API Reference
All REST API endpoints served on port 8090.
Breaking Change
Authentication was introduced in version 3.3.0. If you are upgrading from an earlier version, any existing API integrations must be updated to include a bearer token.
Authentication
When authentication is enabled, most API endpoints require a valid session cookie or a bearer token in the Authorization header. Tokens are created in Settings → API.
Endpoints marked PUBLIC in the table below do not require authentication. These include the health check, authentication flow, and initial setup endpoints.
Example: Authenticated Request
curl -H "Authorization: Bearer YOUR_API_TOKEN" \
https://your-host:8090/api/logsEndpoints
/api/logsPaginated log list with all filters (prefix any filter with ! to negate)
/api/logs/aggregateAggregate logs by dimension with CIDR grouping and HAVING thresholds
/api/logs/{id}Single log detail with threat data
/api/statsDashboard aggregations (pass ?time_range=24h)
/api/exportCSV export with current filters (up to 100K rows)
/api/healthPUBLICHealth check with total count and latest timestamp
/api/auth/statusPUBLICCurrent authentication state (logged in, auth enabled, setup complete)
/api/auth/loginPUBLICAuthenticate with username and password
/api/auth/logoutPUBLICEnd the current session
/api/auth/setupPUBLICCreate the first admin account (one-time)
/api/setup/statusPUBLICWhether initial setup has been completed
/api/servicesDistinct service names for filter dropdown
/api/protocolsDistinct protocols seen in logs
/api/interfacesDistinct interfaces seen in logs
/api/configCurrent system configuration (WAN, labels, setup status)
/api/setup/completeSave wizard configuration
/api/setup/wan-candidatesAuto-detected WAN interface candidates
/api/setup/network-segmentsDiscovered network segments with suggested labels
/api/enrich/{ip}Force fresh AbuseIPDB lookup for an IP
/api/settings/unifiCurrent UniFi API settings
/api/settings/unifiUpdate UniFi API settings
/api/settings/unifi/testTest UniFi connection and save on success
/api/settings/uiCurrent UI display preferences
/api/settings/uiUpdate UI display preferences
/api/firewall/policiesAll firewall policies with zone data
/api/firewall/policies/{id}Toggle syslog on a firewall policy
/api/firewall/policies/bulk-loggingBulk-toggle syslog on multiple policies
/api/unifi/clientsCached UniFi client list
/api/unifi/devicesCached UniFi infrastructure devices
/api/unifi/statusUniFi polling status
/api/config/exportExport all settings as JSON
/api/config/importImport settings from JSON backup
/api/config/vpn-networksSave VPN network configuration
/api/config/retentionCurrent retention configuration
/api/config/retentionUpdate retention settings
/api/config/retention/cleanupRun retention cleanup immediately
/api/threatsThreat intelligence cache with IP/date filters
/api/threats/geoGeo-aggregated threat data for Threat Map (GeoJSON)
/api/logs/batchFetch multiple logs by ID (max 50)
/api/mcpMCP JSON-RPC endpoint (bearer token required)
/api/mcpMCP SSE streaming endpoint (bearer token required)
/api/settings/mcpMCP server settings
/api/settings/mcpUpdate MCP settings
/api/tokensList API tokens (filter by client_type: mcp, extension, api)
/api/tokensCreate a new API token
/api/tokens/{id}Revoke an API token
/api/settings/mcp/scopesList available permission scopes
/api/settings/mcp/auditMCP audit trail with pagination