Every Nova UI surface, alerts, incidents, runbooks, services, agents, on-call, is also reachable via REST. JSON in, JSON out, bearer-token auth, OpenAPI 3.1 spec available. The launch surface covers read + most writes; expanded write coverage and an interactive playground are on the roadmap.
https://api.novaaiops.com/v1
All endpoints are under the /v1 prefix. Versioning is date-pinned in the API-Version request header for breaking-change isolation; the URL path version increments only on full v2 cuts.
Authenticate every request with a bearer token. Tokens are issued from the admin UI under Settings → API Tokens, scoped per role (Read-Only, Operator, Admin), and rotatable without downtime.
curl https://api.novaaiops.com/v1/incidents \
# bearer token, scoped to your tenant
-H "Authorization: Bearer $NOVA_TOKEN" \
-H "API-Version: 2026-04-01"
Tokens never expire on their own; rotate them on a schedule that matches your security policy. Compromised tokens revoke instantly via the same Settings UI.
The incident lifecycle endpoints. Cover the same surface the on-call UI uses: create, ack, resolve, timeline, autogen postmortems, and inline comments.
| Method | Path | Description |
|---|---|---|
| GET | /incidents | List incidents; filter by ?status=open, ?severity=sev1, ?service=... |
| POST | /incidents | Create an incident with title, severity, affected services |
| GET | /incidents/{id} | Fetch a single incident with current state and metadata |
| POST | /incidents/{id}/ack | Acknowledge a paged incident |
| POST | /incidents/{id}/resolve | Mark an incident resolved with a closing note |
| GET | /incidents/{id}/timeline | Full event stream: pages, agent actions, comments, status changes |
| GET | /incidents/{id}/postmortem | Auto-generated postmortem draft (root cause, contributing factors, action items) |
| POST | /incidents/{id}/comments | Add a comment to the incident timeline |
Read alert state, manage silences, and define alert rules. Silencing returns a deterministic ID so you can revoke it programmatically from the same client.
| Method | Path | Description |
|---|---|---|
| GET | /alerts | List alerts; ?firing=true for active, ?service=... to filter |
| GET | /alerts/{id} | Fetch a single alert with rule, history, and routing |
| POST | /alerts/{id}/silence | Silence an alert for a duration with a required reason |
| DELETE | /alerts/{id}/silence | Un-silence (lift an active silence early) |
| POST | /alerts/{id}/notify | Manually re-fire notifications to all routed channels |
| GET | /alert-rules | List alert rules with thresholds and notification routing |
| POST | /alert-rules | Create a new alert rule (PromQL or NovaQL expression) |
The service catalog and SLO posture. /services/{name}/dependencies returns the resolved upstream/downstream graph used by the topology view.
| Method | Path | Description |
|---|---|---|
| GET | /services | List services tracked in the platform |
| POST | /services | Register a new service with team owner and tier |
| GET | /services/{name} | Service detail: owner, tier, runbooks, recent incidents |
| GET | /services/{name}/health | Golden signals snapshot (latency, traffic, errors, saturation) |
| GET | /services/{name}/dependencies | Resolved dependency graph (upstream/downstream services) |
| GET | /slo | SLO posture across all services with current burn rates |
| GET | /slo/{service} | Per-service SLO target, current attainment, error budget |
| POST | /slo/{service} | Set or update an SLO target (objective + window) |
Runbooks define safe automated remediations; agents are the policy-bound executors. Every /runbooks/{id}/run writes to the agent audit ledger so an external system can replay or review the action.
| Method | Path | Description |
|---|---|---|
| GET | /runbooks | List runbooks; ?service=X filters by service |
| POST | /runbooks | Create a runbook (steps, guardrails, approval policy) |
| POST | /runbooks/{id}/run | Execute a runbook through the agent within policy |
| GET | /runbooks/{id}/runs | Execution history with status, duration, and operator |
| GET | /agents | List agent fleet with current trust scores and roles |
| GET | /agents/{id} | Agent detail: capabilities, scope, approval policy |
| POST | /agents/{id}/actions | Approve or reject a queued agent action |
| GET | /agents/{id}/audit | Tamper-evident audit ledger for one agent |
Read who is on call right now, manage schedules, apply overrides, and define escalation policies. Same data model the on-call UI and Slack/Teams bots consume.
| Method | Path | Description |
|---|---|---|
| GET | /oncall | Current on-call across all rotations with contact info |
| GET | /oncall/schedules | List schedules with rotations and members |
| POST | /oncall/schedules | Create a schedule (members, rotation cadence, timezone) |
| POST | /oncall/overrides | Apply a temporary override (cover for someone) |
| GET | /escalation-policies | List escalation policies with steps and timeouts |
| POST | /escalation-policies | Create or update an escalation policy |
Create black-box probes that hit a URL or TCP port from one or more regions on a schedule. Results stream into the same alert pipeline as agent telemetry, so a failed probe pages on-call.
| Method | Path | Description |
|---|---|---|
| GET | /synthetics | List synthetic checks with last result and uptime |
| POST | /synthetics | Create a check (HTTP / TCP / browser-flow), regions, cadence |
| GET | /synthetics/{id}/results | Recent run results with latency, status, and screenshot URLs |
| POST | /synthetics/{id}/run | Trigger a one-off run outside the schedule |
| DELETE | /synthetics/{id} | Delete a synthetic check |
Every privileged action lands in the audit log: agent executions, alert silences, user role changes, runbook approvals. Each entry includes actor, target, before/after, and a request ID that ties back to the originating API call.
