Alerts
Read and resolve port-exposure alerts ("security issues").
Read and resolve port-exposure alerts ("security issues"). These endpoints power the client-area alert pages: pass whmcs_customer_id to scope results to one customer. An alert is raised for every open port that is not covered by an Allowed Ports rule, and auto-resolves when the port closes.
Error responses in this group carry the HTTP status as error.code (a number) and a human-readable error.message, rather than the string codes used by the provisioning group.
List alerts
/api/v1/alertsList port-exposure alerts, newest first. Filter by customer, endpoint, status or severity. Results are windowed with limit/offset; has_more tells you when to page again.
Query parameters
| Name | Type | Required | Notes |
|---|---|---|---|
whmcs_customer_id | integer | Optional | Limit results to one customer's endpoints. |
status | string | Optional | Filter by alert status.one of: open, acknowledged, resolved, false_positive |
severity | string | Optional | Filter by severity.one of: critical, high, medium, low |
endpoint_id | uuid | Optional | Limit results to a single endpoint. |
limit | integer | Optional | Page size (default 20, max 100).min:1 · max:100 |
offset | integer | Optional | Number of results to skip.min:0 |
sort | string | Optional | Sort column.one of: created_at, severity, last_detected_at |
order | string | Optional | Sort direction.one of: asc, desc |
curl -X GET 'https://portal.example.com/api/v1/alerts?whmcs_customer_id=1042&status=open&severity=critical&endpoint_id=9f2c1e4a-5b6d-4e7f-8a9b-0c1d2e3f4a5b&limit=20&offset=0&sort=created_at&order=desc' \
-H 'Authorization: Bearer $AEGIS_API_KEY'{
"success": true,
"data": {
"alerts": [
{
"id": "4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a",
"endpoint_id": "9f2c1e4a-5b6d-4e7f-8a9b-0c1d2e3f4a5b",
"ip_address": "203.0.113.10",
"port": 3306,
"protocol": "tcp",
"service": "mysql",
"severity": "critical",
"status": "open",
"risk_level": "critical",
"title": "Database port 3306 (mysql) exposed",
"explanation": "MySQL is reachable from the public internet…",
"created_at": "2026-07-12T08:15:00+00:00",
"first_detected_at": "2026-07-12T08:15:00+00:00",
"last_detected_at": "2026-07-12T09:15:00+00:00"
}
],
"total": 1,
"has_more": false
},
"meta": {
"version": "v1",
"timestamp": "2026-07-12T09:30:00+00:00"
}
}Alert counts by severity
/api/v1/alerts/summaryOpen-alert counts for one customer, broken down by severity: the numbers behind a dashboard's severity tiles.
Query parameters
| Name | Type | Required | Notes |
|---|---|---|---|
whmcs_customer_id | integer | Required | The customer to summarize. |
status | string | Optional | Status to count (defaults to open).one of: open, acknowledged, resolved, false_positive |
curl -X GET 'https://portal.example.com/api/v1/alerts/summary?whmcs_customer_id=1042&status=open' \
-H 'Authorization: Bearer $AEGIS_API_KEY'{
"success": true,
"data": {
"critical": 1,
"high": 2,
"medium": 0,
"low": 3,
"total": 6
},
"meta": {
"version": "v1",
"timestamp": "2026-07-12T09:30:00+00:00"
}
}Alert counts per endpoint
/api/v1/alerts/endpoint-summaryOpen-alert counts for each of a customer's endpoints, plus an overall total, used to render a per-server issue overview.
Query parameters
| Name | Type | Required | Notes |
|---|---|---|---|
whmcs_customer_id | integer | Required | The customer to summarize. |
curl -X GET 'https://portal.example.com/api/v1/alerts/endpoint-summary?whmcs_customer_id=1042' \
-H 'Authorization: Bearer $AEGIS_API_KEY'{
"success": true,
"data": {
"endpoints": [
{
"endpoint_id": "9f2c1e4a-5b6d-4e7f-8a9b-0c1d2e3f4a5b",
"ip_address": "203.0.113.10",
"nickname": "Web server",
"total_open": 3,
"critical": 1,
"high": 1,
"medium": 0,
"low": 1
}
],
"totals": {
"port_alerts_open": 3
}
},
"meta": {
"version": "v1",
"timestamp": "2026-07-12T09:30:00+00:00"
}
}Get an alert
/api/v1/alerts/{id}Fetch one alert with its full explanation. Pass whmcs_customer_id when acting on a customer's behalf. The call is refused if the alert's endpoint does not belong to that customer.
