The LakeSail platform API.
Beta Notice: This API is currently in beta. All endpoints, request/response
schemas, and authentication flows are subject to change.
Getting Started
Base URL
All API requests are made to:
https://platform.lakesail.com/api/v1
All requests and responses use application/json.
Authentication
Most endpoints require a Bearer token in the Authorization header:
Authorization: Bearer <token>
User sessions are passed as Bearer tokens.
Contact
License
LakeSail API LicenseServers
authentication
Account signup, login (password, SSO, one-time code), password reset, email verification, and logout.
Operations
List available permissions
Returns all available permission definitions, including their descriptions and applicable resource types.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
List of permission definitions
identity-providers
Configure external identity providers for single sign-on and list available provider types.
List available identity provider types
Returns a list of identity provider types that organizations can configure. Only enabled and visible providers are returned.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
A list of identity provider types is returned.
List identity providers
Returns a paginated list of all identity providers configured for the organization, including their type, status, and issuer information.
Authorizations
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
A list of identity providers is returned.
Create an identity provider
Configures a new external identity provider (e.g. Okta, Azure AD, Google Workspace) for single sign-on. Users can then authenticate through this provider to access the organization.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The identity provider was created successfully.
Auto-setup identity provider
Discovers the OIDC configuration from the provider's base URL and automatically
registers LakeSail as an OAuth client using Dynamic Client Registration (RFC 7591).
The provider URL must be a fully-qualified URL including the scheme (http:// or https://).
Note: Not all identity providers support Dynamic Client Registration. The endpoint
will return an error if the provider does not support it.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
Identity provider was successfully auto-configured.
Describe an identity provider
Returns the configuration details of an identity provider, including its type, issuer URL, and client settings.
Authorizations
Responses
The information about the identity provider is returned.
Delete an identity provider
Removes an identity provider configuration. Users who authenticated exclusively through this provider will need an alternative sign-in method.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
Update an identity provider
Modifies an identity provider's configuration, such as its display name, issuer URL, or client settings. Changes take effect for subsequent sign-in attempts.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The identity provider was updated successfully.
Rotate an identity provider's client secret
Updates the client secret for an identity provider. The new secret must be obtained
from the identity provider's admin console first.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The client secret was rotated successfully.
Test an identity provider connection
Validates the identity provider configuration by attempting to discover and fetch
the OIDC configuration from the provider's well-known endpoint.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The connection test result.
users
User account management and self-service profile operations.
Operations
Get current user profile
Returns the profile and organization membership details of the currently authenticated user.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The information about the current identity is returned.
Update my profile
Modifies the authenticated user's profile information such as their display name or preferences.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The user profile was updated successfully.
List my email addresses
Returns all email addresses associated with the authenticated user's account, including their verification status.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
The email addresses of the current identity are returned.
Add an email address
Adds a new email address to the current user's account and sends a verification email.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The email address was added and a verification email has been sent.
List my logins
Returns all active (non-expired) logins for the currently authenticated user, including device, IP address, and user agent information.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The logins of the current user are returned.
Revoke a login
Revokes a specific active login for the currently authenticated user. This immediately invalidates the login's access token.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
List my trusted devices
Returns all active (non-expired) trusted devices for the currently authenticated user. Trusted devices bypass two-factor authentication challenges.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The trusted devices of the current user are returned.
Revoke a trusted device
Revokes a specific trusted device for the currently authenticated user. Future logins from this device will require two-factor authentication.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
List my teams
Returns all teams that the authenticated user is a member of, including their role within each team.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The teams of the current identity are returned.
List users
Returns a paginated list of all user accounts in the organization.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
A list of users is returned.
Create a user
Creates a new user account in the platform with the specified profile information and credentials.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The user was created successfully.
Describe a user
Returns the full details of a user account, including their profile information and account status.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The information about the user is returned.
Delete a user
Permanently removes a user account and revokes all their active sessions, organization memberships, and team assignments.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
Update a user
Modifies a user account's profile information or account settings.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The user was updated successfully.
Reset user MFA
Deletes all MFA configurations (TOTP and recovery codes) for the specified user
and revokes all their active sessions. The user will be required to re-authenticate
and set up MFA again.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
Change user password
The current password must be provided in the request body.
