# Get Device Change Events Source: https://docs.altostrat.io/api-reference/arp/devices/get-device-change-events sdx-api/spa/arp.json get /devices/{macAddress}/change-events Retrieves the change event history for a specific device. # Get Device Details Source: https://docs.altostrat.io/api-reference/arp/devices/get-device-details sdx-api/spa/arp.json get /devices/{macAddress} Retrieves details for a specific device by its MAC address. # Get Device IP History Source: https://docs.altostrat.io/api-reference/arp/devices/get-device-ip-history sdx-api/spa/arp.json get /devices/{macAddress}/ip-history Retrieves the IP address history for a specific device. # List Devices Source: https://docs.altostrat.io/api-reference/arp/devices/list-devices sdx-api/spa/arp.json get /devices Retrieves a list of network devices belonging to the authenticated customer, with filtering and pagination. # Update Device Alias Source: https://docs.altostrat.io/api-reference/arp/devices/update-device-alias sdx-api/spa/arp.json put /devices/{macAddress} Updates the alias for a specific device. # Asynchronous job execution Source: https://docs.altostrat.io/api-reference/developers/asynchronous-api/asynchronous-job-execution sdx-api/openapi.json post /api/asynchronous/{router_id} Queues a job to run scripts or config changes on the router without waiting for real-time response. # Retrieve a list of jobs for a router Source: https://docs.altostrat.io/api-reference/developers/asynchronous-api/retrieve-a-list-of-jobs-for-a-router sdx-api/openapi.json get /api/routers/{router_id}/jobs Fetch asynchronous job history or status for a specified router. # Retrieve router faults Source: https://docs.altostrat.io/api-reference/developers/health/retrieve-router-faults sdx-api/openapi.json get /api/routers/{router_id}/faults Gets the last 100 faults for the specified router, newest first. # Retrieve router metrics Source: https://docs.altostrat.io/api-reference/developers/health/retrieve-router-metrics sdx-api/openapi.json get /api/routers/{router_id}/metrics Provides uptime/downtime metrics for the past 24 hours based on heartbeats. # Create a transient port forward Source: https://docs.altostrat.io/api-reference/developers/port-forwards/create-a-transient-port-forward sdx-api/openapi.json post /api/routers/{router_id}/transient-forwarding Establish a temporary TCP forward over the management tunnel for behind-NAT access. # Delete a transient port forward Source: https://docs.altostrat.io/api-reference/developers/port-forwards/delete-a-transient-port-forward sdx-api/openapi.json delete /api/routers/{router_id}/transient-forwarding/{id} Revokes a port forward before it naturally expires. # Retrieve a specific port forward Source: https://docs.altostrat.io/api-reference/developers/port-forwards/retrieve-a-specific-port-forward sdx-api/openapi.json get /api/routers/{router_id}/transient-forwarding/{id} Returns the details for one transient port forward by ID. # Retrieve active transient port forwards Source: https://docs.altostrat.io/api-reference/developers/port-forwards/retrieve-active-transient-port-forwards sdx-api/openapi.json get /api/routers/{router_id}/transient-forwarding List all active port forwards for a given router. # Retrieve a list of routers Source: https://docs.altostrat.io/api-reference/developers/sites/retrieve-a-list-of-routers sdx-api/openapi.json get /api/routers Returns a list of MikroTik routers belonging to the team associated with the bearer token. # Retrieve OEM information Source: https://docs.altostrat.io/api-reference/developers/sites/retrieve-oem-information sdx-api/openapi.json get /api/routers/{router_id}/oem Provides manufacturer data (model, CPU, OS license, etc.) for a given router. # Retrieve router metadata Source: https://docs.altostrat.io/api-reference/developers/sites/retrieve-router-metadata sdx-api/openapi.json get /api/routers/{router_id}/metadata Gets freeform metadata (like name, timezone, banner, etc.) for a specific router. # Synchronous MikroTik command execution Source: https://docs.altostrat.io/api-reference/developers/synchronous-api/synchronous-mikrotik-command-execution sdx-api/openapi.json post /api/synchronous/{router_id} Real-time RouterOS commands for read or quick ops (not recommended for major config changes). # Adopt Device Source: https://docs.altostrat.io/api-reference/spa/async/bootstrap-&-adoption/adopt-device sdx-api/spa/mikrotik.json post /adopt/{id} Endpoint called by the device during bootstrapping to finalize adoption. It receives device information (heartbeat data), creates or finds the site record, and returns the final adoption script including the scheduler setup. Requires `Heartbeat` and `RunbookToken` middleware. Accepts `x-ros-debug` header. # Get Bootstrap Script Source: https://docs.altostrat.io/api-reference/spa/async/bootstrap-&-adoption/get-bootstrap-script sdx-api/spa/mikrotik.json get /{id} Retrieves the initial bootstrap script for a device based on a runbook token. The device fetches this script to start the adoption process. Requires a valid runbook token middleware (`RunbookToken`). Accepts `x-ros-debug` header for verbose/non-minified script. # Notify Scheduler Deletion Source: https://docs.altostrat.io/api-reference/spa/async/bootstrap-&-adoption/notify-scheduler-deletion sdx-api/spa/mikrotik.json get /notify/delete Endpoint called by a device's scheduler *after* it successfully deletes the Altostrat polling scheduler (typically when the site itself is being deleted/decommissioned). Requires `SiteAuth` and validates signature. Marks the site's deletion as fully completed. # Receive Heartbeat & Get Job Source: https://docs.altostrat.io/api-reference/spa/async/heartbeat/receive-heartbeat-&-get-job sdx-api/spa/mikrotik.json post /poll Endpoint called periodically by the managed device (via scheduler). Sends device status (heartbeat) and receives the next pending job script, if any. Requires `SiteAuth` middleware (device-specific Bearer token). # Get Customer Site IDs (Internal Lite) Source: https://docs.altostrat.io/api-reference/spa/async/internal/get-customer-site-ids-internal-lite sdx-api/spa/mikrotik.json get /site/internal/lite/{customer_id} Retrieves only the UUIDs of sites for a specific customer ID. Requires internal API token authentication. # Get Customer Sites (Internal) Source: https://docs.altostrat.io/api-reference/spa/async/internal/get-customer-sites-internal sdx-api/spa/mikrotik.json get /site/internal/{customer_id} Retrieves a list of sites for a specific customer ID. Requires internal API token authentication. # Get Online Site IDs (Internal) Source: https://docs.altostrat.io/api-reference/spa/async/internal/get-online-site-ids-internal sdx-api/spa/mikrotik.json get /site/internal/online Retrieves a list of UUIDs for all sites currently marked as having a pulse (online). Intended for internal use. # Get Site Counts for Multiple Customers (Internal) Source: https://docs.altostrat.io/api-reference/spa/async/internal/get-site-counts-for-multiple-customers-internal sdx-api/spa/mikrotik.json post /site/internal-count Retrieves the count of sites for each customer ID provided in the request body. Requires internal API token authentication. # Create Site Job Source: https://docs.altostrat.io/api-reference/spa/async/jobs/create-site-job sdx-api/spa/mikrotik.json post /site/{site}/job Creates a new job (command/script) for a specific site. Requires `job:create` permission and user ownership of the site. Uses headers for job metadata. # Delete Site Job Source: https://docs.altostrat.io/api-reference/spa/async/jobs/delete-site-job sdx-api/spa/mikrotik.json delete /site/{site}/job/{job} Deletes a *pending* job (one that has not started execution). Requires `job:delete` permission and user ownership. # Get Job Details Source: https://docs.altostrat.io/api-reference/spa/async/jobs/get-job-details sdx-api/spa/mikrotik.json get /site/{site}/job/{job} Retrieves details for a specific job associated with a site. Requires `job:view` permission and user ownership of the site/job. # List Site Jobs Source: https://docs.altostrat.io/api-reference/spa/async/jobs/list-site-jobs sdx-api/spa/mikrotik.json get /site/{site}/job Retrieves a list of jobs associated with a specific site. Requires `job:view` permission and user ownership of the site. # Update Job Status (from Device) Source: https://docs.altostrat.io/api-reference/spa/async/jobs/update-job-status-from-device sdx-api/spa/mikrotik.json get /job/{job}/update Endpoint called by the device (using a signed URL provided in the job script) to update the status of a job (busy, done, fail). Uses `ValidateSignature` and `SubstituteBindings` middleware. # Get Runbook Details Source: https://docs.altostrat.io/api-reference/spa/async/runbooks/get-runbook-details sdx-api/spa/mikrotik.json get /runbook/{id} Retrieves details for a specific Runbook, including its bootstrap command. Requires user authentication and authorization (user must own the runbook). # SFTP User Authentication Source: https://docs.altostrat.io/api-reference/spa/async/sftp-auth/sftp-user-authentication sdx-api/spa/mikrotik.json get /servers/{serverId}/users/{username}/config Called by the AWS SFTP Gateway to authenticate a user attempting to log in. Validates the provided password (cached temporarily) against the username (site UUID) and returns an IAM role and S3 policy if valid. # Delete Site Source: https://docs.altostrat.io/api-reference/spa/async/sites/delete-site sdx-api/spa/mikrotik.json delete /site/{site} Marks a site for deletion. The actual deletion and resource cleanup happen asynchronously. Requires `site:delete` permission and user ownership. Accepts `X-Force-Delete: true` header for immediate forceful deletion (use with caution). # Get Recent Sites Source: https://docs.altostrat.io/api-reference/spa/async/sites/get-recent-sites sdx-api/spa/mikrotik.json get /site/recent Retrieves a list of the 5 most recently accessed sites by the authenticated user. Requires user authentication. # Get Site Details Source: https://docs.altostrat.io/api-reference/spa/async/sites/get-site-details sdx-api/spa/mikrotik.json get /site/{site} Retrieves detailed information for a specific site. Records the access as a "recent site" for the user. Requires `site:view` permission and user ownership. # Get Site Hourly Uptime Stats Source: https://docs.altostrat.io/api-reference/spa/async/sites/get-site-hourly-uptime-stats sdx-api/spa/mikrotik.json get /site/mikrotik-stats/{site} Retrieves hourly uptime/downtime percentage statistics for the last 24 hours for a specific site. Requires user authentication and ownership. # Get Site Version Info Source: https://docs.altostrat.io/api-reference/spa/async/sites/get-site-version-info sdx-api/spa/mikrotik.json get /site-version/{site} Retrieves basic version information for a specific site. # List User's Sites Source: https://docs.altostrat.io/api-reference/spa/async/sites/list-users-sites sdx-api/spa/mikrotik.json get /site Retrieves a list of all sites associated with the authenticated user. Requires `site:view` permission. # List User's Sites (Minimal) Source: https://docs.altostrat.io/api-reference/spa/async/sites/list-users-sites-minimal sdx-api/spa/mikrotik.json get /site-minimal Retrieves a minimal list of sites (ID, name, pulse status, basic info) associated with the authenticated user. Optimized for dropdowns or quick lists. Requires `site:view` permission. # Manually Create Site (Internal/Admin) Source: https://docs.altostrat.io/api-reference/spa/async/sites/manually-create-site-internaladmin sdx-api/spa/mikrotik.json post /site/manual/create Allows manual creation of a site record, bypassing the usual adoption flow. Intended for internal tooling or administrative purposes. Requires appropriate permissions (likely admin/internal). # Update Site Details Source: https://docs.altostrat.io/api-reference/spa/async/sites/update-site-details sdx-api/spa/mikrotik.json put /site/{site} Updates mutable details of a specific site (e.g., name, address, location, timezone). Requires `site:update` permission and user ownership. # Get Country Codes and Locale Info Source: https://docs.altostrat.io/api-reference/spa/authentication/ancillary-services/get-country-codes-and-locale-info sdx-api/spa/authentication.json get /users/country-codes Returns a list of supported countries with their codes, flags, and currency information based on the user's detected IP address. # Get States/Provinces Source: https://docs.altostrat.io/api-reference/spa/authentication/ancillary-services/get-statesprovinces sdx-api/spa/authentication.json get /users/states Returns a list of states or provinces for countries that have them defined (e.g., US, CA, AU, ZA). # Get Supported Date/Time Formats Source: https://docs.altostrat.io/api-reference/spa/authentication/ancillary-services/get-supported-datetime-formats sdx-api/spa/authentication.json get /users/carbon-formats Returns lists of supported date and time formats with examples based on the user's timezone. # Get Supported Timezones Source: https://docs.altostrat.io/api-reference/spa/authentication/ancillary-services/get-supported-timezones sdx-api/spa/authentication.json get /users/timezone Returns a list of all supported timezones and timezones specific to the user's detected or profile country. # Get Timezones for a Country Source: https://docs.altostrat.io/api-reference/spa/authentication/ancillary-services/get-timezones-for-a-country sdx-api/spa/authentication.json get /users/timezone/{country} Returns a list of supported timezones for a specific country code (ISO2). # Create API Credential for Team Source: https://docs.altostrat.io/api-reference/spa/authentication/api-credentials/create-api-credential-for-team sdx-api/spa/authentication.json post /teams/{team}/api-credentials Creates a new API credential (token) for the specified team. Requires `api:create` scope. The full token is only returned on creation. # Delete API Credential Source: https://docs.altostrat.io/api-reference/spa/authentication/api-credentials/delete-api-credential sdx-api/spa/authentication.json delete /teams/{team}/api-credentials/{apiToken} Deletes/revokes an API credential. Requires `api:delete` scope. # Get API Credential Details Source: https://docs.altostrat.io/api-reference/spa/authentication/api-credentials/get-api-credential-details sdx-api/spa/authentication.json get /teams/{team}/api-credentials/{apiToken} Retrieves details for a specific API credential. Requires `api:view` scope. Does not return the secret token value. # List API Credentials for Team Source: https://docs.altostrat.io/api-reference/spa/authentication/api-credentials/list-api-credentials-for-team sdx-api/spa/authentication.json get /teams/{team}/api-credentials Retrieves all API credentials (tokens) associated with the specified team. Requires `api:view` scope. # Update API Credential Source: https://docs.altostrat.io/api-reference/spa/authentication/api-credentials/update-api-credential sdx-api/spa/authentication.json put /teams/{team}/api-credentials/{apiToken} Updates the name or expiration date of an API credential. Requires `api:update` scope. # Authenticate using API Token Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/authenticate-using-api-token sdx-api/spa/authentication.json get /.well-known/jwt Exchanges a valid Altostrat API Token (provided as Bearer token) for a short-lived JWT. # Confirm Two-Factor Authentication Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/confirm-two-factor-authentication sdx-api/spa/authentication.json post /oauth/confirm-2fa Confirms the 2FA setup using a code