API Reference

REST API endpoints for license management, policy distribution, and audit collection.

Endpoints

Method  Path                    Description
GET     /api/license            Get or issue license
POST    /api/license/refresh    Force-refresh license
GET     /api/policy             List policies
POST    /api/policy             Create policy
GET     /api/policy/:id         Get policy by ID
PUT     /api/policy/:id         Update policy
DELETE  /api/policy/:id         Soft-delete policy
GET     /api/policy/fetch       Fetch active YAML
GET     /api/audit              Query audit events
POST    /api/audit/ingest       Ingest audit events
GET     /api/keys               List API keys
POST    /api/keys               Create API key
DELETE  /api/keys/:id           Revoke API key
GET     /api/admin/members      List members
PATCH   /api/admin/members/:id  Change member role

Authentication

API requests are authenticated with Bearer tokens. The web dashboard uses session cookies; the CLI uses API keys sent in the Authorization: Bearer tirith_... header.

shell
# Bearer token authentication
$ curl -H "Authorization: Bearer tirith_sk_..." \
    https://api.tirith.sh/api/license

License

GET /api/license

Get or issue a license key for the authenticated user's org.

Auth: Session / API Key

Returns the signed license token and expiry. Creates a new one if none exists or the current one is expired.

response.json
{
  "token": "eyJhbGciOiJFZDI1NTE5...",
  "expires_at": "2026-03-21T00:00:00Z",
  "tier": "pro",
  "org_id": "org_abc123"
}

POST /api/license/refresh

Force-refresh the license key for the org.

Auth: Session / API Key

Policy

GET /api/policy

List all policies for the org.

Auth: Session / API Key | Tier: Team+

POST /api/policy

Create a new policy.

Auth: Session (admin/owner) | Tier: Team+

GET /api/policy/:id

Get a specific policy including YAML content.

Auth: Session / API Key | Tier: Team+

PUT /api/policy/:id

Update a policy. Increments version automatically.

Auth: Session (admin/owner) | Tier: Team+

DELETE /api/policy/:id

Soft-delete a policy (sets active=false).

Auth: Session (admin/owner) | Tier: Team+

GET /api/policy/fetch

Fetch the active policy YAML for CLI consumption.

Auth: API Key | Tier: Team+

Audit

GET /api/audit

Query audit events with pagination and filtering.

Auth: Session (admin/owner) | Tier: Team+

Query params: since, until, action, rule_id, session_id, page, limit (max 200).

POST /api/audit/ingest

Ingest audit events from CLI clients.

Auth: API Key | Tier: Team+

API Keys

GET /api/keys

List all non-revoked API keys for the org (prefix only, never the hash).

Auth: Session

POST /api/keys

Create a new API key. Returns the raw key once. Max 10 per org.

Auth: Session

DELETE /api/keys/:id

Revoke an API key (soft-delete). Must belong to your org.

Auth: Session
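
The key-handling rules above (raw key returned once, listings show only a prefix, revocation is a soft-delete scoped to the caller's org, at most 10 keys per org) can be met by storing only a digest of each key. The following is an added sketch, not Tirith's server code: the KeyStore class, its method names, the SHA-256 digest, the displayed prefix length, and counting only non-revoked keys toward the limit are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEY_PREFIX = "tirith_sk_"          # prefix shown in the page's curl example
MAX_KEYS_PER_ORG = 10              # limit stated for POST /api/keys
SHOWN_CHARS = len(KEY_PREFIX) + 4  # assumption: how much of a key may be listed

@dataclass
class StoredKey:
    key_id: str
    org_id: str
    prefix: str        # safe to display
    digest: bytes      # SHA-256 of the raw key; never returned by list_keys
    revoked: bool = False

class KeyStore:
    """Hypothetical in-memory store; a real service would use a database."""
    def __init__(self):
        self._keys = {}

    def _active(self, org_id):
        return [k for k in self._keys.values() if k.org_id == org_id and not k.revoked]

    def create(self, org_id):
        # Assumption: only non-revoked keys count toward the per-org limit.
        if len(self._active(org_id)) >= MAX_KEYS_PER_ORG:
            raise PermissionError("key limit reached for org")
        raw = KEY_PREFIX + secrets.token_urlsafe(32)   # high entropy, so a plain hash suffices
        key_id = secrets.token_hex(8)
        digest = hashlib.sha256(raw.encode()).digest()
        self._keys[key_id] = StoredKey(key_id, org_id, raw[:SHOWN_CHARS], digest)
        return key_id, raw                             # the only time the raw key is available

    def list_keys(self, org_id):
        return [{"id": k.key_id, "prefix": k.prefix} for k in self._active(org_id)]

    def revoke(self, org_id, key_id):
        key = self._keys.get(key_id)
        if key is None or key.org_id != org_id:        # same error either way: no cross-org oracle
            raise LookupError("key not found")
        key.revoked = True                             # soft-delete: the record is kept

    def authenticate(self, raw):
        # Map a presented Bearer key to its org_id, or None if unknown or revoked.
        digest = hashlib.sha256(raw.encode()).digest()
        for k in self._keys.values():
            if not k.revoked and hmac.compare_digest(k.digest, digest):
                return k.org_id
        return None
```
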

Members

GET /api/admin/members

List org members.

Auth: Session (admin/owner) | Tier: Team+

PATCH /api/admin/members/:id

Change a member's role. Only owners can change roles.

Auth: Session (owner) | Tier: Team+