For organization administrators, to reset password for a user without their current password, use the ResetPassword operation instead.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The requested operation was done successfully.
Reset user password
Admin operation that generates a new temporary password for a user. To change the current user's own password, use ChangePassword instead.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The password was reset successfully.
catalogs
Data catalog management, both configured in LakeSail and provisioned into cloud accounts.
Operations
List my catalogs
Returns all catalogs that the current user can access based on their team memberships.
Includes team associations and external catalog references in the normalized response.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11The field to sort by.
"name""updatedAt""name"The direction to sort (ascending or descending).
"asc""desc""asc"Responses
A list of catalogs the current user can access is returned.
List catalogs
Returns all catalogs the caller has permission to view across the organization.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100Responses
A list of catalogs is returned.
Create a catalog
Creates a new catalog with the specified provider and configuration. Returns 409 if a catalog with the same name already exists.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The catalog was created successfully.
Describe a catalog
Returns the full details of a catalog, including its provider configuration.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A catalog ID.
Responses
The catalog details.
Disconnect a catalog from the organization
Disconnects a catalog from the organization. The catalog record and its team associations are removed from LakeSail; the underlying external data source (for example, an AWS Glue catalog) is not affected. Queries that reference this catalog will need to be updated.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A catalog ID.
Responses
The requested operation was done successfully.
Update a catalog
Modifies a catalog's name or provider configuration.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A catalog ID.
Request Body
Responses
The catalog was updated successfully.
List catalog teams
Returns all teams that have been granted access to the specified catalog.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A catalog ID.
Responses
A list of catalog teams is returned.
Add teams to a catalog
Grants one or more teams access to the specified catalog.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A catalog ID.
Request Body
Responses
The teams were added to the catalog successfully.
Remove a team from a catalog
Revokes a team's access to the specified catalog.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A catalog ID.
The team ID.
Responses
The team was removed from the catalog successfully.
List queries that use a catalog
Returns all queries that reference the specified catalog as a data source.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100Responses
A list of queries using this catalog is returned.
List team catalogs
Returns all catalogs that have been assigned to the specified team.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100Responses
A list of team catalogs is returned.
clusters
Kubernetes cluster management, both self-registered and provisioned into cloud accounts.
Operations
List my clusters
Returns all Kubernetes clusters that the current user can access based on their team memberships.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11The field to sort by.
"name""name"The direction to sort (ascending or descending).
"asc""desc""asc"Responses
A list of clusters the current user can access is returned.
Describe an accessible cluster
Returns a single Kubernetes cluster that the current user can access based on their team memberships.
Returns 404 if the cluster does not exist or the user has no access.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The cluster accessible by the current user is returned.
List provisioned clusters
Returns all provisioned clusters accessible to the organization across all connections, supporting marker-based pagination.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
List of External clusters with connection information.
Describe a provisioned cluster
Returns the details of a specific provisioned cluster including its connection information and related entities.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
External cluster details with connection information.
Delete a provisioned cluster record
Permanently deletes a provisioned cluster record. The cluster's infrastructure must
first be destroyed before the record can be deleted. A cluster in a failed state
may still have active infrastructure and should be destroyed first.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
List provisioned clusters by connection
Returns the provisioned clusters within the specified connection.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
List of External clusters with connection information.
Create a provisioned cluster
Creates a new EKS cluster in your AWS account via the specified connection. Requires an active connection and an active network.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
External cluster created successfully.
Describe a provisioned cluster by connection
Returns the details of a provisioned cluster, including its Kubernetes version, node group configuration, and provisioning status.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
External cluster details with connection information.
Update a provisioned cluster
Update the Kubernetes version or node group configuration of a provisioned cluster. This triggers an asynchronous update process.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
External cluster upgrade started
Destroy a provisioned cluster
Initiates destruction of an active provisioned cluster's cloud infrastructure. The cluster record is retained for reference. Returns an operation ID for tracking progress.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
Destruction operation initiated.
