# Not AI Public REST API

## Description
Read-only, customer-facing REST API for the Not AI AI-agent detection platform. Authenticate every request with the aik_v1_ API key minted in the Not AI dashboard, via 'Authorization: Bearer aik_v1_...' or the 'x-api-key' header. All routes are versioned under /v1 and return stable, self-describing JSON.

## Servers
- https://api.isnotai.com: Production (US)
- https://api-eu.isnotai.com: Production (EU)

## Endpoints and operations

### [Analytics](/developers/analytics.md)
- [Aggregated analytics for the integration](/developers/analytics/getanalytics.md)
### [Courses](/developers/courses.md)
- [List LMS courses extracted from session URLs](/developers/courses/listcourses.md)
### [Health](/developers/health.md)
- [Health probe](/developers/health/health.md)
### [Self](/developers/self.md)
- [Get the integration this API key resolved to](/developers/self/getintegration.md)
### [Sessions](/developers/sessions.md)
- [Get a single tracking session by id](/developers/sessions/getsession.md)
- [Get detailed session data (timeline + event counts + page history)](/developers/sessions/getsessiondetails.md)
- [List event-level metadata for a session](/developers/sessions/listevents.md)
- [List tracking sessions for the caller's integration](/developers/sessions/listsessions.md)
### [Stats](/developers/stats.md)
- [Get high-level integration stats](/developers/stats/getstats.md)
### [Usage](/developers/usage.md)
- [Get API consumption metrics for the integration over a date range](/developers/usage/getusage.md)
### [Users](/developers/users.md)
- [Get sessions for an LMS user (paginated)](/developers/users/getusersessions.md)
- [List LMS users correlated with sessions](/developers/users/listusers.md)

---

# Introduction

<!-- api-info -->

The Not AI Public REST API is a read-only, customer- and AI-agent-facing wrapper on top of the data the Not AI platform already collects. If your application or agent needs to read sessions, users, courses, events, or analytics out of Not AI, this is the surface to call.

Not AI is an AI-agent detection platform. The browser pixel collects behavioral signals, the edge and ingest tiers score them, and the dashboard at `dash.isnotai.com` lets your team review what was detected. This API exposes that same scored data over standard HTTPS + JSON so you can pull it into your own systems.

## What it does

The v1 surface is read-only and exposes the following resources:

- **Sessions**. `/v1/sessions`, `/v1/sessions/{id}`, `/v1/sessions/{id}/details`, `/v1/sessions/{id}/events`
- **Users**. `/v1/users`, `/v1/users/{id}/sessions` (integration-neutral identifiers)
- **Courses**. `/v1/courses` (extracted from session URLs)
- **Analytics**. `/v1/analytics` (time-series + summary)
- **Stats**. `/v1/stats` (high-level integration counters)
- **Usage**. `/v1/usage` (your own API consumption)
- **Self**. `/v1/integration` (the integration the presented key resolved to)
- **Health**. `/health` (unauthenticated liveness probe)
- **Spec**. `/openapi/v3.json` and `/swagger` (OpenAPI 3 document and UI)

Every authenticated route is prefixed with `/v1/`. The full path list and response schemas live in the [OpenAPI document](/developers/spec/swagger.json).

## What it does not do

The v1 surface is deliberately small. It does not:

- Mutate state. There are no `POST`, `PUT`, `PATCH`, or `DELETE` endpoints in v1.
- Provision API keys, manage subscriptions, configure notifications, or onboard integrations. Those flows live in the dashboard at `dash.isnotai.com`.
- Authenticate end-users. API keys are integration-scoped. One key represents one customer integration, not a single human.
- Expose internal fields. Anything not in the OpenAPI document stays on the dashboard side.

If you need any of the above, use the dashboard.

## Production servers

```
https://api.isnotai.com      Production (US)
https://api-eu.isnotai.com   Production (EU)
```

The two apexes are fully isolated stacks. EU and US data never share storage. An API key minted in the US dashboard works only against `https://api.isnotai.com`; an EU key works only against `https://api-eu.isnotai.com`. Pick the base URL that matches the region your integration was provisioned in. The region toggle at the top of these docs rewrites the `https://api.isnotai.com` placeholder in every code sample on the site.

## Design principles

These are locked for v1. They are not subject to negotiation inside the v1 series.

- **Versioned.** Every authenticated route is under `/v1/`. Adding fields is non-breaking; removing or renaming a field requires `/v2/`.
- **JSON only.** Request and response bodies are `application/json`. Field names are camelCase, timestamps are ISO-8601, enums are strings.
- **Uniform envelopes.** Single items are `{ "data": { ... } }`. Collections are `{ "data": [...], "pagination": { ... } }`. Errors are `{ "error": { "code", "message", "details" } }`.
- **Key implies integration.** The integration is resolved from the validated `aik_v1_*` key. There is no `{integrationHash}` segment in any URL.
- **OpenAPI is the contract.** The spec at `/openapi/v3.json` is generated from source. The copy on this site is the artifact published by the release pipeline.
- **Standard HTTP semantics.** 200/204 for success, 400/401/403/404/429 for client problems, 5xx for server problems. Codes are stable strings, not numeric ids.
- **Idempotent and safe.** All v1 endpoints are `GET`.

## Where to go next

- [Getting Started](/developers/getting-started). Call the API end-to-end in five minutes.
- [Authentication](/developers/authentication). How `aik_v1_*` keys are presented and validated.
- [Pagination](/developers/pagination). The cursor envelope used by every list endpoint.
- [Error Handling](/developers/error-handling). The error envelope and the stable code list.
- [Rate Limits](/developers/rate-limits). Per-tier quotas, the `x-isnotai-tier` echo header, and backoff guidance.