Query parameters
| Name | Type | Required | Notes |
|---|---|---|---|
whmcs_customer_id | integer | Optional | Customer making the request, for ownership checks. |
curl -X GET 'https://portal.example.com/api/v1/alerts/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a?whmcs_customer_id=1042' \
-H 'Authorization: Bearer $AEGIS_API_KEY'{
"success": true,
"data": {
"alert": {
"id": "4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a",
"endpoint_id": "9f2c1e4a-5b6d-4e7f-8a9b-0c1d2e3f4a5b",
"ip_address": "203.0.113.10",
"port": 3306,
"protocol": "tcp",
"service": "mysql",
"severity": "critical",
"status": "open",
"risk_level": "critical",
"title": "Database port 3306 (mysql) exposed",
"explanation": "MySQL is reachable from the public internet…",
"created_at": "2026-07-12T08:15:00+00:00",
"first_detected_at": "2026-07-12T08:15:00+00:00",
"last_detected_at": "2026-07-12T09:15:00+00:00"
}
},
"meta": {
"version": "v1",
"timestamp": "2026-07-12T09:30:00+00:00"
}
}Errors
| Code | Status | Meaning |
|---|---|---|
404 | 404 | Alert not found in your account. |
403 | 403 | Access denied: the alert's endpoint does not belong to the given customer. |
Get remediation commands
/api/v1/alerts/{id}/remediationReady-to-run commands that close the alerted port, for a chosen firewall platform. platform_options lists everything available; omit platform to get the default suggestion.
warningis set when closing the port could lock you out (for example SSH). Surface it to the user before they run the commands.
Query parameters
| Name | Type | Required | Notes |
|---|---|---|---|
platform | string | Optional | Firewall platform to generate commands for.one of: ufw, iptables, aws_sg, gcp_fw, azure_nsg, generic |
whmcs_customer_id | integer | Optional | Customer making the request, for ownership checks. |
curl -X GET 'https://portal.example.com/api/v1/alerts/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a/remediation?platform=ufw&whmcs_customer_id=1042' \
-H 'Authorization: Bearer $AEGIS_API_KEY'{
"success": true,
"data": {
"platform_options": {
"ufw": "UFW (Ubuntu/Debian)",
"iptables": "iptables",
"aws_sg": "AWS Security Group",
"gcp_fw": "GCP Firewall",
"azure_nsg": "Azure NSG",
"generic": "Generic"
},
"selected_platform": "ufw",
"commands": {
"deny_incoming_traffic": "sudo ufw deny 3306/tcp",
"reload_firewall": "sudo ufw reload"
},
"warning": null,
"docs_url": "https://help.ubuntu.com/community/UFW"
},
"meta": {
"version": "v1",
"timestamp": "2026-07-12T09:30:00+00:00"
}
}Errors
| Code | Status | Meaning |
|---|---|---|
404 | 404 | Alert not found in your account. |
403 | 403 | Access denied: the alert's endpoint does not belong to the given customer. |
Resolve an alert
/api/v1/alerts/{id}/resolveMark an alert as resolved ("I've fixed this"). If the port is still open on a later scan, a new alert is raised.
Body parameters
| Name | Type | Required | Notes |
|---|---|---|---|
whmcs_customer_id | integer | Optional | Customer making the request, for ownership checks. |
curl -X POST 'https://portal.example.com/api/v1/alerts/4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a/resolve' \
-H 'Authorization: Bearer $AEGIS_API_KEY' \
-H 'Content-Type: application/json' \
-d '{
"whmcs_customer_id": 1042
}'{
"success": true,
"data": {
"alert": {
"id": "4d3c2b1a-0f9e-4d8c-7b6a-5f4e3d2c1b0a",
"endpoint_id": "9f2c1e4a-5b6d-4e7f-8a9b-0c1d2e3f4a5b",
"ip_address": "203.0.113.10",
"port": 3306,
"protocol": "tcp",
"service": "mysql",
"severity": "critical",
"status": "resolved",
"risk_level": "critical",
"title": "Database port 3306 (mysql) exposed",
"explanation": "MySQL is reachable from the public internet…",
"created_at": "2026-07-12T08:15:00+00:00",
"first_detected_at": "2026-07-12T08:15:00+00:00",
"last_detected_at": "2026-07-12T09:15:00+00:00"
},
"message": "Alert resolved successfully"
},
"meta": {
"version": "v1",
"timestamp": "2026-07-12T09:30:00+00:00"
}
}Errors
| Code | Status | Meaning |
|---|---|---|
404 | 404 | Alert not found in your account. |
403 | 403 | Access denied: the alert's endpoint does not belong to the given customer. |