Get provisioned cluster health status
Returns the health status of the EKS cluster and its node groups.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
External cluster health status
Get provisioned cluster kubeconfig
Returns a kubeconfig that can be used to access the EKS cluster.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
Kubeconfig for the External cluster.
Get provisioned cluster metrics
Returns CPU and memory utilization metrics for the cluster over a specified period.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The period for metrics (e.g., "1h", "24h", "7d"). Default is "1h".
"1h"Responses
External cluster metrics.
Provision a cluster
Triggers provisioning of a cluster in pending status. Returns an operation ID for progress tracking.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
Provisioning operation initiated.
jobs
Job definitions, versioning, drafts, and team assignment.
Operations
List my jobs
Returns all jobs that the current user can access based on their team memberships.
Includes team associations and latest job run references in the normalized response.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11The field to sort by.
"jobKey""createdAt""lastRunAt""lastRunAt"The direction to sort (ascending or descending).
"asc""desc""asc"Responses
A list of jobs the current user can access is returned.
List jobs
Returns a paginated list of all jobs in the organization, including their current status, active version, and schedule information.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11Responses
The list of LakeSail jobs is returned.
Create a job
Defines a new job within the organization. The job is created with an initial published version containing the provided configuration, including the target cluster, schedule, and query assignments. Requires an active cluster and at least one team.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The LakeSail job was created successfully.
Describe a job
Returns the full details of a job, including its current active version configuration, schedule, and associated cluster and query information.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Responses
Job details with normalized entity references
Delete a job
Permanently removes a job and all its associated versions, runs, and team assignments. Active or pending runs are cancelled before deletion.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Responses
The requested operation was done successfully.
Update a job
Modifies a job's metadata such as its name or description. To change execution configuration (cluster, schedule, queries), create a new version using the versioning endpoints instead.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Request Body
Responses
The LakeSail job was updated successfully.
Activate a job version
Changes the job's active configuration to a previously published version.
The target version must exist and be published. Any existing draft version
must be discarded or published before activating a different version.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Request Body
Responses
The specified version was activated successfully.
Describe the draft version of a job
Returns the current draft version for the specified job.
Returns 404 if no draft version exists.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Responses
The draft version details.
Create a new draft version for a job
Creates a new draft version by copying the currently published version's
configuration. Fields provided in the request body override the copied values.
A job can have at most one draft version at a time. If a draft already exists,
returns 409 Conflict.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Request Body
Responses
A new draft version was created successfully.
Discard the draft version of a job
Discards (deletes) the current draft version without publishing it.
The job continues running its current published version unchanged.
Returns 404 if no draft version exists.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Responses
The draft version was discarded successfully.
Update the draft version of a job
Updates fields on the current draft version. Only provided fields are modified;
omitted fields retain their current values. Returns 404 if no draft version exists.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Request Body
Responses
The draft version was updated successfully.
Publish the draft version of a job
Publishes the current draft version, making it the new active configuration.
The draft version's status changes to 'published' and the job's version pointer
is updated. Returns 400 if no draft version exists, 404 if the job does not exist.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Responses
The draft version was published successfully.
List job teams
Returns the teams that have been granted access to the specified job.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11Responses
The list of teams associated with the job is returned.
Add teams to a job
Grants one or more teams access to a job. Team members inherit the ability to view the job and its runs based on their team role permissions.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Request Body
Responses
The teams were added to the job successfully.
Remove a team from a job
Revokes a team's access to a job. Team members will no longer be able to view or interact with the job unless they have access through another team.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
The team ID.
Responses
The team was removed from the job successfully.
List job versions
Returns a paginated list of all published versions for a job, ordered by version number. Each version represents a point-in-time configuration snapshot.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11Responses
The list of LakeSail job versions is returned.
Create a job version
Creates and publishes a new version for the job in a single request. This is
equivalent to creating a draft, updating fields, and publishing. The job must
not have an existing draft version.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Request Body
Responses
The job version was created and published successfully.
Describe a job version
Returns the full configuration snapshot for a specific version of a job, including cluster assignment, schedule, queries, and dependency settings.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
A LakeSail job version.
"int32"1Responses
Job details for the specified version, with normalized entity references
List team jobs
Returns a paginated list of jobs that the specified team has been granted access to.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11Responses
The list of LakeSail jobs accessible to the team is returned.