from the authenticator app. # Disable Two-Factor Authentication Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/disable-two-factor-authentication sdx-api/spa/authentication.json delete /oauth/2fa Disables 2FA for the authenticated user. # Enable Two-Factor Authentication Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/enable-two-factor-authentication sdx-api/spa/authentication.json post /oauth/2fa Enables 2FA for the authenticated user. Requires confirmation step. # Generate New 2FA Recovery Codes Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/generate-new-2fa-recovery-codes sdx-api/spa/authentication.json post /oauth/2fa-recovery-codes Generates and returns a new set of 2FA recovery codes, invalidating the old ones. # Get 2FA QR Code Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/get-2fa-qr-code sdx-api/spa/authentication.json get /oauth/2fa-qr-code Retrieves the SVG QR code for setting up 2FA in an authenticator app. # Get 2FA Recovery Codes Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/get-2fa-recovery-codes sdx-api/spa/authentication.json get /oauth/2fa-recovery-codes Retrieves the user's current 2FA recovery codes. # Get 2FA Secret Key Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/get-2fa-secret-key sdx-api/spa/authentication.json get /oauth/2fa-secret-key Retrieves the secret key for manually setting up 2FA. # Get Authenticated User Info (API) Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/get-authenticated-user-info-api sdx-api/spa/authentication.json get /api/user Retrieves detailed information about the currently authenticated user via API token (JWT). # Get Authenticated User Info (OAuth) Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/get-authenticated-user-info-oauth sdx-api/spa/authentication.json get /oauth/userinfo Retrieves detailed information about the currently authenticated user (standard OIDC endpoint). # Get JSON Web Key Set (JWKS) Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/get-json-web-key-set-jwks sdx-api/spa/authentication.json get /.well-known/jwks.json Returns the JSON Web Key Set used for verifying JWT signatures. # Get OpenID Connect Configuration Source: https://docs.altostrat.io/api-reference/spa/authentication/authentication-&-user-info/get-openid-connect-configuration sdx-api/spa/authentication.json get /.well-known/openid-configuration Returns the OpenID Connect discovery document containing endpoints and capabilities. # Get Billing Account Details Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--account/get-billing-account-details sdx-api/spa/authentication.json get /billing/account Retrieves the Stripe customer account details associated with the user's organization. # Update Billing Account Details Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--account/update-billing-account-details sdx-api/spa/authentication.json put /billing/account Updates the Stripe customer account details (name, email, address parts, additional invoice info). Country is immutable. Requires `billing:update` scope. # Get Invoice or Upcoming Invoice Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--invoices/get-invoice-or-upcoming-invoice sdx-api/spa/authentication.json get /billing/invoices/{id} Retrieves details for a specific past invoice (using `in_...` ID) OR the upcoming invoice for a subscription (using `sub_...` ID). Requires `billing:view` scope. # Get Next Payment Details (Upcoming Invoice) Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--invoices/get-next-payment-details-upcoming-invoice sdx-api/spa/authentication.json get /billing/next-payment Retrieves details about the next upcoming invoice for the default subscription. Requires `billing:view` scope. # List Invoices Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--invoices/list-invoices sdx-api/spa/authentication.json get /billing/invoices Retrieves a list of past invoices (including pending) for the organization. Requires `billing:view` scope. # Preview Price Change Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--invoices/preview-price-change sdx-api/spa/authentication.json get /billing/preview-price Previews the invoice changes if the subscription interval were changed. Requires `billing:view` scope. # Create Setup Intent Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--payment-methods/create-setup-intent sdx-api/spa/authentication.json post /billing/setup-intent Creates a Stripe SetupIntent to securely collect payment method details (e.g., for adding a new card). Requires `billing:update` scope. # Delete Payment Method Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--payment-methods/delete-payment-method sdx-api/spa/authentication.json delete /billing/payment-methods/{id} Deletes a saved payment method. Cannot delete the default payment method. Requires `billing:update` scope. # List Payment Methods Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--payment-methods/list-payment-methods sdx-api/spa/authentication.json get /billing/payment-methods Retrieves a list of saved payment methods (cards) for the organization's billing account. Requires `billing:view` scope. # Set Default Payment Method Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--payment-methods/set-default-payment-method sdx-api/spa/authentication.json post /billing/payment-methods Sets a previously added payment method (identified by its Stripe PM or Card ID) as the default for the organization's subscriptions. Requires `billing:update` scope. # Cancel Subscription Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--subscriptions/cancel-subscription sdx-api/spa/authentication.json delete /billing/subscriptions/{plan} Cancels the specified subscription plan immediately. Requires `billing:update` scope. Cannot cancel if active services exceed minimum/free tier. # Create or Update Subscription Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--subscriptions/create-or-update-subscription sdx-api/spa/authentication.json post /billing/subscriptions Creates a new `default` subscription or updates the quantity/interval of an existing one based on the provided plan details. Requires `billing:update` scope and a default payment method. # Get Public Pricing Information Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--subscriptions/get-public-pricing-information sdx-api/spa/authentication.json get /billing/prices Retrieves public pricing details, potentially localized based on IP address. Does not require authentication. # Get Subscription Overview Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--subscriptions/get-subscription-overview sdx-api/spa/authentication.json get /billing/subscriptions Retrieves an overview of the organization's current subscription status, usage, and pricing for different plans. Requires `billing:view` scope. # Add Tax ID Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--tax-ids/add-tax-id sdx-api/spa/authentication.json post /billing/tax Adds a Tax ID to the organization's billing account. Requires `billing:update` scope. # Delete Tax ID Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--tax-ids/delete-tax-id sdx-api/spa/authentication.json delete /billing/tax/{tax} Deletes a Tax ID from the organization's billing account. Requires `billing:update` scope. # List Supported Tax ID Types Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--tax-ids/list-supported-tax-id-types sdx-api/spa/authentication.json get /billing/tax/types Retrieves a list of supported Tax ID types with descriptions, country codes, and examples. Requires `billing:view` scope. # List Tax IDs Source: https://docs.altostrat.io/api-reference/spa/authentication/billing--tax-ids/list-tax-ids sdx-api/spa/authentication.json get /billing/tax Retrieves a list of Tax IDs associated with the organization's billing account. Requires `billing:view` scope. # Get Organization ID for Team (Internal) Source: https://docs.altostrat.io/api-reference/spa/authentication/internal-m2m/get-organization-id-for-team-internal sdx-api/spa/authentication.json get /users/m2m/org-id/{team} Internal endpoint to look up organization and owner details based on a team ID. Requires M2M authentication. # Get Team License/Seat Count (Internal) Source: https://docs.altostrat.io/api-reference/spa/authentication/internal-m2m/get-team-licenseseat-count-internal sdx-api/spa/authentication.json get /billing/internal/seat-count/{team} Internal endpoint for checking available license seats within a team context. Requires specific internal M2M Bearer token authentication. # Get User Email Details (Internal) Source: https://docs.altostrat.io/api-reference/spa/authentication/internal-m2m/get-user-email-details-internal sdx-api/spa/authentication.json get /users/m2m/notifiable/email/{user} Internal endpoint to retrieve user's email details. Requires M2M authentication. # Get User Mobile Details (Internal) Source: https://docs.altostrat.io/api-reference/spa/authentication/internal-m2m/get-user-mobile-details-internal sdx-api/spa/authentication.json get /users/m2m/notifiable/mobile/{user} Internal endpoint to retrieve user's mobile number details. Requires M2M authentication. # Record CVE Scan Charge (Internal) Source: https://docs.altostrat.io/api-reference/spa/authentication/internal-m2m/record-cve-scan-charge-internal sdx-api/spa/authentication.json post /users/m2m/charges/cve/{team} Internal endpoint to record a usage-based charge for a CVE scan against a team's organization. Requires M2M authentication. # Trigger Site Count Sync (Internal) Source: https://docs.altostrat.io/api-reference/spa/authentication/internal-m2m/trigger-site-count-sync-internal sdx-api/spa/authentication.json get /users/m2m/sync/site-count Internal endpoint to trigger a background job that syncs site counts for all organizations. Requires M2M authentication. # Update Organization Trial End Date (Internal) Source: https://docs.altostrat.io/api-reference/spa/authentication/internal-m2m/update-organization-trial-end-date-internal sdx-api/spa/authentication.json post /users/m2m/trial_ends_at/{organization} Internal endpoint to set or update the trial end date for an organization. Requires M2M authentication. # Create Team Role Source: https://docs.altostrat.io/api-reference/spa/authentication/roles-&-permissions/create-team-role sdx-api/spa/authentication.json post /team_roles Creates a new custom role specific to the current team. Requires `role:create` scope. # Delete Team Role Source: https://docs.altostrat.io/api-reference/spa/authentication/roles-&-permissions/delete-team-role sdx-api/spa/authentication.json delete /team_roles/{role} Deletes a custom role specific to the current team. Cannot delete global roles or roles currently assigned to users. Requires `role:delete` scope. # Get Role Details Source: https://docs.altostrat.io/api-reference/spa/authentication/roles-&-permissions/get-role-details sdx-api/spa/authentication.json get /team_roles/{role} Retrieves details of a specific role (global or team-specific). Requires `role:view` scope. # List Available Scopes Source: https://docs.altostrat.io/api-reference/spa/authentication/roles-&-permissions/list-available-scopes sdx-api/spa/authentication.json get /scopes Retrieves a list of all available permission scopes in the system. # List Team Roles Source: https://docs.altostrat.io/api-reference/spa/authentication/roles-&-permissions/list-team-roles sdx-api/spa/authentication.json get /team_roles Retrieves all roles available within the current team context (includes global and team-specific roles). Requires `role:view` scope. # Update Team Role Source: https://docs.altostrat.io/api-reference/spa/authentication/roles-&-permissions/update-team-role sdx-api/spa/authentication.json put /team_roles/{role} Updates a custom role specific to the current team. Cannot update global roles. Requires `role:update` scope. # Cancel Team Invitation Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/cancel-team-invitation sdx-api/spa/authentication.json delete /teams/{team}/invites/{teamInvitation} Cancels a pending team invitation. Requires `teams:invite-users` scope (or owner permission). # Create Team Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/create-team sdx-api/spa/authentication.json post /teams Creates a new team owned by the authenticated user, associated with their organization. Requires `team:create` scope (or implicitly allowed for owners). # Delete Team Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/delete-team sdx-api/spa/authentication.json delete /teams/{team} Deletes a team. Requires `team:delete` scope (or owner permission). Cannot delete personal teams or teams with active resources. # Get Invitation Details Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/get-invitation-details sdx-api/spa/authentication.json get /teams/{team}/invites/{teamInvitation} Retrieves details of a specific pending invitation. # Get Team Details Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/get-team-details sdx-api/spa/authentication.json get /teams/{team} Retrieves details for a specific team the user belongs to. # Get Team Member Details Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/get-team-member-details sdx-api/spa/authentication.json get /teams/{team}/members/{user} Retrieves the details of a specific member within a specific team, including their roles within that team. # Invite User to Team Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/invite-user-to-team sdx-api/spa/authentication.json post /teams/{team}/invites Sends an invitation email to a user to join the specified team. Requires `teams:invite-users` scope. # List Pending Team Invitations Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/list-pending-team-invitations sdx-api/spa/authentication.json get /teams/{team}/invites Retrieves a list of pending invitations for the specified team. # List Team Members Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/list-team-members sdx-api/spa/authentication.json get /teams/{team}/members Retrieves a list of users who are members of the specified team. # List User's Teams Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/list-users-teams sdx-api/spa/authentication.json get /teams Retrieves a list of all teams the authenticated user is a member of. # Remove Team Member Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/remove-team-member sdx-api/spa/authentication.json delete /teams/{team}/members/{user} Removes a specified user from the specified team. Requires `teams:remove-users` scope or owner permission. Cannot remove the team owner. # Switch Current Team Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/switch-current-team sdx-api/spa/authentication.json put /teams/{team}/switch Sets the specified team as the authenticated user's current active team context. # Update Team Source: https://docs.altostrat.io/api-reference/spa/authentication/teams/update-team sdx-api/spa/authentication.json put /teams/{team} Updates the details of a specific team. Requires `team:update` scope (or owner permission). # Create or Add User to Team Source: https://docs.altostrat.io/api-reference/spa/authentication/user-management/create-or-add-user-to-team sdx-api/spa/authentication.json post /users Creates a new user (if email doesn't exist) and adds them to the current team, or adds an existing user to the team. Requires `user:create` scope. Sends verification emails/SMS if applicable. Newly created users get a temporary password returned in the response (only on creation). # Delete User Source: https://docs.altostrat.io/api-reference/spa/authentication/user-management/delete-user sdx-api/spa/authentication.json