How do I authenticate with the Sentinel API?

Call POST /sentinel/api/auth/login with your dashboard username and password as JSON. The response contains a JWT token. Include it in subsequent requests as an Authorization: Bearer header. The login endpoint is the only one that does not require authentication.

What is the base URL for the Sentinel API?

All API paths are relative to your configured prefix, which defaults to /sentinel. For example, the threats endpoint is accessed at /sentinel/api/threats. If you set a custom prefix like /admin/security, the full path becomes /admin/security/api/threats.

How is pagination handled in the Sentinel API?

All list endpoints return data in a standard paginated envelope with a data array and a meta object containing total count, current page, and page_size. Use the page and page_size query parameters to navigate results. Default page size is 20.

Does Sentinel have WebSocket endpoints for real-time data?

Yes. Sentinel exposes two WebSocket endpoints: /ws/threats for live threat event streaming and /ws/metrics for real-time performance metrics. Authenticate via a token query parameter instead of the Authorization header since browser WebSocket APIs do not support custom headers.

API Reference

This is the comprehensive reference for every HTTP and WebSocket endpoint exposed by Sentinel's dashboard API. All endpoints are served under your configured prefix (default: /sentinel). For example, the login endpoint is available at /sentinel/api/auth/login.

Authentication Required

Unless otherwise noted, all API endpoints require a valid JWT token in the Authorization header. Obtain a token by calling the POST /api/auth/login endpoint. Include it in subsequent requests as: Authorization: Bearer <token>. If the token is missing, expired, or invalid, the API responds with HTTP 401 Unauthorized.

Standard Response Format

All list endpoints return data in a standard paginated envelope. Single-resource endpoints return the object directly under the data key without pagination metadata.

Paginated Responsejson

{
  "data": [ ... ],
  "meta": {
    "total": 142,
    "page": 1,
    "page_size": 20
  }
}

Action endpoints (resolve, block, delete, etc.) return a simple success response:

Action Responsejson

{
  "success": true,
  "message": "Threat resolved successfully"
}

Error responses use standard HTTP status codes with a JSON body:

Error Responsejson

{
  "error": "Invalid credentials"
}

Base URL

All API paths in this reference are relative to your configured prefix. The default prefix is /sentinel, so an endpoint documented as /api/threats is accessed at /sentinel/api/threats. If you set a custom prefix (e.g., /admin/security), the full path becomes /admin/security/api/threats.

All curl examples in this document use http://localhost:8080/sentinel as the base URL.

Authentication

Endpoints for logging in, logging out, and verifying JWT tokens.

Method	Path	Description
`POST`	`/api/auth/login`	Authenticate with username and password. Returns a JWT token. No auth header required.
`POST`	`/api/auth/logout`	Invalidate the current session token.
`GET`	`/api/auth/verify`	Verify that the current token is still valid. Returns HTTP 200 if valid, 401 if not.

Loginbash

# Authenticate and obtain a JWT token
curl -X POST http://localhost:8080/sentinel/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "your-password"}'

# Response:
# {"token": "eyJhbGciOiJIUzI1NiIs..."}

Verify Tokenbash

# Verify that a token is still valid
curl http://localhost:8080/sentinel/api/auth/verify \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Dashboard

Endpoints that power the main dashboard overview page.

Method	Path	Description
`GET`	`/api/dashboard/summary`	Returns the dashboard summary including total threats, blocked count, active actors, requests per minute, and recent threat events.
`GET`	`/api/security-score`	Returns the computed security score (0-100) with a component-level breakdown showing how each factor contributes to the overall score.

Dashboard Summarybash

curl http://localhost:8080/sentinel/api/dashboard/summary \
  -H "Authorization: Bearer <token>"

Threats

Endpoints for querying, inspecting, and managing threat events.

Method	Path	Description
`GET`	`/api/threats`	List threat events with pagination and filtering. Supports query parameters: `page`, `page_size`, `severity` (low, medium, high, critical), and `type` (sqli, xss, path_traversal, etc.).
`GET`	`/api/threats/:id`	Get full details for a specific threat event, including request metadata, matched WAF rule, payload, and geographic information.
`POST`	`/api/threats/:id/resolve`	Mark a threat as reviewed and resolved.
`POST`	`/api/threats/:id/false-positive`	Flag a threat detection as a false positive for tuning.