List jobs on a cluster
Returns a paginated list of jobs whose active version is configured to execute on the specified cluster.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11Responses
The list of LakeSail jobs configured to run on the cluster is returned.
List my job runs
Returns all job runs that the authenticated user can access based on their team memberships and role permissions.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
The list of job runs accessible by the current user is returned.
List job runs
Returns a paginated list of runs for a specific job, ordered by creation time. Includes status, timing, and trigger information for each run.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
The list of LakeSail job runs is returned.
Create a job run
Triggers a new execution of the job using its currently active version configuration. The run is placed in a pending state until released or automatically dispatched by the scheduler.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
Request Body
Responses
The LakeSail job run was created successfully.
Describe a job run
Returns the full details of a job run, including its current status, timing information, and execution results.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
A LakeSail job run ID.
Responses
The LakeSail job run is returned.
Delete a job run
Permanently removes a job run record. Only completed, failed, or cancelled runs can be deleted.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A LakeSail job ID.
A LakeSail job run ID.
Responses
The requested operation was done successfully.
Release a pending job run for execution
Transitions a job run from pending to ready, making it eligible for execution.
Use this when orchestrating job runs that were created in pending status and
should be released once their dependencies are satisfied.
Returns 409 if the run is not currently in pending status.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The job run has been released and is now in ready status.
Retry a job run
Resets a terminal job run so it can be executed again.
The run keeps its original ID, version, parameters, and audit trail.
The run's status must be failed, timeout, or cancelled. By default
the run transitions to ready (immediately eligible for execution).
If hold is true in the request body, the run transitions to pending
instead, requiring a subsequent Release call before execution.
Returns 409 if the run is not in an allowed terminal status.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The job run has been reset. Its status is ready (eligible for execution) or pending (held until released) depending on the hold flag in the request.
Reset my MFA
Deletes all MFA configurations (TOTP and recovery codes) for the currently
authenticated user and revokes all active sessions, requiring re-authentication.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
List my queries
Returns all queries that the current user can access based on their team memberships.
Includes team associations for each query in the normalized response.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11The field to sort by.
"name""updatedAt""updatedAt"The direction to sort (ascending or descending).
"asc""desc""asc"Responses
A list of queries the current user can access is returned.
List queries
Returns a paginated list of all queries in the organization, including their SQL statements and catalog configuration.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100Responses
A list of queries is returned.
Create a query
Defines a new reusable SQL query within the organization. Queries can be referenced by one or more jobs and shared with teams for collaborative use.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The query was created successfully.
Describe a query
Returns the full details of a query, including its SQL statement, catalog provider, schema, and associated teams.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A query ID.
Responses
Query details with normalized entity references.
Delete a query
Permanently removes a query and its team assignments. Queries that are still referenced by active jobs cannot be deleted.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A query ID.
Responses
The requested operation was done successfully.
Update a query
Modifies a query's properties such as its name, SQL statement, catalog provider, or schema configuration.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A query ID.
Request Body
Responses
The query was updated successfully.
List query teams
Returns the teams that have been granted access to the specified query.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100Responses
The list of teams associated with the query is returned.
Add teams to a query
Grants one or more teams access to a query. Team members inherit the ability to view and use the query based on their team role permissions.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A query ID.
Request Body
Responses
The teams were added to the query successfully.
Remove a team from a query
Revokes a team's access to a query. Team members will no longer be able to view or use the query unless they have access through another team.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A query ID.
The team ID.
Responses
The team was removed from the query successfully.
List team queries
Returns a paginated list of queries that the specified team has been granted access to.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100Responses
A list of queries accessible to the team is returned.
List teams
Returns all teams within the organization, including their member counts and descriptions.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11The maximum number of items to list.
"int32"0100100The field to sort by.
"name""email""name"The direction to sort (ascending or descending).
"asc""desc""asc"Responses
A list of teams is returned.
Create a team
Creates a new team within the organization. Teams are used to group members and control access to clusters, jobs, and queries.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
Successfully created team.
