Aurora API reference

Aurora is a dashboard API for tenants, production lines, machines, DataStone edge PCs, dashboards, API keys, pairing, WebRTC control, and billing.

Base URL and authentication

API family	Base path	Authentication
Browser/session API	/api/tenants/..., /api/dashboard/..., /api/user-preferences	Signed-in user session.
API-key API	/api/lines, /api/machines, /api/edgepcs, /api/api-keys	Authorization: Bearer <API_KEY> or X-API-Key: <API_KEY>.
DataStone host API	/api/webrtc/...	Pairing token or signed host request, depending on endpoint.

Mutating browser/session API calls are protected by same-origin CSRF checks. /api/webrtc/registrations and /api/webrtc/host-session are exempt so DataStone hosts can call them directly.

Error responses use JSON:

{
  "error": "Forbidden."
}

Common status codes are 400 for invalid input, 401 for missing or invalid auth, 403 for insufficient permission or API-key restrictions, 404 for missing resources, 409 for conflicts, 429 for API-key rate limits, and 503 when a required service is not configured.

API keys

API-key authenticated endpoints accept either:

Authorization: Bearer <API_KEY>

or:

X-API-Key: <API_KEY>

API-key responses include these rate-limit headers when a key has a limit configured:

Header	Description
RateLimit-Limit	Allowed requests per window.
RateLimit-Remaining	Remaining requests in the current window.
RateLimit-Reset	UNIX timestamp when the current window resets.

Supported managed scopes:

Scope	Allows
line:read, line:write	Read or manage lines.
machine:read, machine:write	Read or manage machines.
edgepc:read, edgepc:write	Read or manage DataStone edge PCs.
device:read	Read proxied DataStone devices.
data:read	Read proxied DataStone data streams, latest values, and statistics.

API keys may include managed restrictions:

{
  "lineIds": [1],
  "machineIds": [10],
  "edgePcIds": [20]
}

Aurora also understands lower-level restrictions such as deviceIds and dataIds when filtering proxied DataStone responses.

Tenant/session endpoints

These endpoints require a signed-in user and tenant permissions.

Method	Path	Permission	Description
GET	/api/tenants	authenticated	List tenants visible to the user. Admins receive all tenants.
POST	/api/tenants	any tenant:write	Create a tenant with a name string.
GET	/api/tenants/:id	tenant:read	Retrieve a tenant.
PATCH	/api/tenants/:id	tenant:write	Rename a tenant.
DELETE	/api/tenants/:id	tenant:write	Delete a tenant.
GET	/api/user-preferences	authenticated	Read user preferences.
PUT	/api/user-preferences	authenticated plus tenant read for selected tenant	Update active_tenant_id to a tenant ID or null.

Lines

Session endpoints:

Method	Path	Permission	Description
GET	/api/tenants/:tenantId/lines	line:read	List tenant lines.
POST	/api/tenants/:tenantId/lines	line:write	Create a line with a name string.
PATCH	/api/tenants/:tenantId/lines/:lineId	line:write	Rename a line.
DELETE	/api/tenants/:tenantId/lines/:lineId	line:write	Delete a line.

API-key endpoints:

Method	Path	Scope	Description
GET	/api/lines	line:read	List allowed lines.
POST	/api/lines	line:write	Create a line. Disallowed when the key is restricted to specific line IDs.
GET	/api/lines/:lineId	line:read	Retrieve a line.
PATCH	/api/lines/:lineId	line:write	Rename a line.
DELETE	/api/lines/:lineId	line:write	Delete a line.

Machines

Session endpoints:

Method	Path	Permission	Description
GET	/api/tenants/:tenantId/machines	machine:read	List machines.
POST	/api/tenants/:tenantId/machines	machine:write	Create a machine. Accepts JSON or multipart/form-data with optional image.
PATCH	/api/tenants/:tenantId/machines/:machineId	machine:write	Update name, line group, or image.
DELETE	/api/tenants/:tenantId/machines/:machineId	machine:write	Delete a machine.
GET	/api/tenants/:tenantId/machine-images/:fileName	machine:read	Read a private machine image.
GET	/api/tenants/:tenantId/machines/:machineId/aasx	machine:read	Download an AASX export.
POST	/api/tenants/:tenantId/machines/:machineId/aasx	machine:read	Download an AASX export using supplied edge catalog seeds.

