API Overview
The Estratos REST API is a RESTful JSON API covering authentication test endpoints and full webhook endpoint management. The memory surface Estratos is built around is exposed to AI assistants over the MCP server rather than these REST endpoints.
Interactive reference: The full API specification with request/response schemas and a built-in "Try it out" tool lives at the interactive API reference. The raw OpenAPI spec is at
/api/v1/openapi.yaml. This page is a narrative overview -- use the interactive reference for endpoint-level details.
Base URL
All API endpoints are available at:
https://estratos.ai/api/v1/
Authentication
Every request must include an Authorization header with a Bearer token:
Authorization: Bearer YOUR_API_KEY
There are two ways to get a token:
- API keys -- workspace owners create keys under API Keys in the sidebar. Pick the scopes the key needs; the key is shown once at creation and is a long-lived Bearer token — paste it directly into the
Authorizationheader, no token exchange required. Keys can be revoked at any time. - OAuth 2.0 authorization code grant -- for third-party applications that act on behalf of a user. Estratos is a full OAuth 2.0 provider with authorize, token, revoke, and introspect endpoints under
/oauth, dynamic client registration (RFC 7591) atPOST /oauth/register, and discovery documents at/.well-known/oauth-authorization-serverand/.well-known/oauth-protected-resource. During authorization the user picks which workspace to connect, and the issued token is scoped to it.
API access requires the api-access entitlement on the workspace's plan; without it, requests return 403 with type forbidden.
Scopes
Tokens carry scopes that limit which endpoints they can call:
| Scope | Grants access to |
|---|---|
profile:read |
Baseline read access — request this for connections that only need to identify the workspace |
webhooks:manage |
Full CRUD on webhook endpoints, plus test deliveries |
GET /api/v1/ping and GET /api/v1/me accept any valid token, regardless of scope. Calling an endpoint without the required scope returns 403 with type insufficient_scope.
The memories:* scopes (plus the reserved hierarchy:admin, members:admin, and audit:read scopes) power the AI-assistant surface over the MCP server rather than these REST endpoints — see the MCP scopes table for the full list and what each grants.
Quick start
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://estratos.ai/api/v1/ping
{
"status": "ok",
"account": { "id": "…", "name": "Your Workspace" },
"token": { "application": "My integration", "scopes": ["webhooks:manage"] }
}
Available endpoints
| Endpoint | Description | Required scope |
|---|---|---|
GET /api/v1/ping |
Health check; returns account and token metadata | any valid token |
GET /api/v1/me |
The authenticated workspace's id, name, slug, and token scopes | any valid token |
GET /api/v1/webhook_endpoints |
List webhook endpoints | webhooks:manage |
GET /api/v1/webhook_endpoints/:id |
Get an endpoint with its 10 most recent deliveries | webhooks:manage |
POST /api/v1/webhook_endpoints |
Create an endpoint; the response includes the signing secret (only time it's returned) | webhooks:manage |
PATCH /api/v1/webhook_endpoints/:id |
Update an endpoint | webhooks:manage |
DELETE /api/v1/webhook_endpoints/:id |
Delete an endpoint and its delivery history | webhooks:manage |
POST /api/v1/webhook_endpoints/:id/test |
Send a test ping event and return the delivery result |
webhooks:manage |
See Webhooks for payload formats and signature verification.
Rate limits
All authenticated API requests (including the MCP server) are rate-limited per token:
- 60 requests per minute
- 500 requests per hour
Every API response includes:
| Header | Description |
|---|---|
X-RateLimit-Limit |
Maximum requests in the current window |
X-RateLimit-Remaining |
Requests remaining in the current window |
X-RateLimit-Reset |
Unix timestamp when the window resets |
When you exceed a limit you receive 429 Too Many Requests with a Retry-After header and an error envelope of type rate_limited.
Error format
All errors use a consistent JSON envelope:
{
"error": {
"type": "not_found",
"message": "Couldn't find WebhookEndpoint with id=..."
}
}
| Type | Status | Meaning |
|---|---|---|
authentication_required |
401 | Missing or malformed Authorization header |
invalid_token |
401 | Token is unknown, revoked, or its application was revoked |
token_expired |
401 | Token has expired (OAuth flows; refresh it) |
insufficient_scope |
403 | Token lacks the required scope |
forbidden |
403 | Plan does not include API access |
not_found |
404 | Resource doesn't exist in this workspace |
invalid_request |
400 | Malformed request body or missing parameter |
validation_error |
422 | Attributes failed validation; the message lists the failures |
rate_limited |
429 | Too many requests |
Going further
- Webhooks -- receive real-time notifications when events happen in your workspace
- MCP server -- let AI assistants like Claude work with your workspace over the same tokens and scopes
- Interactive API reference -- schemas, examples, and a try-it-out console