Apex

API Overview

Apex exposes a REST API for tracking events, managing experiments, resolving identities, and querying analytics. All endpoints are relative to your Apex instance base URL.

Base URL

https://your-apex-instance.com

For local development, use http://localhost:3000.

Authentication

Apex supports two authentication methods depending on context.

Dashboard requests use an apex_session cookie containing a signed JWT. This is set automatically after sign-in and sent with every browser request.

API Key

For server-to-server or SDK calls, pass your project API key via header:

curl -H "x-api-key: apex_key_abc123..." https://your-instance.com/api/goals

Or using the Authorization header:

curl -H "Authorization: Bearer apex_key_abc123..." https://your-instance.com/api/goals

Info

Public endpoints — /api/events, /api/experiments/active, and /api/apex-js — do not require authentication.

Error Format

All error responses follow a consistent JSON structure:

{
  "error": "Human-readable error message",
  "code": "VALIDATION_ERROR",
  "status": 400
}

Common status codes:

Status  Meaning
400     Bad request — missing or invalid parameters
401     Unauthorized — missing or invalid credentials
403     Forbidden — valid credentials but insufficient permissions
404     Resource not found
429     Rate limit exceeded
500     Internal server error

Rate Limiting

API requests are rate-limited per project key. When you exceed the limit, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait.

Endpoint group                        Limit
Event ingestion (/api/events)         1000 req/min
Read endpoints (GET)                  200 req/min
Write endpoints (POST/PATCH/DELETE)   100 req/min

Tip

Batch events using the SDK payload format to stay well within rate limits. A single batch request counts as one request regardless of how many events it contains.

Content Type

All request and response bodies use application/json. Set the Content-Type header on POST, PATCH, and DELETE requests.
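
The API-key header, error format, Retry-After handling and Content-Type rule described above, combined in one server-side client helper. This is an added example, not Apex SDK code: the function names, the 60-second cap on Retry-After, the exponential fallback when the header is missing, and the key character check are all assumptions.

```javascript
// Added example; function names and MAX_WAIT_S are assumptions, not Apex SDK code.
const MAX_WAIT_S = 60; // assumed ceiling so a bad Retry-After cannot stall the caller

function apexHeaders(apiKey, hasBody) {
  // Reject empty keys and whitespace/control characters (header injection).
  if (typeof apiKey !== "string" || !/^[\x21-\x7e]+$/.test(apiKey)) {
    throw new Error("invalid API key"); // never echo the key into logs or errors
  }
  const headers = { "x-api-key": apiKey };
  if (hasBody) headers["Content-Type"] = "application/json";
  return headers;
}

// Milliseconds to wait before retrying, or null when the status is not 429.
function retryDelayMs(status, retryAfter, attempt) {
  if (status !== 429) return null;
  // Retry-After is documented as seconds; fall back to 1s, 2s, 4s... if absent.
  const secs = /^\d+$/.test(String(retryAfter).trim()) ? Number(retryAfter) : 2 ** attempt;
  return Math.min(secs, MAX_WAIT_S) * 1000;
}

// Map an error response onto the documented { error, code, status } shape.
function toApexError(status, bodyText) {
  let parsed = null;
  try { parsed = JSON.parse(bodyText); } catch (_) { /* non-JSON body, e.g. from a proxy */ }
  const ok = parsed !== null && typeof parsed === "object";
  const err = new Error(ok && typeof parsed.error === "string" ? parsed.error : "HTTP " + status);
  err.code = ok && typeof parsed.code === "string" ? parsed.code : "UNKNOWN";
  err.status = status; // use the HTTP status line rather than the body's copy
  return err;
}

// Authenticated request that waits out 429 responses, up to maxAttempts tries.
async function apexRequest(baseUrl, path, apiKey, opts = {}) {
  const { method = "GET", body, maxAttempts = 3, fetchImpl = fetch } = opts;
  const init = { method, headers: apexHeaders(apiKey, method !== "GET") };
  if (body !== undefined) init.body = JSON.stringify(body);
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(new URL(path, baseUrl), init);
    if (res.ok) return res.json();
    const wait = retryDelayMs(res.status, res.headers.get("retry-after"), attempt);
    if (wait === null || attempt + 1 >= maxAttempts) throw toApexError(res.status, await res.text());
    await new Promise((resolve) => setTimeout(resolve, wait));
  }
}
```

Load the key from an environment variable or secret store on the server, for example `apexRequest("http://localhost:3000", "/api/goals", process.env.APEX_API_KEY)`, where the variable name is an assumption.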
