live in the dashboard at dash.isnotai.com.
• Authenticate end-users. API keys are integration-scoped. One key represents one customer integration, not a single human.
• Expose internal fields. Anything not in the OpenAPI document stays on the dashboard side.

If you need any of the above, use the dashboard.

Production servers

https://api.isnotai.com      Production (US)
https://api-eu.isnotai.com   Production (EU)

The two apexes are fully isolated stacks. EU and US data never share storage. An API key minted in the US dashboard works only against https://api.isnotai.com; an EU key works only against https://api-eu.isnotai.com. Pick the base URL that matches the region your integration was provisioned in. The region toggle at the top of these docs rewrites the https://api.isnotai.com placeholder in every code sample on the site.

Design principles

These are locked for v1. They are not subject to negotiation inside the v1 series.

• Versioned. Every authenticated route is under /v1/. Adding fields is non-breaking; removing or renaming a field requires /v2/.
• JSON only. Request and response bodies are application/json. Field names are camelCase, timestamps are ISO-8601, enums are strings.
• Uniform envelopes. Single items are { "data": { ... } }. Collections are { "data": [...], "pagination": { ... } }. Errors are { "error": { "code", "message", "details" } }.
• Key implies integration. The integration is resolved from the validated aik_v1_* key. There is no {integrationHash} segment in any URL.
• OpenAPI is the contract. The spec at /openapi/v3.json is generated from source. The copy on this site is the artifact published by the release pipeline.
• Standard HTTP semantics. 200/204 for success, 400/401/403/404/429 for client problems, 5xx for server problems. Codes are stable strings, not numeric ids.
• Idempotent and safe. All v1 endpoints are GET.

Where to go next

• Getting Started. Call the API end-to-end in five minutes.
• Authentication. How aik_v1_* keys are presented and validated.
• Pagination. The cursor envelope used by every list endpoint.
• Error Handling. The error envelope and the stable code list.
• Rate Limits. Per-tier quotas, the x-isnotai-tier echo header, and backoff guidance.