API Reference

Mallard Metrics exposes a JSON HTTP API. All endpoints are served by the same process as the dashboard.

Base URL

http://your-instance.com

Most /api/stats/* and /api/keys/* endpoints require authentication. Provide one of:

Session cookie — Set after POST /api/auth/login. Sent automatically by browsers.
Bearer token — An API key in the Authorization: Bearer mm_... header.
X-API-Key header — An API key in the X-API-Key: mm_... header.

Endpoints that do not require authentication:

POST /api/event — Event ingestion (uses Origin allowlist instead).
GET /api/event — Pixel tracking (same parameters as POST via query string; returns 1×1 GIF).
POST /api/auth/login, POST /api/auth/setup, GET /api/auth/status, POST /api/auth/logout
GET /health, GET /health/ready, GET /health/detailed
GET /metrics — optionally protected by MALLARD_METRICS_TOKEN bearer token.
GET /robots.txt, GET /.well-known/security.txt
GET / (dashboard)

All request bodies are application/json. All responses are application/json unless otherwise noted.

Errors are returned as JSON objects:

{
  "error": "human-readable description"
}

Code	Meaning
200	Success
202	Event accepted (ingestion only)
400	Bad request — missing or invalid parameters
401	Unauthenticated — no valid session or API key
403	Forbidden — origin not in allowlist, or CSRF check failed
404	Not found
408	Request timeout (30-second server-side limit)
409	Conflict — resource already exists (e.g. password already set)
413	Request body too large (limit: 64 KB on ingestion routes)
422	Unprocessable — JSON validation failed
429	Rate limited or concurrent query limit — includes `Retry-After` header
503	Service unavailable — database not ready
500	Internal server error

Event Ingestion — POST /api/event, GET /api/event
Analytics Stats — GET /api/stats/*
Authentication — POST /api/auth/*, GET /api/keys/*, POST /api/keys, DELETE /api/keys/*
Health & Metrics — GET /health, GET /health/ready, GET /health/detailed, GET /metrics