List Threatsbash

# List high-severity SQL injection threats, page 1
curl "http://localhost:8080/sentinel/api/threats?page=1&page_size=20&severity=high&type=sqli" \
  -H "Authorization: Bearer <token>"

# Response:
# {
#   "data": [
#     {
#       "id": "abc123",
#       "type": "sqli",
#       "severity": "high",
#       "ip": "203.0.113.42",
#       "route": "/api/users",
#       "blocked": true,
#       "timestamp": "2025-01-15T10:30:00Z"
#     },
#     ...
#   ],
#   "meta": { "total": 47, "page": 1, "page_size": 20 }
# }

Resolve a Threatbash

# Mark threat abc123 as resolved
curl -X POST http://localhost:8080/sentinel/api/threats/abc123/resolve \
  -H "Authorization: Bearer <token>"

Actors

Endpoints for viewing threat actor profiles aggregated by IP address.

Method	Path	Description
`GET`	`/api/actors`	List all threat actors with pagination. Supports `page` and `page_size` query parameters. Each actor includes risk score, event count, and first/last seen timestamps.
`GET`	`/api/actors/:ip`	Get the full profile for a specific threat actor by IP address, including risk score, severity breakdown, and geographic location.
`GET`	`/api/actors/:ip/threats`	List all threat events associated with a specific actor IP.
`POST`	`/api/actors/:ip/block`	Block an actor by adding their IP to the blacklist immediately.

Block an Actorbash

# Block the actor at 203.0.113.42
curl -X POST http://localhost:8080/sentinel/api/actors/203.0.113.42/block \
  -H "Authorization: Bearer <token>"

IP Management

Endpoints for managing IP whitelists and blacklists.

Method	Path	Description
`GET`	`/api/ip-lists`	List all whitelist and blacklist entries with their type, creation timestamp, and reason.
`POST`	`/api/ip-lists`	Add an IP address or CIDR range to the whitelist or blacklist. Body requires `ip`, `type` (block or allow), and optional `reason`.
`DELETE`	`/api/ip-lists/:id`	Remove an IP entry from the whitelist or blacklist by its ID.

Add IP to Blacklistbash

# Block an IP range
curl -X POST http://localhost:8080/sentinel/api/ip-lists \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"ip": "198.51.100.0/24", "type": "block", "reason": "Known botnet range"}'

WAF

Endpoints for managing Web Application Firewall rules.

Method	Path	Description
`GET`	`/api/waf/rules`	List all WAF rules including built-in and custom rules. Shows rule ID, name, pattern, severity, enabled status, and strictness level.
`POST`	`/api/waf/rules`	Create a new custom WAF rule. Body requires rule name, regex pattern, severity, and action.
`PUT`	`/api/waf/rules/:id`	Update an existing WAF rule. Can toggle enabled/disabled status, change pattern, severity, or strictness.
`DELETE`	`/api/waf/rules/:id`	Delete a custom WAF rule by its ID. Built-in rules cannot be deleted, only disabled.
`POST`	`/api/waf/test`	Test arbitrary input against the active rule set. Returns which rules would match and their details. Useful for validating rules before deployment.

Test WAF Rulesbash

# Test an input string against all active WAF rules
curl -X POST http://localhost:8080/sentinel/api/waf/test \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"input": "SELECT * FROM users WHERE id=1 OR 1=1"}'

Rate Limits

Endpoints for viewing and managing rate limit configuration and live counter states.

Method	Path	Description
`GET`	`/api/rate-limits`	Get the current rate limit configuration including requests per window, window duration, and per-route overrides.
`PUT`	`/api/rate-limits`	Update the rate limit configuration. Changes take effect immediately.
`GET`	`/api/rate-limits/current`	Get live counter states showing current window usage per IP, user, route, and global counters.
`POST`	`/api/rate-limits/reset/:key`	Reset a specific rate limit counter by key. Useful for unblocking a legitimate user who hit a limit.

View Live Countersbash

# Get current rate limit counter states
curl http://localhost:8080/sentinel/api/rate-limits/current \
  -H "Authorization: Bearer <token>"

AI

AI-powered analysis endpoints. These require an AI provider (Claude, OpenAI, or Gemini) to be configured. If no provider is configured, these endpoints return HTTP 503.

AI Provider Required

All /api/ai/* endpoints require an AI provider to be configured in your Sentinel config. Without one, these endpoints return 503 Service Unavailable. See the AI Configuration section for setup instructions.

