ProductDocsPricingBlog

API Reference

REST API endpoints and authentication.

Authentication

NjiraAI has two API auth modes:

  • Session auth (Console/control plane): POST /v1/auth/login returns a JWT + cookie used by Console and operator APIs.
  • API key auth (programmatic): Authorization: Bearer nj_live_* or nj_test_* for SDK/governance and programmatic control-plane automation.

Standard Headers

Control behavior and context with these headers:

  • X-Njira-Tier: fast, standard (default), or strong
  • X-Tool-Name: Identifier for the calling tool (e.g., web_search)
  • X-Policy-Id: Specific policy ID to enforce
  • X-Tenant-Id: Tenant ID (Admin-only override)

Correlation Headers

  • x-njira-request-id
  • x-njira-trace-id
  • x-njira-project-id
  • x-njira-env

Enforcement Endpoints (API key)

POST /v1/enforce

Policy enforcement.

POST /v1/traces/events

Trace event ingest.

POST /v1/traces/flush (optional)

Force flush (server-side).

Programmatic Policy & Evaluation Endpoints (API key)

Use these endpoints when you want to manage policies or run evaluations without the Console UI.

Policies

  • GET /v1/sdk/policies
  • POST /v1/sdk/policies
  • GET /v1/sdk/policies/{policyId}
  • GET /v1/sdk/policies/{policyId}/versions/{version}
  • POST /v1/sdk/policies/{policyId}/versions
  • POST /v1/sdk/policies/{policyId}/activate

Simulation / Replay

  • POST /v1/sdk/simulation
  • POST /v1/sdk/simulation/manual
  • POST /v1/sdk/simulation/batch
  • POST /v1/sdk/traces/{traceId}/replay

Benchmarks

  • GET /v1/sdk/benchmarks/runs
  • POST /v1/sdk/benchmarks/runs
  • GET /v1/sdk/benchmarks/runs/{runId}

For lifecycle examples, see Policy Management.

SDK Governance Endpoints

These endpoints support the SDK-governed direct connect pattern, where your agent gets a verdict before calling the LLM/tool directly.

POST /v1/govern

Get a governance verdict for an input before execution.

Request:

{
  "input": "Transfer $50,000 to account 12345678",
  "tool_name": "bank_transfer",
  "policy_id": "finance_guard",
  "metadata": {}
}

Response:

{
  "request_id": "uuid",
  "action": "BLOCK",
  "reason_code": "HAZARD_DETECTED",
  "reason_text": "Financial fraud pattern detected",
  "confidence": 0.95,
  "violations": ["wire_transfer_detected"],
  "hazards_detected": ["financial_fraud"],
  "modified_text": null,
  "fix_explanation": null,
  "judge_mode": "rules",
  "latency_ms": 45
}

POST /v1/audit

Log a completed request/response after calling a tool directly.

Request:

{
  "request_id": "uuid",
  "tool_name": "web_search",
  "input": "search query",
  "output": "search results",
  "verdict_action": "ALLOW",
  "verdict_reason_code": "SAFE",
  "verdict_confidence": 1.0,
  "latency_ms": 120
}

Response (201):

{
  "ok": true,
  "audit_id": "uuid"
}

Raw input/output are not stored. Only input_length and a 200-char redacted snippet are persisted.