Skip to main content
Lazynext
Start Free
API

REST API

A small, honest REST surface. Bearer-token auth, scoped keys, JSON in / JSON out. v1 covers the read paths your CI runner needs and one write path for logging decisions from external tooling.

Machine-readable spec: /api/v1/openapi.json (OpenAPI 3.1)

Typed client lives at lib/sdk in the repo — copy client.ts into your project. Zero deps, ~150 lines, types map 1:1 to the OpenAPI schema.

Authentication

Every API request must carry a workspace-scoped API key. Keys are minted from Settings → Integrations → API Access on the Enterprise plan. You see the plaintext exactly once at creation; we store only a SHA-256 hash.

# Authorization header (RFC 6750):
curl https://lazynext.com/api/v1/audit-log?workspaceId=<id> \
  -H "Authorization: Bearer lzx_..."

# X-Api-Key header is also accepted:
curl https://lazynext.com/api/v1/audit-log?workspaceId=<id> \
  -H "X-Api-Key: lzx_..."

Cookie-session callers (the dashboard) use the same endpoints with no bearer header — your browser session handles it.

Scopes

Each key is minted with one or both scopes. Default is least-privilege.

  • read — call any GET endpoint.
  • write — also call POST/PATCH/DELETE endpoints.

A request whose key is missing the required scope returns 403 INSUFFICIENT_SCOPE with a requiredScope field naming what it would have needed.

Rate limits

Buckets are keyed by the key id (cookie sessions: per user) so a leaked key burns its own budget. Each endpoint family has its own limit:

  • read endpoints — 100 / minute.
  • export endpoints (workspace dump, CSV) — 10 / minute.
  • mutation endpoints (POST/PATCH/DELETE) — 30 / minute.

Exceeding the bucket returns 429 with a Retry-After header.

Endpoints

GET/api/v1/exportscope: read

Full workspace export (workflows, nodes, decisions) as JSON. Pass ?workspaceId=<uuid> — for bearer requests this must match the key's workspace.

GET/api/v1/audit-logscope: read

Cursor-paginated audit log. Filterable by action, resourceType. Includes api_key.create and api_key.revoke entries. Requires the audit-log feature gate (Business plan and up).

GET/api/v1/decisionsscope: read

Lists every decision in the workspace, newest first.

GET/api/v1/decisions/export-csvscope: read

Same data as /decisions rendered as a CSV stream — useful for dropping into a spreadsheet or BI tool.

POST/api/v1/decisionsscope: write

Log a new decision. Body is JSON: workspaceId, question (required), plus optional resolution, rationale, optionsConsidered, decisionType, tags, expectedBy. The Decision DNA scorer runs server-side and the score is in the response.

GET/api/v1/decisions/{id}scope: read

Single decision by id. Bearer keys must target the workspace that owns the decision — cross-workspace lookups return 403 WORKSPACE_MISMATCH.

PATCH/api/v1/decisions/{id}scope: write

Update resolution, rationale, status, outcome, outcomeNotes, outcomeConfidence, or tags. Setting an outcome (other than pending) bumps the workspace WMS.

DELETE/api/v1/decisions/{id}scope: write

Permanently remove a decision. Cascades to all linked outcomes.

Errors

Errors are JSON: { "error": "CODE", "message"?: "..." }.

  • 401 UNAUTHORIZED — no key, malformed key, expired key.
  • 403 FORBIDDEN — cookie user isn't a workspace member.
  • 403 WORKSPACE_MISMATCH — bearer key targets a different workspace than the request.
  • 403 INSUFFICIENT_SCOPE — key lacks the required scope.
  • 402 PLAN_GATE — feature requires a higher plan.
  • 429 — rate-limit exceeded.
  • 503 DATABASE_NOT_CONFIGURED — only on misconfigured self-host installs.
More endpoints land as we wire them to bearer auth. See the changelog for the per-version rollout.