delete /users/{user} Removes a user from the system **if** they are not the owner of any team with other members. Requires `user:delete` scope unless deleting self (which is generally disallowed if owner). # Get User Details Source: https://docs.altostrat.io/api-reference/spa/authentication/user-management/get-user-details sdx-api/spa/authentication.json get /users/{user} Retrieves details for a specific user within the current team context. Requires `user:view` scope. # List Users in Current Team Source: https://docs.altostrat.io/api-reference/spa/authentication/user-management/list-users-in-current-team sdx-api/spa/authentication.json get /users Retrieves a list of all users belonging to the authenticated user's current team. Requires `user:view` scope. # Resend Email Verification Source: https://docs.altostrat.io/api-reference/spa/authentication/user-management/resend-email-verification sdx-api/spa/authentication.json get /users/{user}/verification-notification/email Sends a new email verification link to the specified user if their email is not already verified. Rate limited. # Resend Mobile Verification Source: https://docs.altostrat.io/api-reference/spa/authentication/user-management/resend-mobile-verification sdx-api/spa/authentication.json get /users/{user}/verification-notification/mobile Sends a new mobile verification link (via SMS) to the specified user if their mobile is not already verified and is set. Rate limited. # Submit Feedback Source: https://docs.altostrat.io/api-reference/spa/authentication/user-management/submit-feedback sdx-api/spa/authentication.json post /users/feedback Submits user feedback, which creates a ticket in the helpdesk system. # Update User Details Source: https://docs.altostrat.io/api-reference/spa/authentication/user-management/update-user-details sdx-api/spa/authentication.json put /users/{user} Updates the profile information for a specific user. Requires `user:update` scope unless updating self. Updating email or mobile number will reset verification status and trigger new verification flows. Can also update user roles within the team. # List backups for a site Source: https://docs.altostrat.io/api-reference/spa/backups/site-backups/list-backups-for-a-site sdx-api/spa/backups.json get /{site}/ Retrieves an array of available RouterOS backups for the specified site. Requires `backup:view` scope. # Request a new backup for a site Source: https://docs.altostrat.io/api-reference/spa/backups/site-backups/request-a-new-backup-for-a-site sdx-api/spa/backups.json post /{site}/ Enqueues a backup request for the specified site. Requires `backup:create` scope. # Retrieve a specific backup file Source: https://docs.altostrat.io/api-reference/spa/backups/site-backups/retrieve-a-specific-backup-file sdx-api/spa/backups.json get /{site}/{file} Shows the contents of the specified backup file. By default returns JSON with parsed metadata. If header `X-Download` is set, it downloads raw data. If `x-highlight` is set, highlights syntax. If `x-view` is set, returns raw text in `text/plain`. Requires `backup:view` scope. # Retrieve subnets from latest backup Source: https://docs.altostrat.io/api-reference/spa/backups/site-backups/retrieve-subnets-from-latest-backup sdx-api/spa/backups.json get /{site}/subnets Parses the most recent backup for the specified site, returning discovered local subnets. Requires `backup:view` scope. # Show diff between two backup files Source: https://docs.altostrat.io/api-reference/spa/backups/site-backups/show-diff-between-two-backup-files sdx-api/spa/backups.json get /{site}/{from}/{to} Returns a unified diff between two backup files. By default returns the diff as `text/plain`. If `X-Download` header is set, you can download it as a file. If `x-highlight` is set, it highlights the diff in a textual format. Requires `backup:view` scope. # Assign BGP Policy to Site Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/bgp-policy/assign-bgp-policy-to-site sdx-api/spa/bgp-dns-filter.json post /bgp/{site_id} Assigns or updates the BGP/DNR policy for a specific site tunnel. Creates the tunnel record if it doesn't exist. # Create BGP Policy Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/bgp-policy/create-bgp-policy sdx-api/spa/bgp-dns-filter.json post /bgp/policy Creates a new BGP/DNR policy. # Delete BGP Policy Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/bgp-policy/delete-bgp-policy sdx-api/spa/bgp-dns-filter.json delete /bgp/policy/{policy} Deletes a BGP/DNR policy. Fails if the policy is currently attached to any sites. # Get BGP Policy Details Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/bgp-policy/get-bgp-policy-details sdx-api/spa/bgp-dns-filter.json get /bgp/policy/{policy} Retrieves details of a specific BGP/DNR policy by its UUID. # List BGP Policies Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/bgp-policy/list-bgp-policies sdx-api/spa/bgp-dns-filter.json get /bgp/policy Retrieves all BGP/DNR policies for the authenticated customer. # List BGP/DNR Lists Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/bgp-policy/list-bgpdnr-lists sdx-api/spa/bgp-dns-filter.json get /bgp/category Retrieves a list of available BGP/DNR feed lists. # Remove BGP Policy from Site Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/bgp-policy/remove-bgp-policy-from-site sdx-api/spa/bgp-dns-filter.json delete /bgp/{site_id} Removes the BGP/DNR policy assignment from a specific site tunnel. Deletes the tunnel record if no DNS policy remains. # Update BGP Policy Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/bgp-policy/update-bgp-policy sdx-api/spa/bgp-dns-filter.json put /bgp/policy/{policy} Updates an existing BGP/DNR policy. # List Categories and Top Applications Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/categories-&-applications/list-categories-and-top-applications sdx-api/spa/bgp-dns-filter.json get /category Retrieves a list of content categories, each including its top applications sorted by domain count. # List Safe Search Options Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/categories-&-applications/list-safe-search-options sdx-api/spa/bgp-dns-filter.json get /category/safe_search Retrieves a list of available safe search services and their configuration options. # Assign DNS Policy to Site Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/dns-policy/assign-dns-policy-to-site sdx-api/spa/bgp-dns-filter.json post /{site_id} Assigns or updates the DNS policy for a specific site tunnel. Creates the tunnel record if it doesn't exist. # Create DNS Policy Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/dns-policy/create-dns-policy sdx-api/spa/bgp-dns-filter.json post /policy Creates a new DNS content filtering policy. # Delete DNS Policy Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/dns-policy/delete-dns-policy sdx-api/spa/bgp-dns-filter.json delete /policy/{policy} Deletes a DNS policy. Fails if the policy is currently attached to any sites. # Get DNS Policy Details Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/dns-policy/get-dns-policy-details sdx-api/spa/bgp-dns-filter.json get /policy/{policy} Retrieves details of a specific DNS policy by its UUID. # List DNS Policies Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/dns-policy/list-dns-policies sdx-api/spa/bgp-dns-filter.json get /policy Retrieves all DNS content filtering policies for the authenticated customer. # Remove DNS Policy from Site Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/dns-policy/remove-dns-policy-from-site sdx-api/spa/bgp-dns-filter.json delete /{site_id} Removes the DNS policy assignment from a specific site tunnel. Deletes the tunnel record if no BGP policy remains. # Update DNS Policy Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/dns-policy/update-dns-policy sdx-api/spa/bgp-dns-filter.json put /policy/{policy} Updates an existing DNS content filtering policy. # Handle DNR Subscription Webhook Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/internal-hooks/handle-dnr-subscription-webhook sdx-api/spa/bgp-dns-filter.json post /subscription/dnr Endpoint to receive DNR (BGP) subscription lifecycle events (create, terminate). Requires valid signature. # Handle DNS Subscription Webhook Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/internal-hooks/handle-dns-subscription-webhook sdx-api/spa/bgp-dns-filter.json post /subscription/dns Endpoint to receive DNS subscription lifecycle events (create, terminate). Requires valid signature. # Get Application Blackhole IPs Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/ip-lists/get-application-blackhole-ips sdx-api/spa/bgp-dns-filter.json get /blackhole-ips Retrieves a list of applications and their assigned blackhole IP addresses used for DNS filtering. Requires internal API token. # Get DNR Blackhole IP Ranges Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/ip-lists/get-dnr-blackhole-ip-ranges sdx-api/spa/bgp-dns-filter.json get /dnr-blackhole-ips Retrieves a map of DNR list names to their active blackhole IP ranges (integer format). Requires internal API token. # Get Service Counts for All Customers Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels-&-sites/get-service-counts-for-all-customers sdx-api/spa/bgp-dns-filter.json get /all-customer-services Retrieves a summary count of DNS and DNR subscriptions per customer. Requires internal API token. # Get Service Details for a Customer Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels-&-sites/get-service-details-for-a-customer sdx-api/spa/bgp-dns-filter.json get /customer-services/{customer_id} Retrieves detailed service information (DNS/DNR subscriptions) for all tunnels belonging to a specific customer. Requires internal API token. # Get Tunnel/Site Details Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels-&-sites/get-tunnelsite-details sdx-api/spa/bgp-dns-filter.json get /tunnel/{site_id} Retrieves details for a specific tunnel/site by its Site ID. # List All Tunnels/Sites Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels-&-sites/list-all-tunnelssites sdx-api/spa/bgp-dns-filter.json get /tunnel Retrieves a list of all tunnels/sites associated with the authenticated customer. # List Sites with BGP/DNR Service Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels-&-sites/list-sites-with-bgpdnr-service sdx-api/spa/bgp-dns-filter.json get /bgp/service-counts Retrieves a list of site IDs for the authenticated customer that have the BGP/DNR service enabled. # List Sites with DNS Service Source: https://docs.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels-&-sites/list-sites-with-dns-service sdx-api/spa/bgp-dns-filter.json get /service-counts Retrieves a list of site IDs for the authenticated customer that have the DNS filtering service enabled. # Create a new Auth Integration Source: https://docs.altostrat.io/api-reference/spa/captive-portal/idp-integrations/create-a-new-auth-integration sdx-api/spa/captive-portal.json post /auth-integrations # Delete a specific Auth Integration Source: https://docs.altostrat.io/api-reference/spa/captive-portal/idp-integrations/delete-a-specific-auth-integration sdx-api/spa/captive-portal.json delete /auth-integrations/{auth_integration} # List all IDP Integrations Source: https://docs.altostrat.io/api-reference/spa/captive-portal/idp-integrations/list-all-idp-integrations sdx-api/spa/captive-portal.json get /auth-integrations # Partially update a specific Auth Integration Source: https://docs.altostrat.io/api-reference/spa/captive-portal/idp-integrations/partially-update-a-specific-auth-integration sdx-api/spa/captive-portal.json patch /auth-integrations/{auth_integration} # Replace a specific Auth Integration Source: https://docs.altostrat.io/api-reference/spa/captive-portal/idp-integrations/replace-a-specific-auth-integration sdx-api/spa/captive-portal.json put /auth-integrations/{auth_integration} # Retrieve a specific Auth Integration Source: https://docs.altostrat.io/api-reference/spa/captive-portal/idp-integrations/retrieve-a-specific-auth-integration sdx-api/spa/captive-portal.json get /auth-integrations/{auth_integration} # Create a new captive portal Instance Source: https://docs.altostrat.io/api-reference/spa/captive-portal/instances/create-a-new-captive-portal-instance sdx-api/spa/captive-portal.json post /instances # Delete a specific captive portal Instance Source: https://docs.altostrat.io/api-reference/spa/captive-portal/instances/delete-a-specific-captive-portal-instance sdx-api/spa/captive-portal.json delete /instances/{instance} # List all captive portal Instances Source: https://docs.altostrat.io/api-reference/spa/captive-portal/instances/list-all-captive-portal-instances sdx-api/spa/captive-portal.json get /instances # Partially update a specific captive portal Instance Source: https://docs.altostrat.io/api-reference/spa/captive-portal/instances/partially-update-a-specific-captive-portal-instance sdx-api/spa/captive-portal.json patch /instances/{instance} # Replace a specific captive portal Instance Source: https://docs.altostrat.io/api-reference/spa/captive-portal/instances/replace-a-specific-captive-portal-instance sdx-api/spa/captive-portal.json put /instances/{instance} # Retrieve a specific captive portal Instance Source: https://docs.altostrat.io/api-reference/spa/captive-portal/instances/retrieve-a-specific-captive-portal-instance sdx-api/spa/captive-portal.json get /instances/{instance} # Upload an image (logo or icon) for a specific Instance Source: https://docs.altostrat.io/api-reference/spa/captive-portal/instances/upload-an-image-logo-or-icon-for-a-specific-instance sdx-api/spa/captive-portal.json post /instances/{instance}/images/{type} # Create a new walled garden entry for a site Source: https://docs.altostrat.io/api-reference/spa/captive-portal/walled-garden/create-a-new-walled-garden-entry-for-a-site sdx-api/spa/captive-portal.json post /walled-garden/{site} # Delete a specific walled garden entry under a site Source: https://docs.altostrat.io/api-reference/spa/captive-portal/walled-garden/delete-a-specific-walled-garden-entry-under-a-site sdx-api/spa/captive-portal.json delete /walled-garden/{site}/{walledGarden} # List all walled garden entries for a specific site Source: https://docs.altostrat.io/api-reference/spa/captive-portal/walled-garden/list-all-walled-garden-entries-for-a-specific-site sdx-api/spa/captive-portal.json get /walled-garden/{site} # Partially update a specific walled garden entry under a site Source: https://docs.altostrat.io/api-reference/spa/captive-portal/walled-garden/partially-update-a-specific-walled-garden-entry-under-a-site sdx-api/spa/captive-portal.json patch /walled-garden/{site}/{walledGarden} # Replace a specific walled garden entry under a site Source: https://docs.altostrat.io/api-reference/spa/captive-portal/walled-garden/replace-a-specific-walled-garden-entry-under-a-site sdx-api/spa/captive-portal.json put /walled-garden/{site}/{walledGarden} # Retrieve a specific walled garden entry under a site Source: https://docs.altostrat.io/api-reference/spa/captive-portal/walled-garden/retrieve-a-specific-walled-garden-entry-under-a-site sdx-api/spa/captive-portal.json get /walled-garden/{site}/{walledGarden} # Server check-in for a site Source: https://docs.altostrat.io/api-reference/spa/cpf/checkin/server-check-in-for-a-site sdx-api/spa/control-plane.json post /site-checkin Called by a server to claim or update itself as the active server for a particular site (via the tunnel username). # Create (rotate) new credentials Source: https://docs.altostrat.io/api-reference/spa/cpf/credentials/create-rotate-new-credentials