REST APIs
Kavach exposes a versioned FastAPI REST control plane for operational integrations. The REST layer is transport-only: routers use request/response DTOs, mapper classes, and API service facades.
Overview
Base path: /api/v1. Documentation endpoints are available at /openapi.json, /docs, and /redoc.
Tenant Context
Tenant-scoped requests send X-Kavach-Organization-Id, X-Kavach-Project-Id, X-Request-Id, and optionally X-Correlation-Id. X-Kavach-Actor-Id is accepted only with the development identity provider. Organization administration is available under /api/v1/organizations; the resolved scope, roles, and permissions are returned by /api/v1/context.
Health and Metadata
GET /healthGET /readyGET /api/v1
Registry APIs
GET /api/v1/providers/{provider_name}GET /api/v1/prompts/{prompt_name}GET /api/v1/models/{model_id}GET /api/v1/datasets/{dataset_id}
Evaluation APIs
POST /api/v1/evaluationsPOST /api/v1/evaluations/jobsGET /api/v1/evaluations/{evaluation_id}GET /api/v1/evaluations/history/{execution_id}GET /api/v1/evaluations/latest/{execution_id}
Experiment APIs
POST /api/v1/experimentsGET /api/v1/experimentsGET /api/v1/experiments/{experiment_id}POST /api/v1/experiments/{experiment_id}/candidatesPOST /api/v1/experiments/{experiment_id}/runGET /api/v1/experiments/{experiment_id}/leaderboard
Experiment insight endpoints:
GET /api/v1/experiments/{experiment_id}/insightsGET /api/v1/experiments/{experiment_id}/candidates/{candidate_id}/insightsGET /api/v1/experiments/{experiment_id}/comparative-insights
Replay APIs
Replay Management reproduces a historical execution from frozen evidence; it is distinct from retrying an original execution. Source discovery is tenant-scoped and cursor-paginated. Replay creation and lifecycle actions are idempotent when clients provide a stable idempotency key.
GET /api/v1/replay-executions/searchGET /api/v1/replay-executions/{execution_id}POST /api/v1/replaysGET /api/v1/replaysGET /api/v1/replays/{replay_id}POST /api/v1/replays/{replay_id}/submitPOST /api/v1/replays/{replay_id}/evaluatePOST /api/v1/replays/{replay_id}/cancelPOST /api/v1/replays/{replay_id}/archiveGET /api/v1/replays/{replay_id}/result
See Replay Management for lifecycle, compatibility, worker, and production-search guidance.
Job APIs
POST /api/v1/jobsGET /api/v1/jobsGET /api/v1/jobs/{job_id}POST /api/v1/jobs/{job_id}/cancelPOST /api/v1/jobs/{job_id}/retryGET /api/v1/jobs/{job_id}/result
Ontology Synchronization APIs
GET /api/v1/ontology/synchronization/eventsGET /api/v1/ontology/synchronization/events/metricsGET /api/v1/ontology/synchronization/events/{event_id}POST /api/v1/ontology/synchronization/events/{event_id}/retryPOST /api/v1/ontology/synchronization/events/{event_id}/cancel
Ontology Graph Query APIs
GET /api/v1/ontology/entities/{entity_type}/{entity_id}GET /api/v1/ontology/relationships/{relationship_id}GET /api/v1/ontology/entities/{entity_type}/{entity_id}/relationshipsGET /api/v1/ontology/entities/{entity_type}/{entity_id}/neighbourhoodGET /api/v1/ontology/entities/{entity_type}/{entity_id}/upstreamGET /api/v1/ontology/entities/{entity_type}/{entity_id}/downstreamGET /api/v1/ontology/path
Governance APIs
POST /api/v1/governance/comparePOST /api/v1/governance/driftGET /api/v1/governance/reports/{evaluation_id}GET /api/v1/investigations/by-correlation/{correlation_id}GET /api/v1/investigations/by-job/{job_id}GET /api/v1/investigations/by-evaluation/{evaluation_id}GET /api/v1/investigations/by-audit/{audit_id}
Decision APIs
POST /api/v1/decisions/evaluateGET /api/v1/decisions/{decision_id}GET /api/v1/decisionsGET /api/v1/decisions/{decision_id}/evidenceGET /api/v1/decisions/{decision_id}/lineageGET /api/v1/decisions/{decision_id}/explain
Settings Control Plane
GET /api/v1/settingsGET /api/v1/settings/{key}PATCH /api/v1/settings/{key}POST /api/v1/settings/validateGET /api/v1/settings/categoriesGET /api/v1/settings/audit
Report APIs
Generate governance evidence reports as JSON or Markdown using the format query parameter:
GET /api/v1/reports/experiments/{experiment_id}GET /api/v1/reports/evaluations/{evaluation_id}GET /api/v1/reports/drift/{drift_id}GET /api/v1/reports/investigations/{correlation_id}GET /api/v1/reports/mcp-audit/{audit_id}
Error Envelope
REST errors use a common envelope:
{
"error": {
"code": "ERROR_CODE",
"message": "Human-readable message.",
"details": {}
}
}Important error codes include:
PROVIDER_NOT_FOUND,UNSUPPORTED_METRIC,EVALUATION_NOT_FOUNDEXPERIMENT_NOT_FOUND,CANDIDATE_NOT_FOUND,INVALID_EXPERIMENT_REQUESTJOB_NOT_FOUND,IDEMPOTENCY_CONFLICTDecisionNotFound,PolicyNotFound,PolicyValidationFailedEvidenceUnavailable,validation_error,internal_server_error
Boundaries
REST routers must not import repository implementations, provider adapters, or provider SDKs. They depend on API models, API mappers, and dependency-injected API service facades. Sensitive metadata keys such as API keys, tokens, passwords, secrets, and authorization values are scrubbed from REST metadata responses.
