Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.igrisecurity.com/llms.txt

Use this file to discover all available pages before exploring further.

Real-Time Events

Igris provides a Server-Sent Events (SSE) endpoint that streams real-time events to connected clients. The dashboard uses this for live updates, and you can connect your own clients for monitoring and alerting.

SSE Endpoint

GET /api/v1/events
Authentication: Session cookie or API key required. Scoping: Events are scoped to the authenticated user’s active organization. You only receive events for servers belonging to your org.

Connecting

Browser (EventSource)

const eventSource = new EventSource(
  "https://your-igris.fly.dev/api/v1/events",
  { withCredentials: true } // sends session cookie
);

eventSource.addEventListener("tool_call", (event) => {
  const data = JSON.parse(event.data);
  console.log("Tool call:", data.toolName, data.action);
});

eventSource.addEventListener("anomaly", (event) => {
  const data = JSON.parse(event.data);
  console.log("Anomaly detected:", data.anomalyType);
});

curl

curl -N -H "Authorization: Bearer ig_abc123..." \
  https://your-igris.fly.dev/api/v1/events

Event Types

tool_call

Emitted when a tool call is processed by the proxy. 
{
  "type": "tool_call",
  "serverId": "db-production",
  "sessionId": "sess_abc123",
  "toolName": "read_users",
  "action": "allow",
  "latencyMs": 12,
  "timestamp": "2026-03-19T10:30:00.000Z"
}

anomaly

Emitted when anomaly detection triggers an alert. 
{
  "type": "anomaly",
  "serverId": "db-production",
  "anomalyType": "rate_spike",
  "toolName": "query_records",
  "currentRate": 150,
  "threshold": 45,
  "timestamp": "2026-03-19T10:30:05.000Z"
}

session_update

Emitted when a session is created, suspended, or resumed. 
{
  "type": "session_update",
  "sessionId": "sess_abc123",
  "status": "suspended",
  "timestamp": "2026-03-19T10:30:10.000Z"
}

Infrastructure

SSE events are broadcast via Upstash Redis pub/sub. When the API server writes an audit event, it simultaneously publishes to a Redis channel scoped to the organization. All SSE connections subscribed to that org’s channel receive the event. This architecture supports multiple API server instances — events published on one instance are received by clients connected to any instance.