sdx-api/spa/control-plane.json post /{site}/credentials Generates a new username/password pair for the site, deletes any older credentials. Requires `apicredentials:create` scope. # List site API credentials Source: https://docs.altostrat.io/api-reference/spa/cpf/credentials/list-site-api-credentials sdx-api/spa/control-plane.json get /{site}/credentials Returns the API credentials used to connect to a site. Requires `apicredentials:view` scope. # (Internal) Fetch management IPs for multiple sites Source: https://docs.altostrat.io/api-reference/spa/cpf/internal/internal-fetch-management-ips-for-multiple-sites sdx-api/spa/control-plane.json post /internal/management-ips Given an array of site IDs, returns a map of site_id => management IP (tunnel IP). # (Internal) Get site credentials Source: https://docs.altostrat.io/api-reference/spa/cpf/internal/internal-get-site-credentials sdx-api/spa/control-plane.json get /{site}/internal-credentials Returns the latest credentials for the specified site, typically used by internal services. Not user-facing. # Assign sites to a policy Source: https://docs.altostrat.io/api-reference/spa/cpf/policies/assign-sites-to-a-policy sdx-api/spa/control-plane.json post /policies/{id}/sites Sets or moves multiple site IDs onto the given policy. Requires `cpf:create` or `cpf:update` scope. # Create a policy Source: https://docs.altostrat.io/api-reference/spa/cpf/policies/create-a-policy sdx-api/spa/control-plane.json post /policies Creates a new policy for the authenticated user. Requires `cpf:create` scope. # Delete a policy Source: https://docs.altostrat.io/api-reference/spa/cpf/policies/delete-a-policy sdx-api/spa/control-plane.json delete /policies/{id} Removes a policy if it is not the default policy. Sites that used this policy get moved to the default policy. Requires `cpf:delete` scope. # List policies Source: https://docs.altostrat.io/api-reference/spa/cpf/policies/list-policies sdx-api/spa/control-plane.json get /policies Retrieves all policies for the authenticated user. Requires `cpf:view` scope. # Show a single policy Source: https://docs.altostrat.io/api-reference/spa/cpf/policies/show-a-single-policy sdx-api/spa/control-plane.json get /policies/{id} Retrieves details of the specified policy, including related sites. Requires `cpf:view` scope. # Update a policy Source: https://docs.altostrat.io/api-reference/spa/cpf/policies/update-a-policy sdx-api/spa/control-plane.json put /policies/{id} Update the specified policy. Sites not in the request may revert to a default policy. Requires `cpf:update` scope. # Validate a policy Source: https://docs.altostrat.io/api-reference/spa/cpf/policies/validate-a-policy sdx-api/spa/control-plane.json get /policy-validate/{policy} Check basic policy details to ensure it's valid. # Execute commands on a site (internal sync) Source: https://docs.altostrat.io/api-reference/spa/cpf/router-commands/execute-commands-on-a-site-internal-sync sdx-api/spa/control-plane.json post /{site}/sync/execute Sends an execution script or command to the management server for the site. Similar to /sync but specifically for custom script execution. # Print or run commands on a site (internal sync) Source: https://docs.altostrat.io/api-reference/spa/cpf/router-commands/print-or-run-commands-on-a-site-internal-sync sdx-api/spa/control-plane.json post /{site}/sync Send an API command to the management server to print or list resources on the router, or run a custom command. # Re-send bootstrap scheduler script Source: https://docs.altostrat.io/api-reference/spa/cpf/scheduler/re-send-bootstrap-scheduler-script sdx-api/spa/control-plane.json post /{site}/resend-scheduler Forces re-sending of a scheduled script or runbook to the router. Often used if the script fails to be applied the first time. # Check the management server assigned to a site Source: https://docs.altostrat.io/api-reference/spa/cpf/sites/check-the-management-server-assigned-to-a-site sdx-api/spa/control-plane.json get /{site}/management-server Returns the IP/hostname of the server currently managing the site. Requires authentication. # Create a new Site Source: https://docs.altostrat.io/api-reference/spa/cpf/sites/create-a-new-site sdx-api/spa/control-plane.json post /site/create Creates a new site resource with the specified ID, policy, and other information. # Create site for migration Source: https://docs.altostrat.io/api-reference/spa/cpf/sites/create-site-for-migration sdx-api/spa/control-plane.json post /site/create-for-migration Creates a Site for system migrations, then runs additional background jobs (tunnel assignment, credentials creation, policy update). # List all site IDs Source: https://docs.altostrat.io/api-reference/spa/cpf/sites/list-all-site-ids sdx-api/spa/control-plane.json get /site_ids Returns minimal site data for every site in the system (ID and tunnel IP). # List site IDs by Customer Source: https://docs.altostrat.io/api-reference/spa/cpf/sites/list-site-ids-by-customer sdx-api/spa/control-plane.json get /site_ids/{customerid} Returns a minimal array of sites for a given customer, including the assigned tunnel IP if available. # Perform a site action Source: https://docs.altostrat.io/api-reference/spa/cpf/sites/perform-a-site-action sdx-api/spa/control-plane.json post /{site}/action Sends an SNS-based request to the router for various special actions (reboot, clear firewall, etc.). # Retrieve site note Source: https://docs.altostrat.io/api-reference/spa/cpf/sites/retrieve-site-note sdx-api/spa/control-plane.json get /{site}/note Fetch current note from an external metadata microservice. Requires authentication and site ownership. # Set site note Source: https://docs.altostrat.io/api-reference/spa/cpf/sites/set-site-note sdx-api/spa/control-plane.json post /{site}/note Update or create site metadata with a 'note' field, stored in an external metadata microservice. # Create a transient access for a site Source: https://docs.altostrat.io/api-reference/spa/cpf/transient-access/create-a-transient-access-for-a-site sdx-api/spa/control-plane.json post /{site}/transient-accesses Generates a temporary NAT access to Winbox/SSH. Requires `transientaccess:create` scope. # List active transient accesses for a site Source: https://docs.altostrat.io/api-reference/spa/cpf/transient-access/list-active-transient-accesses-for-a-site sdx-api/spa/control-plane.json get /{site}/transient-accesses Returns all unexpired, unrevoked transient access records for the site. Requires `transientaccess:view` scope. # Revoke a transient access Source: https://docs.altostrat.io/api-reference/spa/cpf/transient-access/revoke-a-transient-access sdx-api/spa/control-plane.json delete /{site}/transient-accesses/{id} Marks it as expired/revoked and triggers config removal. Requires `transientaccess:delete` scope. # Show one transient access Source: https://docs.altostrat.io/api-reference/spa/cpf/transient-access/show-one-transient-access sdx-api/spa/control-plane.json get /{site}/transient-accesses/{id} Returns a single transient access record. Requires `transientaccess:view` scope. # Create a transient port-forward Source: https://docs.altostrat.io/api-reference/spa/cpf/transient-forward/create-a-transient-port-forward sdx-api/spa/control-plane.json post /{site}/transient-forward Creates a short-lived NAT forwarding rule to a destination IP/port behind the router. # List site transient port forwards Source: https://docs.altostrat.io/api-reference/spa/cpf/transient-forward/list-site-transient-port-forwards sdx-api/spa/control-plane.json get /{site}/transient-forward Returns all active NAT port-forwards for a site. Not access-limited, but presumably requires a certain scope. # Revoke a transient port-forward Source: https://docs.altostrat.io/api-reference/spa/cpf/transient-forward/revoke-a-transient-port-forward sdx-api/spa/control-plane.json delete /{site}/transient-forward/{id} Marks the port-forward as expired and removes the NAT rule from the management server. # Show one transient port-forward Source: https://docs.altostrat.io/api-reference/spa/cpf/transient-forward/show-one-transient-port-forward sdx-api/spa/control-plane.json get /{site}/transient-forward/{id} Returns details about a specific transient port-forward rule by ID. # Get CVE Mitigation Steps Source: https://docs.altostrat.io/api-reference/spa/cve/cve-management/get-cve-mitigation-steps sdx-api/spa/cve-scans.json get /mitigation/{cve_id} Retrieves AI-generated, OS-agnostic manual mitigation steps for a specified CVE ID. Requires `cve:view` scope. # Get CVEs by MAC Address Source: https://docs.altostrat.io/api-reference/spa/cve/cve-management/get-cves-by-mac-address sdx-api/spa/cve-scans.json get /mac-address/cves Retrieves all CVEs associated with a specific MAC address across all scans for the customer. Throttled (600 req/min). Requires `cve:view` scope. # List CVE Status Overrides Source: https://docs.altostrat.io/api-reference/spa/cve/cve-management/list-cve-status-overrides sdx-api/spa/cve-scans.json get /mac-address/cve/status Retrieves a list of manually set CVE statuses (accepted/mitigated) for MAC addresses, optionally filtered by MAC, CVE ID, or status. Requires `cve:view` scope. # List MAC Addresses with CVEs Source: https://docs.altostrat.io/api-reference/spa/cve/cve-management/list-mac-addresses-with-cves sdx-api/spa/cve-scans.json get /mac-address/cve/list Retrieves a list of unique MAC addresses that have associated CVEs for the authenticated customer, along with summary statistics. Throttled (600 req/min). Requires `cve:view` scope. # Set CVE Status Override Source: https://docs.altostrat.io/api-reference/spa/cve/cve-management/set-cve-status-override sdx-api/spa/cve-scans.json post /mac-address/cve/status Creates a new status record (accepted or mitigated) for a specific CVE on a specific MAC address. Status expires automatically after 5 minutes. Requires `cve:update` scope. # Scan Multiple IPs via Schedule Context Source: https://docs.altostrat.io/api-reference/spa/cve/on-demand-scans/scan-multiple-ips-via-schedule-context sdx-api/spa/cve-scans.json post /scan/multiple-ips Initiates an immediate scan for a list of specific IP addresses, using the context (credentials, settings) of an existing scan schedule and site. Requires authentication. # Scan Single IP via Schedule Context Source: https://docs.altostrat.io/api-reference/spa/cve/on-demand-scans/scan-single-ip-via-schedule-context sdx-api/spa/cve-scans.json post /scheduled/single-ip Initiates an immediate scan for a single IP address, using the context (credentials, settings) of an existing scan schedule. Requires authentication. # Get Scan Result Details Source: https://docs.altostrat.io/api-reference/spa/cve/scan-results/get-scan-result-details sdx-api/spa/cve-scans.json get /{scan_id} Retrieves the detailed summary for a specific scan result instance by its UUID. Requires `cve:view` scope. # List Scan Results Source: https://docs.altostrat.io/api-reference/spa/cve/scan-results/list-scan-results sdx-api/spa/cve-scans.json get / Retrieves a list of completed scan results/reports for the authenticated customer, sorted by date (newest first). Requires `cve:view` scope. Reports are generated asynchronously after scans complete. # Create Scan Schedule Source: https://docs.altostrat.io/api-reference/spa/cve/scan-schedules/create-scan-schedule sdx-api/spa/cve-scans.json post /scheduled Creates a new CVE scan schedule. Requires `cve:create` scope. # Delete Scan Schedule Source: https://docs.altostrat.io/api-reference/spa/cve/scan-schedules/delete-scan-schedule sdx-api/spa/cve-scans.json delete /scheduled/{scanSchedule} Deletes a scan schedule. Fails if the schedule has running scans. Requires `cve:delete` scope. # Get Latest Scan Status for Schedule Source: https://docs.altostrat.io/api-reference/spa/cve/scan-schedules/get-latest-scan-status-for-schedule sdx-api/spa/cve-scans.json get /{scanSchedule}/status Retrieves the status (targets, scanned, failed sites) of the most recent scan run associated with a schedule. Requires authentication. # Get Scan Schedule Details Source: https://docs.altostrat.io/api-reference/spa/cve/scan-schedules/get-scan-schedule-details sdx-api/spa/cve-scans.json get /scheduled/{scanSchedule} Retrieves the details of a specific scan schedule by its UUID. Requires `cve:view` scope. # List Scan Schedules Source: https://docs.altostrat.io/api-reference/spa/cve/scan-schedules/list-scan-schedules sdx-api/spa/cve-scans.json get /scheduled Retrieves all CVE scan schedules configured for the authenticated customer. Requires `cve:view` scope. # Start Scheduled Scan Manually Source: https://docs.altostrat.io/api-reference/spa/cve/scan-schedules/start-scheduled-scan-manually sdx-api/spa/cve-scans.json get /scheduled/{scanSchedule}/invoke Initiates an immediate run of the specified scan schedule. Rate limited to prevent rapid restarts. Requires authorization to access the schedule. # Stop Running Scheduled Scan Source: https://docs.altostrat.io/api-reference/spa/cve/scan-schedules/stop-running-scheduled-scan sdx-api/spa/cve-scans.json delete /scheduled/{scanSchedule}/invoke Requests the termination of any currently running scan instances associated with the specified schedule. Requires authorization to access the schedule. # Update Scan Schedule Source: https://docs.altostrat.io/api-reference/spa/cve/scan-schedules/update-scan-schedule sdx-api/spa/cve-scans.json put /scheduled/{scanSchedule} Updates an existing scan schedule. Requires `cve:update` scope. # Assign a new IP address Source: https://docs.altostrat.io/api-reference/spa/elastic-ip/ip-addresses-l2tp/assign-a-new-ip-address sdx-api/spa/elastic-ip.json post /l2tp Assigns a specific, available IP address from a given subnet to the customer and sets up associated RADIUS credentials. # Get IP address details Source: https://docs.altostrat.io/api-reference/spa/elastic-ip/ip-addresses-l2tp/get-ip-address-details sdx-api/spa/elastic-ip.json get /l2tp/{ip} Retrieves the details of a specific assigned IP address, including RADIUS credentials and last connection info. # List assigned IP addresses Source: https://docs.altostrat.io/api-reference/spa/elastic-ip/ip-addresses-l2tp/list-assigned-ip-addresses sdx-api/spa/elastic-ip.json get /l2tp Retrieves a list of all L2TP IP addresses assigned to the authenticated customer/user. # Release an IP address Source: https://docs.altostrat.io/api-reference/spa/elastic-ip/ip-addresses-l2tp/release-an-ip-address sdx-api/spa/elastic-ip.json delete /l2tp/{ip} Releases an assigned IP address, removing it from the customer's account and deleting associated RADIUS credentials and accounting data. # Reset RADIUS password Source: https://docs.altostrat.io/api-reference/spa/elastic-ip/ip-addresses-l2tp/reset-radius-password sdx-api/spa/elastic-ip.json get /l2tp/{l2tp}/new-password Resets the RADIUS password for the username associated with the specified IP address assignment. # Update IP address PTR record Source: https://docs.altostrat.io/api-reference/spa/elastic-ip/ip-addresses-l2tp/update-ip-address-ptr-record sdx-api/spa/elastic-ip.json put /l2tp/{ip} Updates the Pointer (PTR) record (Reverse DNS) for the specified IP address. # Get available IPs in a subnet Source: https://docs.altostrat.io/api-reference/spa/elastic-ip/subnets/get-available-ips-in-a-subnet sdx-api/spa/elastic-ip.json get /subnet/{subnet} Retrieves a list of randomly selected available IP addresses within the specified subnet. Limited to a maximum of 20 IPs. # List all managed subnets Source: https://docs.altostrat.io/api-reference/spa/elastic-ip/subnets/list-all-managed-subnets