Method	Path	Description
`POST`	`/api/ai/analyze-threat/:id`	Perform AI-powered deep analysis of a specific threat event. Returns analysis of the attack vector, potential impact, and recommended mitigations.
`GET`	`/api/ai/analyze-actor/:ip`	Generate an AI assessment of a threat actor's behavior pattern, risk level, and recommended response.
`GET`	`/api/ai/daily-summary`	Get an AI-generated summary of the past 24 hours of security activity with notable trends and recommendations.
`POST`	`/api/ai/query`	Ask a natural-language question about your security data. Body requires a `query` string.
`GET`	`/api/ai/waf-recommendations`	Get AI-generated suggestions for WAF rule improvements based on recent threat data.

AI Natural Language Querybash

# Ask a question about your security data
curl -X POST http://localhost:8080/sentinel/api/ai/query \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"query": "What were the most common attack types this week?"}'

Analyze a Threatbash

# Get AI analysis for threat abc123
curl -X POST http://localhost:8080/sentinel/api/ai/analyze-threat/abc123 \
  -H "Authorization: Bearer <token>"

Reports

Compliance report generation endpoints. Reports are generated on demand based on current system state and threat data within the specified time window.

Method	Path	Description
`GET`	`/api/reports/gdpr`	Generate a GDPR compliance report. Supports optional `window` query parameter (e.g., `720h` for 30 days). Covers data protection, access logging, retention policies, and breach notification readiness.
`GET`	`/api/reports/pci-dss`	Generate a PCI-DSS compliance report. Covers WAF status, access controls, audit logging, rate limiting on sensitive endpoints, and encryption posture.
`GET`	`/api/reports/soc2`	Generate a SOC 2 compliance report. Supports optional `window` query parameter. Covers security monitoring, incident response, access management, and anomaly detection.

Generate GDPR Reportbash

# Generate a GDPR report for the last 30 days
curl "http://localhost:8080/sentinel/api/reports/gdpr?window=720h" \
  -H "Authorization: Bearer <token>"

Analytics

Endpoints for security analytics and trend data used by the Analytics dashboard page.

Method	Path	Description
`GET`	`/api/analytics/trends`	Get attack trend data over time. Supports `window` (e.g., `24h`, `7d`) and `interval` (e.g., `hour`, `day`) query parameters. Returns time-series data broken down by attack type.
`GET`	`/api/analytics/geographic`	Get geographic breakdown of threat sources by country with event counts and percentages.
`GET`	`/api/analytics/top-routes`	Get the most targeted routes in your application ranked by attack volume.
`GET`	`/api/analytics/time-pattern`	Get attack distribution by hour of day and day of week to identify automated attack patterns.

Attack Trendsbash

# Get hourly attack trends for the last 24 hours
curl "http://localhost:8080/sentinel/api/analytics/trends?window=24h&interval=hour" \
  -H "Authorization: Bearer <token>"

Users, Audit Logs & Alerts

Endpoints for user tracking, audit trail, and alert management.

Method	Path	Description
`GET`	`/api/users`	List tracked users extracted by your `UserExtractor` function. Shows request counts, last active timestamps, and associated security events.
`GET`	`/api/audit-logs`	List audit log entries recording all administrative and security actions including dashboard logins, IP list changes, threat resolutions, and WAF rule modifications.
`GET`	`/api/alerts`	List dispatched alert history with timestamps, severity, triggering event, delivery channel, and delivery status.
`PUT`	`/api/alerts/config`	Update alert configuration including minimum severity threshold and notification channel settings.

Performance

Endpoints for route-level performance metrics and latency tracking.

Method	Path	Description
`GET`	`/api/performance/overview`	Get an overview of system performance including aggregate latency percentiles, error rates, and throughput metrics.
`GET`	`/api/performance/routes`	Get per-route performance metrics including p50, p95, and p99 latency percentiles, error rates, and request counts. Routes exceeding the slow request threshold are flagged.

Route Performancebash

# Get per-route latency metrics
curl http://localhost:8080/sentinel/api/performance/routes \
  -H "Authorization: Bearer <token>"

WebSocket

Sentinel exposes two WebSocket endpoints for real-time streaming. WebSocket connections authenticate via the token query parameter rather than the Authorization header, since the browser WebSocket API does not support custom headers.