Create machine JSON:

{
  "name": "Compressor 1",
  "group": 2,
  "image_url": "/api/tenants/1/machine-images/example.png"
}

API-key endpoints:

Method	Path	Scope	Description
GET	/api/machines	machine:read	List allowed machines.
POST	/api/machines	machine:write	Create a machine with name, line_id or group, and optional image_url.
GET	/api/machines/:machineId	machine:read	Retrieve a machine.
PATCH	/api/machines/:machineId	machine:write	Update a machine.
DELETE	/api/machines/:machineId	machine:write	Delete a machine.

DataStone edge PCs

Session endpoints:

Method	Path	Permission	Description
GET	/api/tenants/:tenantId/edgepcs	edgepc:read	List DataStones.
POST	/api/tenants/:tenantId/edgepcs	edgepc:write	Create a DataStone.
GET	/api/tenants/:tenantId/edgepcs/:edgeId	edgepc:read	Retrieve a DataStone.
PATCH	/api/tenants/:tenantId/edgepcs/:edgeId	edgepc:write	Update a DataStone.
DELETE	/api/tenants/:tenantId/edgepcs/:edgeId	edgepc:write	Delete a DataStone.

Payload fields for create/update:

Field	Required	Description
name	Yes	Display name.
base_url	Yes on create	DataStone base URL. Update preserves current URL when empty.
network_type	No	Network access type. Empty create uses the default network type.
machine_id	No	Associated machine ID or null.
api_key	No	DataStone API key used by Aurora for proxy calls. Empty update clears the key.
webrtc_host_id	No	Host ID for P2P WebRTC.
signal_analysis_enabled	No	Session API only. Enables signal analysis flag.

API-key endpoints:

Method	Path	Scope	Description
GET	/api/edgepcs	edgepc:read	List allowed DataStones.
POST	/api/edgepcs	edgepc:write	Create a DataStone.
GET	/api/edgepcs/:edgeId	edgepc:read	Retrieve a DataStone.
PATCH	/api/edgepcs/:edgeId	edgepc:write	Update a DataStone.
DELETE	/api/edgepcs/:edgeId	edgepc:write	Delete a DataStone.

Proxied DataStone data

Aurora can proxy DataStone API calls through a registered edge PC. API-key endpoints are scoped to the caller tenant and filtered by API-key restrictions.

Method	Path	Scope	Description
GET	/api/edgepcs/:edgeId/devices	device:read	Proxy DataStone /api/device/.
GET	/api/edgepcs/:edgeId/devices/:deviceId/data	data:read	Proxy and filter DataStone data streams for one device.
GET	/api/edgepcs/:edgeId/data	data:read	Proxy DataStone /api/data/.
GET	/api/edgepcs/:edgeId/data/:dataId	data:read	Proxy one DataStone data stream.
GET	/api/edgepcs/:edgeId/data/:dataId/latest	data:read	Proxy latest value endpoint.
GET	/api/edgepcs/:edgeId/data/:dataId/statistic	data:read	Proxy and cache DataStone statistics. Query parameters are forwarded.

Session users can use the general proxy:

Method	Path	Permission	Description
GET, POST, PATCH, PUT, DELETE	/api/tenants/:tenantId/edgepcs/:edgeId/proxy/:path	Depends on first path segment	Proxy a safe DataStone API path.

Proxy permission mapping:

First path segment	Aurora resource permission
group	line
device	device
data	machine
value	metric
statistic	metric
readyz, healthz	edgepc

GET and HEAD require read permission. Other methods require write permission.

Dashboards

Method	Path	Permission	Description
GET	`/api/tenants/:tenantId/machines/:machineId/dashboard?mode=stats	realtime`	metric:read
PUT	`/api/tenants/:tenantId/machines/:machineId/dashboard?mode=stats	realtime`	metric:write
POST	`/api/tenants/:tenantId/machines/:machineId/dashboard/preflight?mode=stats	realtime`	metric:write
GET	`/api/tenants/:tenantId/machines/:machineId/dashboard/collab?mode=stats	realtime`	metric:read
POST	`/api/tenants/:tenantId/machines/:machineId/dashboard/collab?mode=stats	realtime`	metric:write
GET	/api/tenants/:tenantId/machines/:machineId/dashboard/realtime/video-session	metric:read	Return the current realtime video session state. Currently disabled.
GET	/api/dashboard/search?tenantId=&q=	authenticated	Return dashboard search suggestions. Query length below two characters returns an empty result.