sdx-api/spa/elastic-ip.json get /subnet Retrieves a list of all subnets configured for the authenticated customer/user. # Alias for listing recent or ongoing faults Source: https://docs.altostrat.io/api-reference/spa/faults/faults/alias-for-listing-recent-or-ongoing-faults sdx-api/spa/faults.json get / Identical to `GET /recent`. **Requires** `fault:view` scope. # Generate a new short-lived fault token Source: https://docs.altostrat.io/api-reference/spa/faults/faults/generate-a-new-short-lived-fault-token sdx-api/spa/faults.json post /token Creates a token that can be used to retrieve unresolved or recently resolved faults without requiring ongoing authentication. **Requires** `fault:create` or possibly `fault:view` (depending on usage). # List all faults for a given site ID Source: https://docs.altostrat.io/api-reference/spa/faults/faults/list-all-faults-for-a-given-site-id sdx-api/spa/faults.json get /site/{site} Returns all faults recorded for a particular site. **Requires** `fault:view` scope. # List recent or ongoing faults Source: https://docs.altostrat.io/api-reference/spa/faults/faults/list-recent-or-ongoing-faults sdx-api/spa/faults.json get /recent **Requires** `fault:view` scope. Returns a paginated list of faults filtered by query parameters, typically those unresolved or resolved within the last 10 minutes if `status=recent` is used. For more flexible filtering see query parameters below. # List top 10 WAN faults in last 14 days Source: https://docs.altostrat.io/api-reference/spa/faults/faults/list-top-10-wan-faults-in-last-14-days sdx-api/spa/faults.json get /top10wan Retrieves the top 10 most active WAN tunnel (type=wantunnel) faults in the last 14 days. **Requires** `fault:view` scope. # Retrieve currently active (unresolved) faults via internal token Source: https://docs.altostrat.io/api-reference/spa/faults/faults/retrieve-currently-active-unresolved-faults-via-internal-token sdx-api/spa/faults.json post /fault/internal_active Available only via internal API token. Expects `type` in the request body (e.g. `site` or `wantunnel`) and returns all unresolved faults of that type. # Retrieve faults using short-lived token Source: https://docs.altostrat.io/api-reference/spa/faults/faults/retrieve-faults-using-short-lived-token sdx-api/spa/faults.json get /fault/token/{token} Retrieves a set of unresolved or recently resolved faults for the customer associated with the given short-lived token. No other authentication needed. **Public** endpoint, token-based. # Retrieve internal fault timeline for a site Source: https://docs.altostrat.io/api-reference/spa/faults/faults/retrieve-internal-fault-timeline-for-a-site sdx-api/spa/faults.json post /fault/internal Available only via internal API token (`internal` middleware). Typically used for analyzing fault timelines. Requires fields `start`, `end`, `type`, and `site_id` in the request body. # Filter and retrieve log events Source: https://docs.altostrat.io/api-reference/spa/logs/log-events/filter-and-retrieve-log-events sdx-api/spa/logs.json post /{log_group_name} Returns filtered log events from CloudWatch for the requested log group and streams. Requires `logs:view` scope. # Global ARP search across user’s sites Source: https://docs.altostrat.io/api-reference/spa/metrics/arp/global-arp-search-across-user’s-sites sdx-api/spa/metrics.json post /arps Search ARP data across multiple sites belonging to the current user. Requires `inventory:view` scope. # (Internal) ARP entries for a site Source: https://docs.altostrat.io/api-reference/spa/metrics/arp/internal-arp-entries-for-a-site sdx-api/spa/metrics.json get /internal/arp/{site} Returns ARP data for the site, or 204 if none exist. No Bearer token needed, presumably uses internal token. # List ARP entries for a site Source: https://docs.altostrat.io/api-reference/spa/metrics/arp/list-arp-entries-for-a-site sdx-api/spa/metrics.json post /arps/{site} Lists ARP entries for the specified site with optional pagination. Requires `inventory:view` scope. # Update an ARP entry Source: https://docs.altostrat.io/api-reference/spa/metrics/arp/update-an-arp-entry sdx-api/spa/metrics.json put /arps/{site}/{arpEntry} Allows updating group/alias for an ARP entry. Requires `inventory:update` scope. # Get BGP usage/logs from last ~2 days Source: https://docs.altostrat.io/api-reference/spa/metrics/content/get-bgp-usagelogs-from-last-~2-days sdx-api/spa/metrics.json get /bgp-report/{site} Generates a BGP usage report for the site (TCP/UDP traffic captured). Possibly uses blackhole IP analysis. Requires `site` middleware. # Get DNS usage/logs from last ~2 days Source: https://docs.altostrat.io/api-reference/spa/metrics/content/get-dns-usagelogs-from-last-~2-days sdx-api/spa/metrics.json get /dns-report/{site} Returns top categories, apps, source IPs from DNS logs. Possibly uses blackhole IP analysis. Requires `site` middleware. # Get SNMP interface metrics Source: https://docs.altostrat.io/api-reference/spa/metrics/interfaces/get-snmp-interface-metrics sdx-api/spa/metrics.json post /interfaces/{interface}/metrics Returns detailed interface metric data within a specified date range. Requires `site` and `interface` resolution plus relevant scopes. # (Internal) List site interfaces Source: https://docs.altostrat.io/api-reference/spa/metrics/interfaces/internal-list-site-interfaces sdx-api/spa/metrics.json get /internal/interfaces/{site} Same as /interfaces/{site}, but for internal use. # (Internal) Summarized interface metrics Source: https://docs.altostrat.io/api-reference/spa/metrics/interfaces/internal-summarized-interface-metrics sdx-api/spa/metrics.json post /internal/interfaces/{interface}/metrics Calculates average and max in/out in MBps or similar for the date range. Possibly used by other microservices. # List SNMP interfaces for a site Source: https://docs.altostrat.io/api-reference/spa/metrics/interfaces/list-snmp-interfaces-for-a-site sdx-api/spa/metrics.json get /interfaces/{site} Returns all known SNMP interfaces on a site. Requires `site` middleware. # Get 24h heartbeat or check-in data for a site Source: https://docs.altostrat.io/api-reference/spa/metrics/mikrotikstats/get-24h-heartbeat-or-check-in-data-for-a-site sdx-api/spa/metrics.json get /mikrotik-stats/{site} Returns info about missed heartbeats from mikrotik checkins within the last 24 hours. Requires `site` middleware. # Get last checkin time for a site Source: https://docs.altostrat.io/api-reference/spa/metrics/mikrotikstats/get-last-checkin-time-for-a-site sdx-api/spa/metrics.json get /last-seen/{site} Returns how long ago the last MikrotikStats record was inserted. Requires `site` middleware. # Get raw Mikrotik stats from the last 8 hours Source: https://docs.altostrat.io/api-reference/spa/metrics/mikrotikstats/get-raw-mikrotik-stats-from-the-last-8-hours sdx-api/spa/metrics.json get /mikrotik-stats-all/{site} Returns stats such as CPU load, memory for the last 8 hours. Requires `site` middleware. # List syslog entries for a site Source: https://docs.altostrat.io/api-reference/spa/metrics/syslog/list-syslog-entries-for-a-site sdx-api/spa/metrics.json get /syslogs/{site} Returns syslog data for a given site. Requires 'site' middleware and typically `inventory:view` scope or similar. # Get ping stats for a WAN tunnel Source: https://docs.altostrat.io/api-reference/spa/metrics/tunnels/get-ping-stats-for-a-wan-tunnel sdx-api/spa/metrics.json post /wan-tunnels/{tunnel}/ping-stats Retrieves a time-series of ping metrics for the specified WAN tunnel. Requires 'tunnel' middleware, plus date range input. # Get tunnels ordered by average jitter or packet loss Source: https://docs.altostrat.io/api-reference/spa/metrics/tunnels/get-tunnels-ordered-by-average-jitter-or-packet-loss sdx-api/spa/metrics.json get /tunnel-order Aggregates last 24h data from ping_stats and returns an array sorted by either 'mdev' or 'packet_loss'. Typically used to see worst/best tunnels. Requires user’s WAN data scope. # (Internal) List WAN Tunnels for a site Source: https://docs.altostrat.io/api-reference/spa/metrics/tunnels/internal-list-wan-tunnels-for-a-site sdx-api/spa/metrics.json get /wan-tunnels-int/{site} Similar to /wan-tunnels/{site}, but does not require Bearer. Possibly uses an internal token or no auth. Returns 200 or 204 if no tunnels found. # (Internal) Retrieve summarized ping stats for a tunnel Source: https://docs.altostrat.io/api-reference/spa/metrics/tunnels/internal-retrieve-summarized-ping-stats-for-a-tunnel sdx-api/spa/metrics.json post /wan-tunnels/{tunnel}/int-ping-stats Given a site and tunnel, returns average or max stats in the date range. Possibly used by internal microservices. # List WAN tunnels for a site Source: https://docs.altostrat.io/api-reference/spa/metrics/tunnels/list-wan-tunnels-for-a-site sdx-api/spa/metrics.json get /wan-tunnels/{site} Returns all WAN Tunnels associated with that site ID. Requires `site` middleware. # Multi-tunnel or aggregated ping stats Source: https://docs.altostrat.io/api-reference/spa/metrics/tunnels/multi-tunnel-or-aggregated-ping-stats sdx-api/spa/metrics.json post /wan/ping-stats Retrieves a chart-friendly data series for one or multiple tunnels. Possibly used by a front-end chart. This is a single endpoint returning timestamps and data arrays. Requires date range, optional tunnel list. # Create a new notification group Source: https://docs.altostrat.io/api-reference/spa/notifications/groups/create-a-new-notification-group sdx-api/spa/notifications.json post / Creates a group with name, schedule, topics, recipients, and sites. Requires `notification:create` scope. # Delete a notification group Source: https://docs.altostrat.io/api-reference/spa/notifications/groups/delete-a-notification-group sdx-api/spa/notifications.json delete /{group} Removes the group, its recipients, site relationships, and topic references. Requires `notification:delete` scope. # Example Ably webhook endpoint Source: https://docs.altostrat.io/api-reference/spa/notifications/groups/example-ably-webhook-endpoint sdx-api/spa/notifications.json get /notifications/ably/hook Used for testing. Returns request data. Does not require user scope. # List all notification groups for the customer Source: https://docs.altostrat.io/api-reference/spa/notifications/groups/list-all-notification-groups-for-the-customer sdx-api/spa/notifications.json get / Retrieves all groups belonging to the authenticated customer. Requires `notification:view` scope. # Show a specific notification group Source: https://docs.altostrat.io/api-reference/spa/notifications/groups/show-a-specific-notification-group sdx-api/spa/notifications.json get /{group} Retrieve the detail of one group by ID. Requires `notification:view` scope. # Update a notification group Source: https://docs.altostrat.io/api-reference/spa/notifications/groups/update-a-notification-group sdx-api/spa/notifications.json put /{group} Update name, schedule, recipients, and other properties. Requires `notification:update` scope. # List all topics Source: https://docs.altostrat.io/api-reference/spa/notifications/topics/list-all-topics sdx-api/spa/notifications.json get /topics Returns all possible topics that can be attached to a notification group. # Delete a generated SLA report Source: https://docs.altostrat.io/api-reference/spa/reports/sla-reports/delete-a-generated-sla-report sdx-api/spa/reports.json delete /sla/reports/{id} Deletes the JSON data object from S3 (and presumably the PDF). Requires `sla:run` scope. # List generated SLA reports Source: https://docs.altostrat.io/api-reference/spa/reports/sla-reports/list-generated-sla-reports sdx-api/spa/reports.json get /sla/reports Lists recent SLA JSON results objects in S3 for the user. Requires `sla:run` scope to view generated reports. # Create a new SLA schedule Source: https://docs.altostrat.io/api-reference/spa/reports/sla-schedules/create-a-new-sla-schedule sdx-api/spa/reports.json post /sla/schedules Creates a new SLA report schedule object in DynamoDB and sets up CloudWatch event rules (daily/weekly/monthly). Requires `sla:create` scope. # Delete an SLA schedule Source: https://docs.altostrat.io/api-reference/spa/reports/sla-schedules/delete-an-sla-schedule sdx-api/spa/reports.json delete /sla/schedules/{id} Deletes a single SLA schedule from DynamoDB and removes CloudWatch events. Requires `sla:delete` scope. # Get a single SLA schedule Source: https://docs.altostrat.io/api-reference/spa/reports/sla-schedules/get-a-single-sla-schedule sdx-api/spa/reports.json get /sla/schedules/{id} Retrieves a single SLA schedule by UUID from DynamoDB. Requires `sla:view` scope. # List all SLA schedules Source: https://docs.altostrat.io/api-reference/spa/reports/sla-schedules/list-all-sla-schedules sdx-api/spa/reports.json get /sla/schedules Fetches SLA reporting schedules from DynamoDB for the authenticated user. Requires `sla:view` scope. # Manually run an SLA schedule Source: https://docs.altostrat.io/api-reference/spa/reports/sla-schedules/manually-run-an-sla-schedule sdx-api/spa/reports.json post /sla/schedules/{id}/run Triggers a single SLA schedule to run now, with specified date range. Requires `sla:run` scope. This is done by posting `from_date` and `to_date` in the body. # Update an SLA schedule Source: https://docs.altostrat.io/api-reference/spa/reports/sla-schedules/update-an-sla-schedule sdx-api/spa/reports.json put /sla/schedules/{id} Updates a single SLA schedule and re-configures the CloudWatch event rule(s). Requires `sla:update` scope. # Retrieve a specific schedule (internal) Source: https://docs.altostrat.io/api-reference/spa/schedules/internal/retrieve-a-specific-schedule-internal sdx-api/spa/schedules.json get /internal/schedules/{schedule} This route is for internal usage. It requires a special token in the `X-Bearer-Token` header (or `Authorization: Bearer `), validated by the `internal` middleware. # Create a new schedule Source: https://docs.altostrat.io/api-reference/spa/schedules/schedules/create-a-new-schedule sdx-api/spa/schedules.json post /schedules # Delete an existing schedule Source: https://docs.altostrat.io/api-reference/spa/schedules/schedules/delete-an-existing-schedule sdx-api/spa/schedules.json delete /schedules/{schedule} # List all schedules Source: https://docs.altostrat.io/api-reference/spa/schedules/schedules/list-all-schedules sdx-api/spa/schedules.json get /schedules # Retrieve a specific schedule Source: https://docs.altostrat.io/api-reference/spa/schedules/schedules/retrieve-a-specific-schedule sdx-api/spa/schedules.json get /schedules/{schedule} # Update an existing schedule Source: https://docs.altostrat.io/api-reference/spa/schedules/schedules/update-an-existing-schedule sdx-api/spa/schedules.json put /schedules/{schedule} # Generate RouterOS script via AI prompt Source: https://docs.altostrat.io/api-reference/spa/scripts/ai-generation/generate-routeros-script-via-ai-prompt sdx-api/spa/scripts.json post /gen-ai Calls an OpenAI model to produce a RouterOS script from the user’s prompt. Returns JSON with commands, error, destructive boolean, etc. Throttled to 5 requests/minute. Requires `script:create` scope. # Create a new community script Source: https://docs.altostrat.io/api-reference/spa/scripts/community-scripts/create-a-new-community-script sdx-api/spa/scripts.json post /community-scripts Registers a new script from a GitHub raw URL (.rsc) and optional .md readme URL. Automatically triggers background jobs to fetch code, parse README, and create an AI description. # List community scripts Source: https://docs.altostrat.io/api-reference/spa/scripts/community-scripts/list-community-scripts