Method	Path	Description
`WS`	`/ws/threats`	Streams live threat events as they are detected. Each message is a JSON object with the full threat event payload including IP, route, threat type, severity, and timestamp.
`WS`	`/ws/metrics`	Streams real-time performance and system metrics including request rates, latency percentiles, active connections, and resource usage.

WebSocket Authentication

Pass the JWT token as a token query parameter when connecting: ws://localhost:8080/sentinel/ws/threats?token=<jwt>. The protocol is automatically upgraded to wss: when your application uses HTTPS.

WebSocket Connectionjavascript

// Connect to the live threat stream
const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
const ws = new WebSocket(
  `${proto}//${window.location.host}/sentinel/ws/threats?token=${jwt}`
);

ws.onmessage = (event) => {
  const threat = JSON.parse(event.data);
  console.log('New threat:', threat.type, threat.severity, threat.ip);
};

ws.onclose = () => {
  // Reconnect with backoff
  setTimeout(() => connect(), 5000);
};

WebSocket via curlbash

# Connect to WebSocket using curl (for testing)
curl --include \
  --no-buffer \
  --header "Connection: Upgrade" \
  --header "Upgrade: websocket" \
  --header "Sec-WebSocket-Version: 13" \
  --header "Sec-WebSocket-Key: $(openssl rand -base64 16)" \
  "http://localhost:8080/sentinel/ws/threats?token=<jwt>"

Quick Reference

Complete endpoint listing at a glance. All paths are relative to your configured prefix (default: /sentinel).

Method	Path	Auth
`POST`	`/api/auth/login`	No
`POST`	`/api/auth/logout`	Yes
`GET`	`/api/auth/verify`	Yes
`GET`	`/api/dashboard/summary`	Yes
`GET`	`/api/security-score`	Yes
`GET`	`/api/threats`	Yes
`GET`	`/api/threats/:id`	Yes
`POST`	`/api/threats/:id/resolve`	Yes
`POST`	`/api/threats/:id/false-positive`	Yes
`GET`	`/api/actors`	Yes
`GET`	`/api/actors/:ip`	Yes
`GET`	`/api/actors/:ip/threats`	Yes
`POST`	`/api/actors/:ip/block`	Yes
`GET`	`/api/ip-lists`	Yes
`POST`	`/api/ip-lists`	Yes
`DELETE`	`/api/ip-lists/:id`	Yes
`GET`	`/api/waf/rules`	Yes
`POST`	`/api/waf/rules`	Yes
`PUT`	`/api/waf/rules/:id`	Yes
`DELETE`	`/api/waf/rules/:id`	Yes
`POST`	`/api/waf/test`	Yes
`GET`	`/api/rate-limits`	Yes
`PUT`	`/api/rate-limits`	Yes
`GET`	`/api/rate-limits/current`	Yes
`POST`	`/api/rate-limits/reset/:key`	Yes
`POST`	`/api/ai/analyze-threat/:id`	Yes
`GET`	`/api/ai/analyze-actor/:ip`	Yes
`GET`	`/api/ai/daily-summary`	Yes
`POST`	`/api/ai/query`	Yes
`GET`	`/api/ai/waf-recommendations`	Yes
`GET`	`/api/reports/gdpr`	Yes
`GET`	`/api/reports/pci-dss`	Yes
`GET`	`/api/reports/soc2`	Yes
`GET`	`/api/analytics/trends`	Yes
`GET`	`/api/analytics/geographic`	Yes
`GET`	`/api/analytics/top-routes`	Yes
`GET`	`/api/analytics/time-pattern`	Yes
`GET`	`/api/users`	Yes
`GET`	`/api/audit-logs`	Yes
`GET`	`/api/alerts`	Yes
`PUT`	`/api/alerts/config`	Yes
`GET`	`/api/performance/overview`	Yes
`GET`	`/api/performance/routes`	Yes
`WS`	`/ws/threats`	Token param
`WS`	`/ws/metrics`	Token param

Prefix Applies to All Paths

Every path listed above is relative to your configured prefix. The default prefix is /sentinel, so /api/threats becomes /sentinel/api/threats. WebSocket paths follow the same pattern: /ws/threats becomes /sentinel/ws/threats.

Next Steps

The Dashboard -- Visual walkthrough of every dashboard page
Configuration -- Full reference for all config fields
WAF Deep Dive -- Advanced WAF configuration and custom rules
Rate Limiting -- Rate limit configuration and strategies
Alerting -- Configure Slack, email, and webhook notifications

Built with by JB