No. 14e · Docs
API and webhooks.
Programmatic exports and event delivery. Flock & Atlas tier.
Authentication
API keys are workspace-scoped. Mint one in /settings/api-keys. Send as a bearer token:
curl https://api.swallowtail.app/v1/maps \
-H "Authorization: Bearer st_live_..."Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /v1/maps | List maps in the workspace |
| GET | /v1/maps/{id} | Map metadata + counts |
| GET | /v1/maps/{id}/export | Download formatted redirect file |
Export formats
Pass ?format=htaccess|nginx|iis|csv. Defaults to htaccess.
Webhooks
Configure delivery URLs in /settings/webhooks. Events are signed with HMAC-SHA256 over the raw request body, signature in the X-Swallowtail-Signature header.
Events
match.completed· A match job finishes. Payload includes map id, summary counts, completion timestamp.audit.completed· A ghost-URL audit finishes. Same payload shape.
Retries
Non-2xx responses retry with exponential backoff for up to 24 hours. After that the event is parked in /settings/webhooks/dlq for manual replay.
JWK rotation
Signing keys rotate every 90 days. Pin the JWK thumbprint from /.well-known/jwks.json in your verifier. Old keys remain valid for 30 days post-rotation.