| Method | Path | Description |
|---|---|---|
| GET | /audit | Search audit events; filter by ?actor=, ?target=, ?since= |
| GET | /audit/{id} | Fetch a single audit event with full diff and request context |
| POST | /audit/export | Export a date range to CSV or JSON; returns a signed download URL |
Subscribe to events for incidents, alerts, agent actions, and audit. Each delivery is signed with HMAC-SHA256; rotate the secret without dropping in-flight deliveries via the rotate endpoint.
| Method | Path | Description |
|---|---|---|
| GET | /webhooks | List webhook subscriptions with event filters and last delivery |
| POST | /webhooks | Create a subscription (URL, event types, secret) |
| POST | /webhooks/{id}/rotate-secret | Rotate the signing secret; previous secret valid for 24h |
| POST | /webhooks/{id}/test | Send a test event to the configured URL |
| DELETE | /webhooks/{id} | Delete a subscription |
User management and API token rotation. SCIM 2.0 is exposed at /scim/v2 for automated provisioning from Okta, Azure AD, or any SCIM-capable IdP.
| Method | Path | Description |
|---|---|---|
| GET | /users | List users in the tenant with role and last-active timestamp |
| POST | /users | Invite a user by email; assigns role on accept |
| DELETE | /users/{id} | Deactivate a user and revoke all their tokens |
| GET | /tokens | List API tokens (metadata only, never returns the secret) |
| POST | /tokens/{id}/rotate | Rotate a token; new secret returned once, old valid for 1h |
| GET | /scim/v2/ServiceProviderConfig | SCIM 2.0 service config (point your IdP here) |
NovaQL is Nova's metric query language. Run ad-hoc queries against the same TSDB the UI uses, and persist results as panels inside dashboards.
| Method | Path | Description |
|---|---|---|
| GET | /dashboards | List dashboards with owner and last-edited timestamp |
| POST | /dashboards | Create or save a dashboard with panels and layout |
| GET | /dashboards/{id} | Fetch a dashboard with its panel definitions |
| POST | /novaql | Run a NovaQL query; returns timeseries results with metadata |
| GET | /panels/{id}/data | Fetch the resolved data for a single panel (CSV or JSON) |
Connect, test, and sync provider integrations programmatically. /integrations/{provider}/connect returns an OAuth or device-flow URL the user has to complete in a browser; everything else is callable headless.
| Method | Path | Description |
|---|---|---|
| GET | /integrations | List connected providers with health and last-sync time |
| POST | /integrations/{provider}/connect | Start a connect flow; returns OAuth URL or device code |
| POST | /integrations/{provider}/test | Probe credentials and report success / specific failure reason |
| POST | /integrations/{provider}/sync | Trigger an out-of-band sync (pull resources, services, alerts) |
| GET | /integrations/{provider}/status | Integration health, sync lag, and last error if any |
| DELETE | /integrations/{provider} | Disconnect and delete stored credentials |
import os, requests
resp = requests.get(
"https://api.novaaiops.com/v1/incidents",
params={"status": "open"},
headers={
"Authorization": f"Bearer {os.environ['NOVA_TOKEN']}",
"API-Version": "2026-04-01",
},
)
resp.raise_for_status()
for inc in resp.json()["data"]:
print(inc["id"], inc["severity"], inc["title"])
const res = await fetch("https://api.novaaiops.com/v1/incidents?status=open", {
headers: {
"Authorization": `Bearer ${process.env.NOVA_TOKEN}`,
"API-Version": "2026-04-01",
},
});
const { data } = await res.json();
data.forEach(inc => console.log(inc.id, inc.severity, inc.title));
Defaults: 100 requests/minute per token, 10K requests/day per tenant. Bursts above the per-minute cap return 429 Too Many Requests with a Retry-After header. Enterprise plans raise both limits; ask sales if you need more.
Every non-2xx response uses the same envelope so clients can switch on error.code without inspecting the HTTP status. request_id is the right thing to quote when you email support.
{
"error": {
"code": "incident_not_found",
"message": "No incident with id=inc_12abf3 in tenant=acme-prod.",
"request_id": "req_01HXY8N9V2W4M2A0Q9P1B2C3D4"
}
}
Status codes you'll see: 400 validation, 401 bad token, 403 token lacks scope, 404 resource missing, 409 state conflict (e.g. acking a resolved incident), 422 semantic conflict, 429 rate limit, 500 on our side.
List endpoints are cursor-paginated. Pass ?limit=N (max 200, default 50) and ?cursor=X (the value returned in next_cursor on the previous page). When next_cursor is omitted you've reached the end.
{
"data": [ /* ... up to N items ... */ ],
"next_cursor": "eyJpZCI6Imluc18xMjNhYmYzIn0"
}
POST endpoints accept an optional Idempotency-Key header. If you replay the same key within 24 hours, Nova returns the original response instead of creating a duplicate. Use it for any write that you might retry on a network blip.
The full spec lives at api.novaaiops.com/v1/openapi.json. Drop it into Swagger UI, Postman, Insomnia, or any OpenAPI client to generate types and SDKs.
If you're integrating against the API and run into anything weird, email developers@novaaiops.com. Same-day reply during business hours, faster on Slack if you're an enterprise customer.