API v1 · stable

REST + MCP API

Base URL: https://api.triago.com/v1. JSON request/response. Bearer auth. Rate-limited per workspace.

Authentication

# Bearer token in header
curl https://api.triago.com/v1/alerts \
  -H "Authorization: Bearer trg_live_xxx" \
  -H "Content-Type: application/json"

POST /alerts

Submit an alert for investigation. Returns an investigation id.

POST /v1/alerts
{
  "source": "splunk",
  "workflow": "phishing.user_report",
  "payload": { ... },
  "context": { "user_id": "kdavis" }
}
// 202 Accepted
{ "investigation_id": "inv_01H...", "status": "queued" }

GET /investigations/:id

Returns full trace, verdict, evidence, and actions taken.

{
  "id": "inv_01H...",
  "status": "resolved",
  "verdict": { "label": "benign", "confidence": 0.94 },
  "trace": [ ... ],
  "actions": ["notify_user", "require_mfa_step_up"],
  "latency_ms": 11234,
  "credits": 3
}

GET /verdicts

List verdicts with filters: workflow, label, confidence range, time window.

PUT /policies/:workflow

Upsert a policy. Returns the new version id. Old versions remain queryable.

GET /workflows

List available workflows and their schemas.

GET /audit

Stream the immutable audit log. Supports cursor pagination and webhook export.

Webhooks

Subscribe to investigation.resolved, verdict.abstained, policy.changed, action.executed. Each delivery is signed with HMAC-SHA256.
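Receiver-side verification of a signed delivery, as an added example (not the Triago SDK's own code). The page only states that deliveries use HMAC-SHA256; the `sha256=<hex>` header format, the signature header name and the `type` field of the event body are assumptions, and the secret and payload are constructed.

```python
import hashlib
import hmac
import json
from typing import Optional

# Event types listed in the Webhooks section of the page.
KNOWN_EVENTS = {
    "investigation.resolved",
    "verdict.abstained",
    "policy.changed",
    "action.executed",
}


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded.

    The "sha256=<hex>" layout is an assumption for this example; use whatever
    format the delivery headers actually carry.
    """
    digest = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: bytes, raw_body: bytes, signature_header: str) -> Optional[dict]:
    """Return the parsed event if the MAC is valid, otherwise None.

    Verify over the raw bytes (re-serialising parsed JSON would change the
    bytes and break the MAC), compare in constant time, and only parse the
    body after the signature checks out.
    """
    expected = sign_body(secret, raw_body).encode()
    presented = (signature_header or "").encode()
    if not hmac.compare_digest(expected, presented):
        return None
    event = json.loads(raw_body)
    if event.get("type") not in KNOWN_EVENTS:  # "type" field name is assumed
        return None
    return event


# Constructed sample delivery; not a real Triago payload or secret.
SECRET = b"whsec_example_constructed"
SAMPLE_BODY = json.dumps({
    "type": "investigation.resolved",
    "data": {"id": "inv_example", "verdict": {"label": "benign", "confidence": 0.94}},
}).encode()
```

Wire `verify_webhook` into the handler that receives the raw HTTP body, and reject (HTTP 4xx) any delivery for which it returns None.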

Errors

All errors return a JSON body with code, message, and request_id. Standard HTTP codes: 400, 401, 403, 404, 409, 422, 429, 5xx.

SDKs

Official: @triago/sdk (TypeScript), triago (Python). Community: Go, Ruby. MCP server: triago-mcp.