Dashboard PUT payload:

{
  "baseRevision": 7,
  "widgets": []
}

Preflight payload:

{
  "edgeId": 20,
  "dataId": 300,
  "dataMode": "realtime"
}

Managed API-key administration

Session endpoints require tenant:write. API-key endpoints require apikeys:read or apikeys:write; those scopes are supported for legacy keys even though they are not part of the managed UI scope list.

Method	Path	Auth	Description
GET	/api/tenants/:tenantId/api-keys	session	List tenant API keys.
POST	/api/tenants/:tenantId/api-keys	session	Create an API key. Response includes secret once.
PATCH	/api/tenants/:tenantId/api-keys/:keyId	session	Update label, scopes, restrictions, expiry, or rate limit.
POST	/api/tenants/:tenantId/api-keys/:keyId/revoke	session	Revoke a key.
DELETE	/api/tenants/:tenantId/api-keys/:keyId	session	Delete a key after revocation.
GET	/api/api-keys	API key	List API keys for the caller tenant.
POST	/api/api-keys	API key	Create an API key.
PATCH	/api/api-keys/:keyId	API key	Update an API key.
POST	/api/api-keys/:keyId/revoke	API key	Revoke an API key.
DELETE	/api/api-keys/:keyId	API key	Delete a revoked API key.

Create API key payload:

{
  "label": "Line A reader",
  "scopes": ["line:read", "machine:read", "edgepc:read", "device:read", "data:read"],
  "restrictions": {
    "lineIds": [1]
  },
  "expires_at": "2026-12-31T00:00:00Z",
  "rate_limit_limit": 600,
  "rate_limit_period_seconds": 60
}

Pairing and WebRTC

Method	Path	Auth	Description
POST	/api/tenants/:tenantId/edgepcs/pairing-tokens	session edgepc:write	Create a pairing token. Payload: optional label, expiresInSeconds with a minimum of 300.
POST	/api/webrtc/registrations	pairing token	Register or refresh a pending DataStone host request.
POST	/api/tenants/:tenantId/edgepcs/registrations/:requestId/approve	session edgepc:write	Approve a pending registration for edgePcId.
POST	/api/tenants/:tenantId/edgepcs/registrations/:requestId/reject	session edgepc:write	Reject a pending registration.
POST	/api/webrtc/host-session	signed host request	Return signaling URL, host token, ICE servers, and refresh timing.
POST	/api/tenants/:tenantId/edgepcs/:edgeId/webrtc/listener-session	session edgepc_shell:write or edgepc_control:write	Return browser listener signaling token and ICE servers.
GET	/api/tenants/:tenantId/edgepcs/:edgeId/webrtc/control-lease	session edgepc_control:write	Read the active control lease.
POST	/api/tenants/:tenantId/edgepcs/:edgeId/webrtc/control-lease	session edgepc_control:write	Acquire or renew a control lease.
DELETE	/api/tenants/:tenantId/edgepcs/:edgeId/webrtc/control-lease	session edgepc_control:write	Release the current session lease.
POST	/api/tenants/:tenantId/edgepcs/:edgeId/webrtc/control-grant	session edgepc_control:write plus active lease	Issue a short-lived host control JWT.

Host registration payload:

{
  "pairingToken": "pair_...",
  "hostId": "edge-host-01",
  "machineId": "optional-local-machine-id",
  "proposedName": "Edge host 01",
  "controlJwtSecret": "shared-control-secret"
}

Host session payload:

{
  "hostId": "edge-host-01",
  "timestamp": 1777363200,
  "nonce": "unique-per-request",
  "signature": "hmac-signature"
}

Billing and cron jobs

Method	Path	Auth	Description
POST	/api/billing/checkout	session	Create a checkout flow.
POST	/api/billing/confirm	session	Confirm a payment.
GET	/api/tenants/:tenantId/cronjobs	session tenant:read	List scheduled automation jobs. Returns an empty items array if scheduling is not configured.
POST	/api/tenants/:tenantId/cronjobs	session tenant:write	Create a scheduled automation job with key, schedule, and optional is_active.
PATCH	/api/tenants/:tenantId/cronjobs/:cronJobId	session tenant:write	Update a scheduled automation job.
DELETE	/api/tenants/:tenantId/cronjobs/:cronJobId	session tenant:write	Delete a scheduled automation job.

Downloads and sign-in

Method	Path	Auth	Description
GET	/downloads/installer/latest	public	Download the latest installer artifact.
GET, POST	/auth/login	public	Start or submit login.
GET	/auth/callback	public	Complete sign-in callback.
GET	/auth/register	public	Start registration flow.
GET, POST	/sign-out	session	Sign out.