sdx-api/spa/scripts.json get /community-scripts Returns a paginated list of community-contributed scripts with minimal info. No authentication scope is specifically enforced in code, but presumably behind `'auth'` or `'api'` guard. # Raw readme.md content Source: https://docs.altostrat.io/api-reference/spa/scripts/community-scripts/raw-readmemd-content sdx-api/spa/scripts.json get /community-scripts/{id}.md Fetches README from GitHub and returns as text/plain, if `readme_url` is set. # Raw .rsc content of a community script Source: https://docs.altostrat.io/api-reference/spa/scripts/community-scripts/raw-rsc-content-of-a-community-script sdx-api/spa/scripts.json get /community-scripts/{id}.rsc Fetches the script content from GitHub and returns as text/plain. # Show a single community script Source: https://docs.altostrat.io/api-reference/spa/scripts/community-scripts/show-a-single-community-script sdx-api/spa/scripts.json get /community-scripts/{id} Provides script details including name, description, user info, repo info, etc. # Authorize a scheduled script Source: https://docs.altostrat.io/api-reference/spa/scripts/scheduled-scripts/authorize-a-scheduled-script sdx-api/spa/scripts.json put /scheduled/{scheduledScript}/authorize/{token} Sets `authorized_at` if provided token matches `md5(id)`. Requires `script:authorize` scope. Fails if already authorized. # Create a new scheduled script Source: https://docs.altostrat.io/api-reference/spa/scripts/scheduled-scripts/create-a-new-scheduled-script sdx-api/spa/scripts.json post /scheduled Requires `script:create` scope. Specifies a script body, description, launch time, plus sites and notifiable user IDs. Also sets whether backups should be made, etc. # Delete or cancel a scheduled script Source: https://docs.altostrat.io/api-reference/spa/scripts/scheduled-scripts/delete-or-cancel-a-scheduled-script sdx-api/spa/scripts.json delete /scheduled/{scheduledScript} If script not authorized & not started, it's fully deleted. Otherwise sets `cancelled_at`. Requires `script:delete` scope. # Immediately run the scheduled script Source: https://docs.altostrat.io/api-reference/spa/scripts/scheduled-scripts/immediately-run-the-scheduled-script sdx-api/spa/scripts.json put /scheduled/{scheduledScript}/run Requires the script to be authorized. Dispatches jobs to each site. Requires `script:run` scope. # List all scheduled scripts Source: https://docs.altostrat.io/api-reference/spa/scripts/scheduled-scripts/list-all-scheduled-scripts sdx-api/spa/scripts.json get /scheduled Lists scripts that are scheduled for execution. Requires `script:view` scope. Includes site relationships and outcome data. # Request authorization (trigger notifications) Source: https://docs.altostrat.io/api-reference/spa/scripts/scheduled-scripts/request-authorization-trigger-notifications sdx-api/spa/scripts.json get /scheduled/{scheduledScript}/authorize Sends a WhatsApp or other message to configured notifiables to authorize the script. Requires `script:update` scope. # Run scheduled script test Source: https://docs.altostrat.io/api-reference/spa/scripts/scheduled-scripts/run-scheduled-script-test sdx-api/spa/scripts.json put /scheduled/{scheduledScript}/run-test Sends the script to the configured `test_site_id` only. Requires `script:run` scope. # Script execution progress Source: https://docs.altostrat.io/api-reference/spa/scripts/scheduled-scripts/script-execution-progress sdx-api/spa/scripts.json get /scheduled/{scheduledScript}/progress Returns which sites are pending, which have completed, which have failed, etc. Requires `script:view` scope. # Show a single scheduled script’s details Source: https://docs.altostrat.io/api-reference/spa/scripts/scheduled-scripts/show-a-single-scheduled-script’s-details sdx-api/spa/scripts.json get /scheduled/{scheduledScript} Returns a single scheduled script with all relationships (sites, outcomes, notifications). Requires `script:view` scope. # Update a scheduled script Source: https://docs.altostrat.io/api-reference/spa/scripts/scheduled-scripts/update-a-scheduled-script sdx-api/spa/scripts.json put /scheduled/{scheduledScript} Edits a scheduled script’s fields, re-syncs sites and notifiables. Requires `script:update` scope. # Create a new VPN instance Source: https://docs.altostrat.io/api-reference/spa/vpn/instances/create-a-new-vpn-instance sdx-api/spa/vpn.json post /instances Provisions a new VPN instance, automatically deploying a server. Requires `vpn:create` scope. # Delete a VPN instance Source: https://docs.altostrat.io/api-reference/spa/vpn/instances/delete-a-vpn-instance sdx-api/spa/vpn.json delete /instances/{instance} Tears down the instance. Requires `vpn:delete` scope. # Fetch bandwidth usage Source: https://docs.altostrat.io/api-reference/spa/vpn/instances/fetch-bandwidth-usage sdx-api/spa/vpn.json get /instances/{instance}/bandwidth Returns the bandwidth usage metrics for the instance's primary server. Requires `vpn:view` scope. # List all VPN instances Source: https://docs.altostrat.io/api-reference/spa/vpn/instances/list-all-vpn-instances sdx-api/spa/vpn.json get /instances Returns a list of instances the authenticated user has created. Requires `vpn:view` scope. # Show details for a single VPN instance Source: https://docs.altostrat.io/api-reference/spa/vpn/instances/show-details-for-a-single-vpn-instance sdx-api/spa/vpn.json get /instances/{instance} Retrieves a single instance resource by its ID. Requires `vpn:view` scope. # Update a VPN instance Source: https://docs.altostrat.io/api-reference/spa/vpn/instances/update-a-vpn-instance sdx-api/spa/vpn.json put /instances/{instance} Allows modifications to DNS, routes, firewall, etc. Requires `vpn:update` scope. # Internal instance counts per customer Source: https://docs.altostrat.io/api-reference/spa/vpn/internal/internal-instance-counts-per-customer sdx-api/spa/vpn.json post /vpn/internal/instance-counts Used internally to retrieve aggregated peer or instance usage counts. Requires an internal token (not standard Bearer). # Create a new peer on an instance Source: https://docs.altostrat.io/api-reference/spa/vpn/peers/create-a-new-peer-on-an-instance sdx-api/spa/vpn.json post /instances/{instance}/peers Adds a client peer or site peer to the instance. Requires `vpn:create` scope. # Delete a peer Source: https://docs.altostrat.io/api-reference/spa/vpn/peers/delete-a-peer sdx-api/spa/vpn.json delete /instances/{instance}/peers/{peer} Removes a peer from the instance. Requires `vpn:delete` scope. # List all peers under an instance Source: https://docs.altostrat.io/api-reference/spa/vpn/peers/list-all-peers-under-an-instance sdx-api/spa/vpn.json get /instances/{instance}/peers Lists all VPN peers (clients or site-peers) attached to the specified instance. Requires `vpn:view` scope. # Show a single peer Source: https://docs.altostrat.io/api-reference/spa/vpn/peers/show-a-single-peer sdx-api/spa/vpn.json get /instances/{instance}/peers/{peer} Returns detail about a single peer for the given instance. Requires `vpn:view` scope. # Update a peer Source: https://docs.altostrat.io/api-reference/spa/vpn/peers/update-a-peer sdx-api/spa/vpn.json put /instances/{instance}/peers/{peer} Update subnets, route-all, etc. Requires `vpn:update` scope. # List available server regions Source: https://docs.altostrat.io/api-reference/spa/vpn/servers/list-available-server-regions sdx-api/spa/vpn.json get /servers/regions Retrieves a list of possible Vultr (or other provider) regions where a VPN instance can be deployed. # Server build complete callback Source: https://docs.altostrat.io/api-reference/spa/vpn/servers/server-build-complete-callback sdx-api/spa/vpn.json get /vpn/servers/{server}/heartbeat Called by the server itself upon final provisioning. Signed route with short TTL. Updates IP, sets DNS records, etc. # Get site subnets Source: https://docs.altostrat.io/api-reference/spa/vpn/sites/get-site-subnets sdx-api/spa/vpn.json get /site/{id}/subnets Retrieves potential subnets from the specified site (used for configuring a site-to-site VPN peer). # Download WireGuard config as a QR code Source: https://docs.altostrat.io/api-reference/spa/vpn/vpn-client-tokens/download-wireguard-config-as-a-qr-code sdx-api/spa/vpn.json get /vpn/instances/{instance}/peers/{peer}.svg Returns the config in a QR code SVG. Signed route with short TTL. Requires the peer to be a client peer. # Download WireGuard config file Source: https://docs.altostrat.io/api-reference/spa/vpn/vpn-client-tokens/download-wireguard-config-file sdx-api/spa/vpn.json get /vpn/instances/{instance}/peers/{peer}.conf Returns the raw WireGuard client config for a peer (type=client). Signed route with short TTL. Requires the peer to be a client peer. # Retrieve ephemeral client config references Source: https://docs.altostrat.io/api-reference/spa/vpn/vpn-client-tokens/retrieve-ephemeral-client-config-references sdx-api/spa/vpn.json get /vpn/client Uses a client token to retrieve a short-lived reference for WireGuard config or QR code download. The token is validated by custom client-token auth. Returns a JSON with config_file URL, QR code URL, etc. # Create WAN failover for a site Source: https://docs.altostrat.io/api-reference/spa/wan-failover/failover/create-wan-failover-for-a-site sdx-api/spa/wan-failover.json post /{site_id}/failover Sets up a new failover resource for the site if not already present, plus some default tunnels. Requires `wan:create` scope. # Delete WAN failover Source: https://docs.altostrat.io/api-reference/spa/wan-failover/failover/delete-wan-failover sdx-api/spa/wan-failover.json delete /{site_id}/failover/{id} Deletes failover from DB, tears down related tunnels, and unsubscribes. Requires `wan:delete` scope. # Get failover info for a site Source: https://docs.altostrat.io/api-reference/spa/wan-failover/failover/get-failover-info-for-a-site sdx-api/spa/wan-failover.json get /{site_id}/failover Retrieves the failover record for a given site, if any. Requires `wan:view` scope. # List failover services for current user Source: https://docs.altostrat.io/api-reference/spa/wan-failover/failover/list-failover-services-for-current-user sdx-api/spa/wan-failover.json get /service-counts Returns minimal array of failover objects (id, site_id) for user. Possibly used to see how many failovers they have. # Set tunnel priorities for a site Source: https://docs.altostrat.io/api-reference/spa/wan-failover/failover/set-tunnel-priorities-for-a-site sdx-api/spa/wan-failover.json post /{site_id}/failover/priorities Updates the `priority` field on each tunnel for this failover. Requires `wan:update` scope. # Update tunnel gateway (router callback) Source: https://docs.altostrat.io/api-reference/spa/wan-failover/gateway/update-tunnel-gateway-router-callback sdx-api/spa/wan-failover.json post /{site_id}/tunnel/{tunnel_id}/gateway Allows a router script to update the gateway IP after DHCP/PPP changes. Typically uses X-Bearer-Token or similar, not standard BearerAuth. No standard scope enforced. # List count of failovers per customer Source: https://docs.altostrat.io/api-reference/spa/wan-failover/services/list-count-of-failovers-per-customer sdx-api/spa/wan-failover.json get /services_all Returns an object mapping customer_id => count (how many site failovers). # List site IDs for a customer (failover services) Source: https://docs.altostrat.io/api-reference/spa/wan-failover/services/list-site-ids-for-a-customer-failover-services sdx-api/spa/wan-failover.json get /services/{customer_id} Returns an array of site IDs that have failover records for the given customer. # List tunnels for a site (unauth? or partial auth?) Source: https://docs.altostrat.io/api-reference/spa/wan-failover/services/list-tunnels-for-a-site-unauth?-or-partial-auth? sdx-api/spa/wan-failover.json get /services/{site_id}/tunnels Returns array of Tunnels for the given site if any exist. Possibly used by external or different auth flow. # Create a new tunnel Source: https://docs.altostrat.io/api-reference/spa/wan-failover/tunnel/create-a-new-tunnel sdx-api/spa/wan-failover.json post /{site_id}/tunnel Creates a new WAN tunnel record for the site. Requires `wan:create` scope. # Delete a tunnel Source: https://docs.altostrat.io/api-reference/spa/wan-failover/tunnel/delete-a-tunnel sdx-api/spa/wan-failover.json delete /{site_id}/tunnel/{id} Removes the tunnel from the DB and notifies system to remove config. Requires `wan:delete` scope. # Detect eligible gateways for an interface Source: https://docs.altostrat.io/api-reference/spa/wan-failover/tunnel/detect-eligible-gateways-for-an-interface sdx-api/spa/wan-failover.json post /{site_id}/tunnel/gateways Find potential gateway IP addresses for the given interface. Requires `wan:view` scope. # Get router interfaces Source: https://docs.altostrat.io/api-reference/spa/wan-failover/tunnel/get-router-interfaces sdx-api/spa/wan-failover.json get /{site_id}/tunnel/interfaces Lists valid router interfaces for a site. Possibly from router print. Requires `wan:view` scope. # List all tunnels for current user Source: https://docs.altostrat.io/api-reference/spa/wan-failover/tunnel/list-all-tunnels-for-current-user sdx-api/spa/wan-failover.json get /tunnels Returns all Tunnels for the authenticated user’s customer_id. Requires `wan:view` scope. # List tunnels for a site Source: https://docs.altostrat.io/api-reference/spa/wan-failover/tunnel/list-tunnels-for-a-site sdx-api/spa/wan-failover.json get /{site_id}/tunnel Returns all Tunnels associated with this site’s failover. Requires `wan:view` scope. # Show a single tunnel Source: https://docs.altostrat.io/api-reference/spa/wan-failover/tunnel/show-a-single-tunnel sdx-api/spa/wan-failover.json get /{site_id}/tunnel/{id} Returns details of the specified tunnel. Requires `wan:view` scope. # Update tunnel properties Source: https://docs.altostrat.io/api-reference/spa/wan-failover/tunnel/update-tunnel-properties sdx-api/spa/wan-failover.json put /{site_id}/tunnel/{id} Modifies name, gateway, interface, or SLA references on the tunnel. Requires `wan:update` scope. # Test a Slack or MS Teams webhook Source: https://docs.altostrat.io/api-reference/spa/webhooks/integrations/test-a-slack-or-ms-teams-webhook sdx-api/spa/webhooks.json post /test Sends a test message to the specified Slack or MS Teams webhook URL. **Requires** valid JWT authentication with appropriate scope (e.g., `webhook:test` or similar). # Content Filtering Source: https://docs.altostrat.io/core-concepts/content-filtering Manage and restrict access to undesirable or harmful web content across your network using DNS-based policies. Altostrat's **Content Filtering** service helps you enforce network usage standards by allowing you to **block or restrict** access to websites and online services based on predefined categories (like adult content, streaming media, or social networking). This ensures network usage aligns with your organization's **Acceptable Use Policies**. The filtering is primarily achieved through DNS manipulation; when a site is assigned a Content Filtering policy, its DNS requests are typically routed through Altostrat's filtering nameservers, which block queries to prohibited domains based on the policy rules. ## Key Features * **Category-Based Blocking**: Efficiently block large groups of websites based on content categories (e.g., Gambling, Malware, Phishing). * **SafeSearch & Restricted Mode**: Enforce SafeSearch for Google and Bing, and activate YouTube's Restricted Mode to filter explicit search results and videos. * **Filtering Avoidance