Describe a team
Returns the full details of a team, including its name, description, and member count.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The team response.
Delete a team
Permanently removes a team and all its member assignments. Resources previously shared with this team become inaccessible to its former members unless they have access through another team.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
Update a team
Modifies a team's metadata such as its name or description.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
Successfully updated team.
List team members
Returns all members of a team, including their assigned team roles.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11The maximum number of items to list.
"int32"0100100The field to sort by.
"name""email""name"The direction to sort (ascending or descending).
"asc""desc""asc"Responses
A list of team members is returned.
Add a team member
Adds an existing organization member to a team, granting them access to the team's associated resources (clusters, jobs, queries). If roleIds is omitted or empty, the team's configured default role is used.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The member was added to the team successfully.
Remove a team member
Removes a member from a team. The member loses access to resources shared with this team unless they have access through another team.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The member was removed from the team successfully.
Update team member roles
Syncs the team roles for a team member by replacing all existing roles with the provided list.
At least one role must be provided; to remove a member from the team entirely use the
remove-team-member endpoint instead.
The member must be a member of the team before roles can be assigned.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The requested operation was done successfully.
List organization roles
Returns all roles available within the organization, including their names and descriptions. Organization roles define the permissions a member has at the organization level.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11The maximum number of items to list.
"int32"0100100Search term to filter results. Searches across relevant text fields like names and descriptions.
""The field to sort by.
"name""name"The direction to sort (ascending or descending).
"asc""desc""asc"Responses
A list of organization roles is returned.
Describe an organization role
Retrieves detailed information about a specific organization role, including all assigned permissions and permission bundles.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
The organization role ID.
"A1B2C3D4E5"120"^[A-Z0-9]{1,20}$"Responses
Organization role details retrieved successfully
List team roles
Returns all team roles within the organization that can be assigned to team members.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11The maximum number of items to list.
"int32"0100100Search term to filter results. Searches across relevant text fields like names and descriptions.
""The field to sort by.
"name""name"The direction to sort (ascending or descending).
"asc""desc""asc"Responses
A list of team roles is returned.
Describe a team role
Retrieves detailed information about a specific team role, including all assigned permissions and permission bundles.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
The ID of the team role.
Responses
Team role details retrieved successfully
Create an invitation
Sends an email invitation to a user to join the organization. If the user does not yet have an account, they will be guided through signup.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The invite was created successfully.
Describe an invitation
Returns the details of a pending invitation, including the invited email address, expiration time, and current status.
Responses
The invite details.
Accept an invitation
Accepts a pending invitation, adding the authenticated user as a member of the organization.
Request Body
Responses
The invite was accepted successfully.
Search members
Returns a filtered list of organization members matching the search criteria, including their profiles and role assignments.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11The maximum number of items to list.
"int32"0100100The field to sort by.
"name""email""name"The direction to sort (ascending or descending).
"asc""desc""asc"Filter criteria for members
Responses
A paginated list of organization users with details is returned.
Describe an organization member
Returns the full details of an organization member, including their profile, assigned roles, and team memberships.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
Organization user details retrieved successfully
Remove a member
Removes a user from the organization and revokes all their assigned roles and team memberships.
The last Owner of the organization cannot be removed.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
Update a member
Modifies an organization member's profile information such as their display name.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The updated organization user.
Update member roles
Replaces all organization roles for a member with the provided list.
At least one role must be provided; to remove a member entirely use the
remove-member endpoint instead.
The last Owner of the organization cannot have their Owner role removed.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The requested operation was done successfully.
connections
Cloud account connections, CloudFormation template management, and resource discovery.
Operations
List cloud accounts
Returns a paginated list of cloud accounts configured for the organization.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
List of External connections.
Create a cloud account
Creates a new cloud account and returns the CloudFormation template information needed for deployment.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
External connection created successfully.
Describe a cloud account
Returns the details of a cloud account, including its provider, region, deployment status, and associated resources.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
External connection details.
Delete a cloud account
Permanently removes a cloud account. All associated clusters, networks, and catalogs must be destroyed before the connection can be deleted.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
Update a cloud account
Modifies a cloud account's metadata such as its name.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
Updated external connection.
