> For the complete documentation index, see [llms.txt](https://docs.millimetric.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.millimetric.ai/api-reference/overview.md).

# Overview

## Base URL

| Environment | URL                                                   |
| ----------- | ----------------------------------------------------- |
| Local dev   | `http://localhost:8787`                               |
| Production  | `https://api.millimetric.ai` (your Worker deployment) |

All endpoints are versioned under `/v1/*`.

## Authentication

```http
Authorization: Bearer {kind}_{env}_{prefix}_{secret}
```

The Worker resolves the prefix to a project + scope (see [API keys](/core-concepts/api-keys.md)). If the key is `pk_*`, the request must also include an `Origin:` header from the project's allowlist.

## Content type

All ingest and admin endpoints accept `application/json`. Read endpoints accept query string parameters and return JSON.

```http
Content-Type: application/json
```

## Errors

All errors are returned as JSON with a stable `error` code field:

```json
{ "error": "invalid_payload", "details": {...} }
```

| Status | `error`                      | Meaning                                                       |
| ------ | ---------------------------- | ------------------------------------------------------------- |
| 400    | `invalid_payload`            | Body failed Zod validation. `details` is the flattened error. |
| 400    | `invalid_params`             | Query string failed validation.                               |
| 400    | `invalid_group_by`           | Unknown column passed to `/v1/stats?group_by=`.               |
| 401    | `missing_bearer_token`       | No `Authorization` header.                                    |
| 401    | `malformed_api_key`          | Key doesn't match \`(pk                                       |
| 401    | `invalid_api_key`            | No matching key in the database.                              |
| 401    | `key_kind_mismatch`          | Stored key has a different kind than the prefix claims.       |
| 401    | `invalid_session`            | Admin endpoint: user JWT failed Supabase validation.          |
| 403    | `origin_not_allowed`         | `pk_*` key from an origin not in the project's allowlist.     |
| 403    | `insufficient_scope`         | Key scope doesn't cover this endpoint.                        |
| 403    | `forget_requires_secret_key` | `/v1/forget` called with a `pk_*` key.                        |
| 429    | `rate_limited`               | Token bucket exhausted. `Retry-After` header included.        |
| 500    | `internal_error`             | Unhandled server error. Worker logs have the trace.           |

## Rate limits

Per project, per route, via in-memory token bucket:

| Endpoint         | Refill rate | Burst capacity |
| ---------------- | ----------- | -------------- |
| `POST /v1/track` | 50/sec      | 200            |
| `POST /v1/batch` | 5/sec       | 20             |

Exceed → `429 rate_limited` with `Retry-After: <seconds>`.

(Buckets are per-Worker-instance today. For production-scale fairness, swap to a Durable Object — see `apps/api/src/auth/rateLimit.ts`.)

## CORS

Permissive on `/v1/*` and `/admin/*`. The actual authorization happens via `Authorization` + the project's origin allowlist for `pk_*` keys, not via a CORS allowlist.

## Idempotency

Pass an `event_id` on `/v1/track` or per-event in `/v1/batch`:

```json
{ "event": "signup", "event_id": "evt_abc123", ... }
```

If you send the same `event_id` twice the second call still inserts a row (we don't deduplicate at the database). Use this when *you* want a stable identifier for joining with your own systems — true server-side deduplication is on the roadmap.

## Versioning

`/v1/*` is stable. Breaking changes will appear under `/v2/*`. Additive changes (new fields on existing endpoints, new endpoints) happen in place.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.millimetric.ai/api-reference/overview.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.