Prevention**: Block access to known DNS proxies, anonymizers, and VPN services commonly used to circumvent filters. * **Custom Allow/Block Lists**: Define specific domains to always allow (whitelist) or always block (blacklist), overriding category rules. * **Detailed Traffic Analytics**: Review logs and statistics to understand DNS query patterns and identify blocked or allowed domains/categories. *** ## Creating a Content Filter Policy Follow these steps to set up a new policy: From your Altostrat **Dashboard**, go to **Policies → Content Filtering**. Click **Add** or **+ New** to initiate the creation process. {/* Images */} Click **Add** or **+ New** again on the policy list page. {/* Images */} Provide a clear **Policy Name** (e.g., "Standard Employee Policy", "Guest Network Restrictions"). * **Choose Categories**: Select the content categories you wish to block. You can expand groups to select specific sub-categories. ([View available categories via API](/api-reference/spa/bgp-dns-filter/categories-&-applications/list-categories-and-top-applications)). * **SafeSearch Settings**: Enable SafeSearch enforcement for major search engines and set YouTube's Restricted Mode as needed. ([View SafeSearch options via API](/api-reference/spa/bgp-dns-filter/categories-&-applications/list-safe-search-options)). * **Custom Domains**: Add specific domains to your **Allow List** or **Block List**. {/* Images */} Click **Save** or **Add** to create the policy. To apply it to one or more sites: * Navigate to your **Sites** list. {/* Images */} * Select a target site. * In the site's configuration settings, locate the **Content Filter Policy** section and choose your newly created policy from the dropdown. ([Assign policy to site via API](/api-reference/spa/bgp-dns-filter/dns-policy/assign-dns-policy-to-site)). Allow a few moments for the policy changes to propagate to the router's configuration. If the router is behind NAT, ensure the [Management VPN](/management/management-vpn) is active and correctly configured for Altostrat to push the update. {/* Images */} *** ## Editing a Content Filtering Policy To modify an existing policy: Go to **Policies → Content Filtering** in the Altostrat portal. {/* Images */} Click on the name of the policy you wish to update. This will open its configuration settings. {/* Images */} Modify the policy as needed: toggle categories, adjust SafeSearch settings, or manage custom domain lists. {/* Images */} Click **Save** or **Update**. The changes will automatically propagate to all sites currently assigned this policy. ([Update policy via API](/api-reference/spa/bgp-dns-filter/dns-policy/update-dns-policy)). *** ## Removing a Content Filtering Policy Deleting a policy also removes its configuration from any sites currently using it. These sites will revert to default DNS settings (no filtering) or fall back to another assigned policy if applicable. Ensure this is the intended outcome before proceeding. Go to **Policies → Content Filtering**. Locate the policy you intend to remove. {/* Images */} Select the policy, then click the **Trash** or **Remove** icon associated with it. Confirm your decision when prompted. ([Delete policy via API](/api-reference/spa/bgp-dns-filter/dns-policy/delete-dns-policy)). {/* Images */} To **completely disable** Content Filtering for specific sites without deleting the policy itself, navigate to the site's configuration and either assign a different policy (or no policy) or remove the site's association with the current policy. ([Remove policy from site via API](/api-reference/spa/bgp-dns-filter/dns-policy/remove-dns-policy-from-site)). *** ## Programmatic Management (API) Content Filtering policies and their assignments can also be managed programmatically using the Altostrat API. Key endpoints include: * **Create Policy**: `POST /policy` ([API Docs](/api-reference/spa/bgp-dns-filter/dns-policy/create-dns-policy)) * **List Policies**: `GET /policy` ([API Docs](/api-reference/spa/bgp-dns-filter/dns-policy/list-dns-policies)) * **Get Policy Details**: `GET /policy/{policy}` ([API Docs](/api-reference/spa/bgp-dns-filter/dns-policy/get-dns-policy-details)) * **Update Policy**: `PUT /policy/{policy}` ([API Docs](/api-reference/spa/bgp-dns-filter/dns-policy/update-dns-policy)) * **Delete Policy**: `DELETE /policy/{policy}` ([API Docs](/api-reference/spa/bgp-dns-filter/dns-policy/delete-dns-policy)) * **Assign Policy to Site**: `POST /{site_id}` ([API Docs](/api-reference/spa/bgp-dns-filter/dns-policy/assign-dns-policy-to-site)) * **Remove Policy from Site**: `DELETE /{site_id}` ([API Docs](/api-reference/spa/bgp-dns-filter/dns-policy/remove-dns-policy-from-site)) Refer to the specific API documentation for request/response details and required permissions. *** ## Best Practices * **Start Conservatively, Refine Gradually**: Begin by blocking only the most critical or universally unacceptable content categories. Monitor logs and user feedback, then refine the policy by adding more categories or creating specific domain exceptions (allow/block lists) as needed. * **Test Policies**: Before applying a new or modified policy broadly, test it on a non-critical site or segment to ensure it behaves as expected and doesn't unintentionally block necessary resources. * **Regularly Review Logs**: Periodically examine DNS query logs and filtering statistics to understand traffic patterns, identify frequently blocked sites (which might indicate policy gaps or user needs), and ensure the policy remains effective. * **Combine with Other Security Layers**: Content Filtering is one part of a layered security strategy. Complement it by enabling features like [Security Essentials](/core-concepts/security-essentials) for threat intelligence feeds and firewall rules. * **Communicate Policies to Users**: Ensure employees, guests, or other network users are aware of the Acceptable Use Policy and understand *why* certain content might be restricted. This minimizes confusion and support requests. # Control Plane Source: https://docs.altostrat.io/core-concepts/control-plane Configure inbound management services (WinBox, SSH, API) and firewall rules at scale in Altostrat. Altostrat's **Control Plane Policies** define how MikroTik devices handle inbound connections for critical management services such as **WinBox**, **SSH**, and **API**. By centralizing firewall rules and trusted networks, you ensure consistent security across all routers under a given policy. ## Default Policy When you sign up, Altostrat automatically creates a **Default Control Plane Policy** for basic protection. This policy includes: * **Trusted Networks** (e.g., private IP ranges like 10.x, 192.168.x) * **WinBox**, **API**, and **SSH** enabled on default ports * **Custom Input Rules** toggled on or off The IP address `154.66.115.255/32` may be added by default as a trusted address for Altostrat's Management API. ## Creating a Control Plane Policy Under Policies, select Control Plane. You'll see a list of existing policies, including the default one. {/* Images */} Click + Add Policy. Give your policy a descriptive name (e.g., "Strict Admin Access"). {/* Images */} Add or remove IP addresses or CIDR ranges that you consider trusted. For example: 192.168.0.0/16. {/* Images */} Decide whether your MikroTik firewall input rules should take precedence. If set to ON, your custom rules will be applied first. {/* Images */} Under IP Services, specify ports for WinBox, SSH, and API. These services must remain enabled if you plan to manage devices via Altostrat's API. {/* Images */} Assign the policy to specific sites if desired. You can also assign it later. Click Add to finalize. {/* Images */} ## Editing a Control Plane Policy Navigate to Policies → Control Plane. Click on the policy to open its settings. {/* Images */} {/* Images */} Add or remove CIDRs, toggle whether Custom Input Rules override Altostrat's default drop rules, and modify ports for WinBox, API, and SSH. {/* Images */} Changes will propagate automatically to any sites using this policy. Allow a short period for routers to update. ## Removing a Control Plane Policy Deleting a policy from an active site may disrupt management access if no other policy is assigned. In Policies → Control Plane, locate the policy you wish to remove. {/* Images */} Click the Trash icon and confirm the action. If any routers depend on this policy for inbound admin services, assign them another policy first. {/* Images */} ## Best Practices * **Maintain Essential Services**: Keep WinBox, SSH, and API enabled if you plan to manage devices through Altostrat. * **Limit Trusted Networks**: Restrict access to reduce exposure. * **Regular Review**: Review and update policies as your network changes. * **Security Layering**: Combine with [Security Essentials](/core-concepts/security-essentials) for a comprehensive security approach. # Notification Groups Source: https://docs.altostrat.io/core-concepts/notification-groups Define groups of users, schedules, and alert types for more targeted notifications. {/* Images */} A **Notification Group** is a way to organize who receives alerts, **when** they receive them, and for **which events**. This helps ensure relevant teams get the notifications they need while avoiding unnecessary notifications for others. ## Setting Up a Notification Group Go to Notifications → Notification Groups in the Altostrat Portal. {/* Images */} Click Add or + New to create a new Notification Group. Provide a Group Name. {/* Images */} {/* Images */} Choose who should receive alerts—either individual users or an entire role (e.g., "NOC Team"). Only selected users will receive notifications tied to this group. {/* Images */} If desired, link a policy specifying time windows for sending alerts (to reduce off-hours messages). {/* Images */} Select which types of notifications are relevant (e.g., Heartbeat Failures, Security Alerts, WAN Failover). {/* Images */} If alerts should only apply to specific sites, limit them here. Otherwise, the group will cover all sites by default. {/* Images */} Confirm your settings. The new group will now be active. *** ## Editing a Notification Group Under Notifications → Notification Groups, locate the group you want to modify. {/* Images */} {/* Images */} Adjust the group's name, add or remove users, modify the Business Hours Policy, or expand/restrict topics. {/* Images */} Most changes save automatically. Users may need to log out and log back in to see updates in some cases. *** ## Removing a Notification Group Deleting a group means its members will no longer receive those alerts. Ensure critical notifications are covered by another group if needed. In Notifications → Notification Groups, select the group to remove. {/* Images */} {/* Images */} Click the Trash icon. Confirm your choice in the dialog. {/* Images */} If the group was tied to certain **Business Hours Policies** or **Alert Topics**, you might need to reassign them to another group to maintain coverage. *** ## Tips & Best Practices * **Segment Based on Function**: Create separate groups for Security Teams, NOC Teams, Management, etc. * **Use Business Hours Policies**: Reduce alert fatigue by only notifying off-hours for critical events. * **Review Groups Regularly**: Ensure each group's membership and topics remain relevant. * **Combine with Integrations**: Forward alerts to Slack or Microsoft Teams if needed—see [Integrations](/integrations/integrations-overview). # Notifications Source: https://docs.altostrat.io/core-concepts/notifications Define, manage, and route alerts for important network events in Altostrat. {/* Images */} Altostrat **Notifications** keep you informed about key events—like **Network Outages**, **SLA Breaches**, and **Security Issues**—so you can react quickly. Customize notifications to ensure the right teams or individuals get the right alerts at the right time. ## Why Notifications Matter * **Proactive Issue Management:** Address potential problems before they escalate into major outages. * **Improved Network Uptime:** Quick response to alerts shortens downtime. * **Enhanced Security:** Security-related notifications highlight suspicious activity, enabling quick risk mitigation. * **Customizable:** Assign notifications to specific users or groups based on their roles. ## Notification Types Here are common notifications sent by Altostrat: | **Type** | **Description** | | ----------------------- | ---------------------------------------------------------------------------------- | | **SLA Reports** | Alerts you when agreed Service Level Agreements (uptime, latency) aren't met | | **Heartbeat Failures** | Informs administrators when a device stops sending health signals | | **WAN Failover Events** | Indicates connectivity issues or automatic failover events that affect the network | | **Security Alerts** | Notifies you about malicious IP blocks, intrusion attempts, or suspicious traffic | *** ## Setting Up Notifications {/* From your Altostrat Dashboard, go to the Notifications section. This page displays an overview of existing notification rules. Click Add or New Notification to create a rule. Define conditions such as Fault Type, SLA Breach, or Security Trigger. Select specific users, roles, or Notification Groups who should receive these alerts. You can configure delivery methods including Email or SMS (subject to [Supported SMS Regions](/resources/supported-sms-regions)). Review and confirm the notification settings. If possible, test by simulating a trigger (e.g., forcing a Heartbeat Failure). Recipients should receive a test alert when everything is configured correctly. */} You can follow this guide in order to set up your notifications. [Setting Up Notitications](/core-concepts/notification-groups) ## Customizing Alerts * **Business Hour Policies:** Receive notifications only during specified times * **Targeted Alerts:** Direct SLA or Security notifications to relevant teams * **Limit Redundancy:** Prevent notification fatigue by avoiding duplicate messages *** ## Best Practices * **Review Regularly:** Ensure your notification settings align with current organizational needs * **Use Notification Groups:** Organize recipients by function (e.g., NOC Team, Security Team) * **Integrate with Other Tools:** Connect notifications with external services (e.g., Slack, Microsoft Teams) for streamlined workflows If you experience issues or need to configure advanced behavior, consult the [Notification Groups](/core-concepts/notification-groups) page or review the [Orchestration Log](/management/orchestration-log) for troubleshooting assistance. # Roles & Permissions Source: https://docs.altostrat.io/core-concepts/roles-and-permissions Control user access levels in Altostrat SDX using roles, which group granular permission scopes for accessing resources and performing actions via the UI and API. # Roles & Permissions in Altostrat SDX Altostrat SDX uses a flexible Role-Based Access Control (RBAC) system to manage user capabilities. **Permissions** (also referred to as **Scopes**) define the ability to perform specific actions (like viewing billing info or deleting a site), while **Roles** group these permissions together. Roles are then assigned to users **within the context of a specific Team**, determining what each user can do within that team's resources. ## Key Concepts * **Permissions (Scopes):** Fine-grained strings representing specific actions, typically in the format `resource:action` (e.g., `site:view`, `billing:update`, `api:create`). These scopes directly control access to API endpoints and