List available cloud instance types
Returns EC2 instance types available in the cloud provider account for the specified connection. Supports filtering by region, architecture, CPU, and memory.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
AWS region to list instance types for. If not provided, defaults to the connection's configured region.
The maximum number of items to list.
"int32"0100100Filter by architecture (x86_64 or arm64)
"x86_64""arm64"Minimum number of vCPUs
1Minimum memory in MiB
1024Responses
List of available instance types for the cloud provider.
List available cloud provider regions
Returns the cloud provider regions available for provisioning external clusters and networks.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
List of available cloud provider regions
Sync cloud account IaC template
Updates the CloudFormation stack for this connection with the latest template. The update runs asynchronously. Only available for active connections with a deployed stack.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
Template sync operation initiated.
Get connection template
Returns the CloudFormation template URL and parameters needed to deploy the connection stack in the cloud account.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
CloudFormation template information.
Download connection template
Downloads the CloudFormation template file with parameter defaults pre-filled, ready for upload to the AWS CloudFormation console. Use Get connection template for the URL and raw parameters instead.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
CloudFormation template with defaults injected.
Verify a cloud account
Validates that the cloud account is correctly configured. Call this after deploying the CloudFormation template.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
External connection verification result.
networks
Cloud network provisioning and lifecycle management.
Operations
List available cloud provider networks
Returns VPCs and subnets available in the cloud provider account for the specified connection and region.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
AWS region to list networks for. If not provided, defaults to the connection's configured region.
Responses
List of available networks
List cloud networks
Returns all managed networks created through the API across all connections, supporting marker-based pagination.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
List of managed external networks
Delete a cloud network record
Permanently deletes a cloud network record. The network's infrastructure must
first be destroyed before the record can be deleted. A network in a failed state
may still have active infrastructure and should be destroyed first.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The requested operation was done successfully.
List cloud networks by connection
Returns the managed networks provisioned through the specified connection.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
List of managed external networks
Create a cloud network
Creates a new network in the customer's cloud account via the specified connection. Requires an active connection.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
Managed external network created successfully.
Describe a cloud network
Returns the details of a cloud network, including its VPC configuration, subnets, and provisioning status.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
Managed external network details with connection information.
Destroy a cloud network
Initiates destruction of an active cloud network and all associated networking resources. All clusters and catalogs in the network must be destroyed first. The network record is retained for reference. Returns an operation ID for tracking progress.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
Destruction operation initiated.
Update a cloud network
Modifies a cloud network's metadata such as its name.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
Updated external network.
Provision a cloud network
Triggers provisioning of a cloud network in pending status. Returns an operation ID for progress tracking.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
Provisioning operation initiated.
List secrets
Returns managed workload secrets visible to the current member through team membership.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.
"int32"11Responses
A list of secrets is returned.
Create a secret
Creates a managed workload secret. Secret values are stored encrypted and are never returned.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The secret was created successfully.
Describe a secret
Returns managed workload secret metadata. The secret value is never returned.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The secret was returned successfully.
Delete a secret
Soft-deletes an unreferenced managed workload secret.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The secret was deleted successfully.
Update a secret
Updates managed workload secret metadata and team assignments. Team removals that would break existing references are rejected.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The secret was updated successfully.
Replace a secret value
Replaces the current secret value by appending a new internal version. The value is never returned.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The secret value was replaced successfully.
Revoke a secret
Emergency-revokes the current secret version. Future runtime resolution fails closed until a replacement value is provided.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The secret current version was revoked successfully.
notebooks
Marimo-based interactive Python notebooks backed by Sail (Spark) sessions.
Operations
List notebooks
Returns a paginated list of notebooks accessible to the requesting member, including notebooks they own and notebooks shared with their teams. Organization administrators see all notebooks.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100Responses
A paginated list of notebooks is returned.
Create a notebook
Creates a new Marimo notebook associated with a workload configuration. The notebook starts in stopped state. Call StartNotebook to provision the Sail and Marimo pods.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The notebook was created successfully.
Describe a notebook
Returns the full details of a notebook, including its current status, configuration, associated workload config, and team access list.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A notebook ID.
