Sessions
Sessions group events from a single agent execution. They are created implicitly on first event ingestion.
/v1/sessionsList sessions for the authenticated tenant, ordered by most recently active first.
Query parameters:
| Param | Type | Default | Description |
|---|---|---|---|
limit | number | 20 | Results per page (1–100) |
cursor | string | — | Opaque pagination cursor from nextCursor |
include | string | — | Comma-separated: risk, policy |
agentId | string | — | Filter by agent identifier (exact match) |
from | ISO 8601 | — | Sessions active at or after this time |
to | ISO 8601 | — | Sessions active at or before this time |
search | string | — | Partial session ID match (case-insensitive) |
With ?include=risk, each session includes a riskSummary:
{
"sessionId": "session-001",
"riskSummary": { "score": 62, "severity": "medium" }
}With ?include=policy, each session includes a policyDecision:
{
"sessionId": "session-001",
"policyDecision": "allowed"
}Possible values: allowed, requires_review, violates_policy, no_policy.
/v1/sessions/:sessionIdGet full session detail with all events ordered by sourceTimestamp.
Returns the session metadata and the complete event timeline. Returns 404 if the session does not exist under the authenticated tenant. Sessions belonging to other tenants also return 404 — existence is never confirmed across tenants.
/v1/sessions/:sessionId/riskCompute the risk score for a session.
Returns a risk assessment with an overall score (0–100), severity level, 10 OWASP-aligned dimension scores, explainable factors, and actionable recommendations.
/v1/sessions/:sessionId/export.jsonExport session as JSON with integrity hash.
Returns the full event stream as a JSON document with a SHA-256 integrity hash for verification.