Documentation menu

Docs

API Overview

Base URL, authentication, response envelopes, rate limits and conventions for the AegisWhite REST API.

The AegisWhite REST API is the same interface our WHMCS module is built on. Everything the module does, your own integration can do. Use it to provision monitoring from any billing system, embed security data in your own dashboards, or automate customer sign-in.

Base URL

All endpoints are relative to your portal domain, the same domain your customers use, for example https://yourbrand.portal.aegiswhite.com or your custom portal domain. Your API key is bound to that domain: calls to any other portal domain are rejected with 403 TENANT_MISMATCH.

Base URL
https://{your-portal-domain}/api/v1

Your portal domain and API key are shown together in the portal under WHMCS Integration settings. Use exactly that pairing.

Authentication

Authenticate with a bearer token: your partner API key, generated in the portal (Settings → WHMCS Integration). The key authenticates as your whole partner account, so treat it like a root credential: store it server-side, never in client-side code, and regenerate it immediately if it leaks. It is shown only once at generation time.

Request headers
Authorization: Bearer {your-api-key}
Content-Type: application/json
Accept: application/json

On the endpoints that read or change customer-level data, pass whmcs_customer_id to scope the call to one customer. The API refuses cross-customer access on those calls with 403 Access denied.

Response envelopes

The provisioning, SSO, alerts, domain-monitoring and sandbox groups wrap results in a success envelope. The Allowed Ports and Endpoints groups return standard Laravel resource envelopes (data / links / meta) instead. Each group page notes which applies.

Success envelope
{
  "success": true,
  "data": { },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}
Error envelope
{
  "success": false,
  "error": {
    "code": "ENDPOINT_NOT_FOUND",
    "message": "No endpoint with that ID belongs to your account.",
    "details": { }
  },
  "meta": {
    "version": "v1",
    "timestamp": "2026-07-12T09:30:00+00:00"
  }
}

Validation failures return 422 with Laravel's standard shape: a message plus an errors map of field names to problems.

Errors every endpoint can return

StatusMeaning
401Missing or invalid API key (Unauthenticated.).
403 TENANT_MISMATCHThe API key does not belong to the portal domain you called. Check your base URL.
403 ACCOUNT_SUSPENDEDYour partner account is suspended.
422Request validation failed. See the errors map.
429Rate limit exceeded. Retry after the Retry-After header.

Rate limits

Provisioning, SSO, alerts, domain-monitoring and firewall-ingest endpoints allow 60 requests per minute per API key. Endpoints without a stricter limit fall back to the platform default of 100 requests per minute. Sandbox endpoints are not rate limited. 429 responses include a Retry-After header. Back off and retry.

Versioning

The current API version is v1, carried in every path and echoed in the meta.version of enveloped responses. Backwards-incompatible changes will ship under a new version prefix.

Sandbox mode

With sandbox mode enabled on your account, send X-Aegis-Sandbox: true on provisioning calls to simulate them end-to-end: no real scans run. See the Sandbox endpoints for scenario control, and the WHMCS troubleshooting guide for the module-driven flow.

Health check

Verify connectivity and your base URL with the unauthenticated health endpoint before wiring credentials:

Health check

GET/api/v1/health
No authenticationRate limit: 100 requests / minute (platform default)

Unauthenticated liveness check. Use it to verify connectivity and your base URL before wiring credentials.

Example request
curl -X GET 'https://portal.example.com/api/v1/health'
Response: 200
{
  "success": true,
  "status": "ok",
  "timestamp": "2026-07-12T09:30:00+00:00",
  "meta": {
    "version": "v1"
  }
}

Compiled from the AegisWhite platform (build 6bffe04, module v1.7.3, 2026-07-14).