Responses
Notebook details with normalized entity references.
Delete a notebook
Permanently removes a notebook and its team assignments. If the notebook is currently running, it will be stopped before deletion.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A notebook ID.
Responses
The requested operation was done successfully.
Update a notebook
Modifies a notebook's display name, description, or idle timeout. The workload configuration can only be changed when the notebook is stopped.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A notebook ID.
Request Body
Responses
The notebook was updated successfully.
Start a notebook
Provisions the Sail (Spark Connect) and Marimo pods for this notebook. The notebook must be in stopped state. Status transitions to starting immediately; the session proxy URL becomes available once status reaches running.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A notebook ID.
Responses
Notebook start initiated; status has transitioned to starting.
Stop a notebook
Tears down the Sail and Marimo pods for this notebook. The notebook must be in running state. Status transitions to stopping immediately; a stopped status confirms teardown is complete.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A notebook ID.
Responses
Notebook stop initiated; status has transitioned to stopping.
Open a notebook
Returns a short-lived proxy authentication URL for embedding the notebook UI as an iframe. The notebook must be in running, idle, or detached state. The URL is valid for 5 minutes and is intended to be used once as the iframe src; the session proxy validates the embedded JWT, sets a same-site access cookie, and redirects to the notebook.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A notebook ID.
Responses
A short-lived proxy authentication URL for embedding the notebook as an iframe.
Record notebook activity
Records the authenticated user's presence while a notebook is open in the browser. Updates the activity timestamp used by the idle-timeout monitor, keeping the notebook session alive while the user has it open. The notebook must be in running, idle, or detached state. Intended to be called periodically (e.g. every 60 seconds) by the frontend while the notebook iframe is rendered.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A notebook ID.
Responses
Activity recorded.
List notebook teams
Returns the teams that have been granted access to the specified notebook.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A notebook ID.
Query Parameters
The maximum number of items to list.
"int32"0100100Responses
A list of teams associated with the notebook is returned.
Add teams to a notebook
Grants one or more teams access to a notebook. Team members will be able to view and open the notebook (in read-only mode if the owner is active).
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A notebook ID.
Request Body
Responses
The teams were added to the notebook successfully.
Remove a team from a notebook
Revokes a team's access to a notebook. Team members will no longer be able to view or open the notebook unless they have access through another team or are the notebook owner.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Path Parameters
A notebook ID.
The team ID.
Responses
The team was removed from the notebook successfully.
List team notebooks
Returns a paginated list of notebooks that the specified team has been granted access to.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100Responses
A list of notebooks accessible to the team is returned.
List sessions
Returns sessions visible to the caller: sessions they own plus sessions belonging to teams they are a member of. Passing teamId narrows the list to that team.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
Filter sessions by team.
"A1B2C3D4E5"120"^[A-Z0-9]{1,20}$"Filter sessions by endpoint type.
"spark_connect""marimo"Filter sessions by status.
"pending""active""idle""closed""failed"The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
The list of sessions.
Create a session
Creates a new session. Resolves or creates a compute config, finds a reusable compute instance or provisions a new one, and returns the session in pending state. The session transitions to active on the first proxy request after the compute instance is ready.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The session was created successfully.
Describe a session
Returns the session details. For the session owner, includes connectionInfo with the proxy authentication URL (HTTP-transport endpoints) or gRPC endpoint (gRPC-transport endpoints).
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The session was retrieved successfully.
Close a session
Closes the session immediately. The session transitions to closed and closed_at is set. Infrastructure cleanup (marimo pod, compute instance) is handled asynchronously. Can be called by the session owner, team admin, or org admin.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The session was closed successfully.
Issue a session proxy token
Issues a short-lived signed JWT bearer token for authenticating with the session gRPC proxy. Use the grpcEndpoint from the session's connectionInfo as the dial address and pass the token as Authorization: Bearer
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
A bearer token for gRPC proxy access.
Relaunch a closed session
Creates a new session using the same workload configuration as a previously closed or failed session. Useful for restarting a recurring session without having to reconfigure compute settings from scratch.
The original session must be in a terminal state (closed or failed). A brand-new session ID is returned — the original session is not mutated. The caller must be the original session owner.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The session was relaunched successfully.
List workload configs
Returns workload configs visible to the caller. When teamId is provided, only workload configs whose cluster is linked to that team are returned. Anonymous (inline) configs are excluded.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
Filter workload configs by team.
"A1B2C3D4E5"120"^[A-Z0-9]{1,20}$"The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Responses
The list of workload configs.
Create a workload config
Creates a named workload config for a cluster. Named configs can be reused across multiple sessions and shared with team members. Once created, workloadType and clusterId are immutable.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The workload config was created successfully.
Describe a workload config
Returns the full detail of a workload config.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The workload config was retrieved successfully.
notifications
Notification channels, delivery rules, event types, and notification history.
Operations
List available notification event types
Returns the list of event types that notification rules can subscribe to. Includes shortcut types (e.g., 'any terminal status') that expand into individual event types at rule creation time.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
A list of available notification event types.
List notification channels
Lists notification channels for the organization, optionally filtered by team or member ownership.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Filter by team ID.
"A1B2C3D4E5"120"^[A-Z0-9]{1,20}$"Filter by member ID.
"A1B2C3D4E5"120"^[A-Z0-9]{1,20}$"Responses
A list of notification channels.
Create a notification channel
Creates a new notification channel for delivering notifications to a team or member destination (email or webhook).
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The notification channel was created successfully.
Get notification channel details
Returns the details of a specific notification channel.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The notification channel details.
Delete a notification channel
Soft-deletes a notification channel. The channel is marked as deleted but preserved for delivery log history.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The notification channel was deleted successfully.
Update a notification channel
Updates the configuration of an existing notification channel.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The notification channel was updated successfully.
Send a test notification
Sends a test notification to verify the channel is configured correctly. On success, sets the channel's verifiedAt timestamp.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The test notification was sent successfully.
List notification rules
Lists notification rules for the organization, optionally filtered by team, member, resource type, or scope type.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Filter by team ID.
Filter by member ID.
Filter rules by resource type.
Filter rules by scope type.
"resource""team""organization""own_resources"Responses
A list of notification rules.
Create a notification rule
Creates a new notification rule that maps event types to notification channels.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The notification rule was created successfully.
Get notification rule details
Returns the details of a specific notification rule.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The notification rule details.
Delete a notification rule
Deletes a notification rule. Future events will no longer match this rule.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
The notification rule was deleted successfully.
Update a notification rule
Updates an existing notification rule (including enable/disable).
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Request Body
Responses
The notification rule was updated successfully.
List notification delivery history
Lists notification delivery log entries, optionally filtered by channel, rule, or status.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Filter by channel ID.
"A1B2C3D4E5"120"^[A-Z0-9]{1,20}$"Filter by rule ID.
"A1B2C3D4E5"120"^[A-Z0-9]{1,20}$"Filter by delivery status.
"pending""delivering""delivered""failed""skipped"Responses
A list of notification delivery log entries.
List billable cloud accounts
Returns marketplace-linked cloud accounts for the calling organization, including the most recent submission timestamp and the current rate card.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
A list of billable cloud accounts with the current rate card.
List submission windows for a cloud account
Returns metering submission windows for one cloud account, optionally filtered by date range and zero-usage inclusion.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Parameters
Query Parameters
The maximum number of items to list.
"int32"0100100The pagination token returned from the previous list operation.
Include submissions with period_start at or after this timestamp.
"date-time"Include submissions with period_end at or before this timestamp.
"date-time"Include windows where submitted usage quantity was zero.
falseResponses
A list of billing submissions for one cloud account.
Get submission workload composition
Returns workload-level contributions included in a metering submission window, including the physical usage factors used to compute the submitted amount.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
Workload-level billing composition for one submission.
Get async operation status
Returns the current status and results of a long-running operation, such as cluster provisioning or infrastructure deployment. Poll this endpoint to track progress.
Authorizations
API token sent in the Authorization header. Most tokens use the Bearer scheme. For organizations with the requireDpop setting enabled, access tokens are sender-constrained per RFC 9449: the token MUST be presented as "Authorization: DPoP
Responses
Operation status and results.