influence what is visible or actionable in the user interface. * **Roles:** Collections of permissions. Assigning a role to a user grants them all the permissions contained within that role for the team they are assigned to. * **System Roles:** Predefined roles with common permission sets provided by Altostrat SDX (e.g., Owner, Administrator, potentially a read-only or member role). System roles usually cannot be deleted or fundamentally altered. * **Custom Roles:** Roles you create and manage within your team, allowing you to tailor access precisely by selecting specific permissions. * **Team Context:** Role assignments are specific to a Team. A user might be an Administrator in one team but only have view permissions in another. ## Permission Scope Reference Permissions grant access to specific functionalities. Here is a breakdown of common permission scopes grouped by area, based on available API actions: | **Scope** | **Explanation** | | ----------------- | -------------------------------------------------------------- | | `user:view` | View user details within the team. | | `user:create` | Create new users and add them to the team. | | `user:update` | Update user profile details and role assignments. | | `user:delete` | Remove users from the team/system (restrictions apply). | | *(Implied/OAuth)* | Manage own 2FA settings (enable, disable, confirm, get codes). | | *(Implied/OAuth)* | View own user info. | | **Scope** | **Explanation** | | ---------------------- | ------------------------------------------------- | | `team:create` | Create new teams within the organization. | | `team:update` | Update team details (name, site limit). | | `team:delete` | Delete teams (restrictions apply). | | `teams:invite-users` | Invite users to join a team; cancel invitations. | | `teams:remove-users` | Remove members from a team (cannot remove owner). | | *(Implied/Membership)* | List teams, view team details, members, invites. | | *(Implied/Membership)* | Switch active team context. | | **Scope** | **Explanation** | | ---------------- | ----------------------------------------------------------- | | `role:view` | View available roles (system & custom) and assigned scopes. | | `role:create` | Create new custom roles for the team. | | `role:update` | Update custom team roles (name, assigned scopes). | | `role:delete` | Delete custom team roles (if unassigned). | | `api:view` | View team API credentials (names, IDs, usage). | | `api:create` | Create new API credentials for the team. | | `api:update` | Update API credential details (name, expiry). | | `api:delete` | Delete/revoke API credentials for the team. | | *(Implied/Auth)* | List all available permission scopes. | | **Scope** | **Explanation** | | ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | | `billing:view` | View billing account details, payment methods, tax IDs, invoices, subscription overview, | | pricing, upcoming invoice, supported Tax ID types. | | | `billing:update` | Update billing account, manage payment methods (add, set default, delete), manage tax IDs | | (add, delete), manage subscriptions (create, update quantity/interval, cancel). | | | **Scope** | **Explanation** | | ------------------ | -------------------------------------------------------------------- | | `site:view` | View site details, list sites, view uptime, versions, recent sites. | | `site:create` | *(Primarily internal/adoption flow)* Create site records. | | `site:update` | Update site details (name, address, timezone etc). | | `site:delete` | Mark a site for deletion. | | `site:action` | Perform specific actions on a site (e.g., reboot). | | `job:view` | View job history and details for a site. | | `job:create` | Create asynchronous jobs (scripts/commands) for a site. | | `job:delete` | Delete *pending* jobs for a site. | | `backup:view` | List backups, view backup content, view diffs, view subnets. | | `backup:create` | Request a new backup to be taken for a site. | | `inventory:view` | View network inventory like ARP tables, syslog, possibly interfaces. | | `inventory:update` | Update metadata associated with inventory items (e.g., ARP alias). | | `logs:view` | View system log events from CloudWatch. | | `script:create` | Create scheduled scripts, generate scripts via AI. | | `script:view` | View scheduled scripts and execution progress. | | `script:update` | Update scheduled scripts, request authorization. | | `script:delete` | Delete or cancel scheduled scripts. | | `script:run` | Immediately run or test a scheduled script. | | `script:authorize` | Authorize a scheduled script for execution. | | *(Implied/UI)* | List community scripts and view their details. | | **Scope** | **Explanation** | | ------------------------- | ---------------------------------------------- | | `vpn:view` | View VPN instances and peers. | | `vpn:create` | Create VPN instances and peers. | | `vpn:update` | Update VPN instances and peers. | | `vpn:delete` | Delete VPN instances and peers. | | `wan:view` | View WAN failover configurations and tunnels. | | `wan:create` | Create WAN failover services and tunnels. | | `wan:update` | Update WAN failover tunnels and priorities. | | `wan:delete` | Delete WAN failover services and tunnels. | | `elasticip:view` | List assigned Elastic IPs and managed subnets. | | `elasticip:create` | Assign new Elastic IPs. | | `elasticip:update` | Reset RADIUS password, update PTR records. | | `elasticip:delete` | Release assigned Elastic IPs. | | `cpf:view` | List Control Plane policies. | | `cpf:create` | Create Control Plane policies. | | `cpf:update` | Update Control Plane policies, assign sites. | | `cpf:delete` | Delete Control Plane policies. | | `apicredentials:view` | View site API credentials (CPF). | | `apicredentials:create` | Rotate/create site API credentials (CPF). | | `transientaccess:view` | View transient access sessions. | | `transientaccess:create` | Create transient access sessions (Winbox/SSH). | | `transientaccess:delete` | Revoke transient access sessions. | | `transientforward:view` | View transient port forwards. | | `transientforward:create` | Create transient port forwards. | | `transientforward:delete` | Revoke transient port forwards. | | **Scope** | **Explanation** | | ---------------------- | ---------------------------------------------------------------------- | | `contentfilter:view` | View DNS & BGP/DNR policies, categories, apps, assigned sites/tunnels. | | `contentfilter:create` | Create DNS & BGP/DNR policies. | | `contentfilter:update` | Update DNS & BGP/DNR policies, assign/unassign from sites/tunnels. | | `contentfilter:delete` | Delete DNS & BGP/DNR policies (if unassigned). | | `cve:view` | View CVE scan schedules and scan results. | | `cve:create` | Create new CVE scan schedules. | | `cve:update` | Update CVE scan schedules, start/stop scans manually. | | `cve:delete` | Delete CVE scan schedules. | | **Scope** | **Explanation** | | --------------------- | -------------------------------------------------------------------------- | | `sla:view` | View SLA report schedules. | | `sla:create` | Create new SLA report schedules. | | `sla:update` | Update SLA report schedules. | | `sla:delete` | Delete SLA report schedules. | | `sla:run` | Manually run SLA reports, view/delete generated reports. | | `notification:view` | View notification groups. | | `notification:create` | Create notification groups. | | `notification:update` | Update notification groups. | | `notification:delete` | Delete notification groups. | | `webhook:test` | Test webhook integrations (Slack, Teams). | | `fault:view` | View fault history and details. | | `fault:create` | *(Implied)* Generate fault tokens (might require view or specific create). | *Note: For a definitive list of all available permission scopes, refer to the [List Available Scopes API endpoint](/api-reference/spa/authentication/roles-&-permissions/list-available-scopes). Specific scope requirements are also detailed in the documentation for each API endpoint.* ## Creating a Role Follow these steps to create a custom role within your currently active team: In the Altostrat SDX Dashboard, go to **Settings → Roles & Permissions**. You will see a list of existing system and custom roles for your current team. {/* Image: Screenshot showing the Roles & Permissions list page */} Click the **+ Add** button. A form will appear to define the new role. Enter a descriptive name (e.g., "NOC Level 1", "Billing Manager") that clearly indicates the role's purpose. {/* Image: Screenshot showing the 'Add Role' modal or form with the name field highlighted. */} Scroll through the list of available permissions, grouped by category. Select the checkboxes corresponding to the **scopes** (e.g., `site:view`, `billing:update`) you want to grant to this role. {/* Image: Screenshot showing the permission selection part of the form, with some checkboxes ticked. */} {/* Re-use edit image if applicable */} {/* Re-use edit image if applicable */} Once you have selected all the desired permissions, click the **Save** button. The new custom role will be created and appear in the list, ready to be assigned to users within the team. (This typically corresponds to a `POST` [/team\_roles](/api-reference/spa/authentication/roles-&-permissions/create-team-role) API call). {/* Image: Screenshot showing the saved role in the list or a success message. */} ## Editing a Role You can modify the name and assigned permissions of custom roles. System roles typically cannot be edited. Navigate to **Settings → Roles & Permissions**. Find the custom role you wish to modify in the list and click on its name or an associated 'Edit' icon. {/* Image: Screenshot showing the list of roles with one highlighted or an edit icon pointed out. */} In the role editing form, you can change the role's name and adjust the assigned permissions (**scopes**) by selecting or deselecting the checkboxes. {/* Image: Screenshot of the role editing form with permissions being changed. */} Click the **Update** or **Save** button to apply your modifications. All users currently assigned this role within the team will inherit the updated set of permissions. (This corresponds to a `PUT` [/team\_roles/{role}](/api-reference/spa/authentication/roles-&-permissions/update-team-role) API call). Users might need to refresh their session (e.g., log out and back in) for changes to take full effect. {/* Image: Screenshot showing the confirmation or the updated role list. */} ## Deleting a Role You can only delete *custom* roles. Deleting a role cannot be undone. Deleting a custom role will immediately revoke all its associated permissions from any users currently assigned that role within the team. Ensure users have alternative roles if continued access is needed. You generally **cannot** delete a role if it is currently assigned to any users within the team. Go to **Settings → Roles & Permissions**. Find the custom role you want to remove from the list. System roles will typically not have a delete option. {/* Image: Use Creating-Role-Step1 image */} {/* Image: Use Editing-Role-Step1 image */} Click the delete icon (e.g., trash can or via a menu) associated with the role. A confirmation prompt will appear. Carefully review the impact and confirm the deletion. (This corresponds to a `DELETE` [/team\_roles/{role}](/api-reference/spa/authentication/roles-&-permissions/delete-team-role) API call). The delete option might be hidden off-screen on smaller displays or if the role has many permissions listed horizontally. You may need to scroll horizontally to find it. {/* Video: Showing the process of clicking delete and confirming. */} ## Assigning Roles to Users Roles are assigned to users within the **Team Members** management section. 1. Navigate to **Team Settings** -> **Members**. 2. Select the user whose roles you want to manage within the current team. 3. Assign one or more available roles (system or custom) to the user. 4. Save the changes. (See [User Management](/core-concepts/users) for details on assigning roles to team members). ## Best Practices * **Use System Roles First**: Leverage predefined roles like Administrator or Member for common access patterns before creating custom ones. * **Principle of Least Privilege**: Grant only the necessary permissions (scopes) required for a user to perform their job function within a team. Avoid overly broad roles. * **Create Task-Specific Custom Roles**: Define roles based on responsibilities (e.g., "Billing Viewer," "Site Operator," "Security Auditor") rather than individual users. * **Regular Audits**: Periodically review role definitions and user assignments to ensure they are still appropriate and align with current responsibilities and security policies. * **Document Custom Roles**: Clearly document the purpose and intended permissions of each custom role you create for your team's reference. # Threat Feeds Source: https://docs.altostrat.io/core-concepts/security-essentials Leverage BGP-delivered threat intelligence feeds to automatically block malicious traffic at your network edge. Altostrat's **Threat Feeds** feature enhances network security by integrating curated threat intelligence lists directly into your MikroTik router's routing table or firewall, often using **BGP** mechanisms. This allows you to automatically block traffic to and from known malicious IP addresses associated with threats like botnets, scanners, and compromised servers by null-routing or filtering traffic based on these feeds. This feature complements DNS-based [Content Filtering](/core-concepts/content-filtering), providing protection at the IP/routing layer. Both features are often managed under the same policy framework within Altostrat. ## Key Features * **BGP-Delivered Threat Intelligence**: Utilize automatically updated lists of malicious IP addresses sourced from reputable providers (e.g., Team Cymru, FireHOL, Emerging Threats), often distributed via BGP. * **Automated Routing/Firewall Integration**: Selected threat feeds dynamically update the router's configuration, typically by adding routes pointing to a null interface (blackhole) or populating firewall address lists for blocking rules. * **Malicious Traffic Blocking**: Prevent inbound and outbound connections associated with known threats based on the subscribed feeds at the network layer. * **Logging and Monitoring**: Track policy update statuses via the [Orchestration Log](/management/orchestration-log) and monitor related routing or firewall events on the MikroTik device. *** ## Default Threat Feed Policy When you first sign up, Altostrat may create a default **Threat Feed Policy** incorporating essential Threat Feeds. This policy often includes lists such as: * **RFC 1918** Private IP Ranges (common bogon filtering) * **Team Cymru FullBogons** (unallocated/unroutable IP addresses) * **FireHOL Level 1** (basic list of known malicious IPs) * **Emerging Threats Block IPs** (compromised IPs, C\&C servers) You can customize this default policy or create new ones tailored to your security posture. *** ## Creating a Threat Feed Policy Go to **Policies → Threat Feeds** in the Altostrat portal. {/* Images (Assuming these screenshots show navigation to the correct policy section) */} Click **Add** or **+ New**. Enter a descriptive policy name (e.g., "Block Known Attackers", "Critical Infrastructure Feeds"). {/* Images */} Choose the specific threat intelligence feeds (BGP/DNR Lists) you want to enable within this policy. The available feeds can be viewed ([View available BGP/DNR lists via API](/api-reference/spa/bgp-dns-filter/bgp-policy/list-bgpdnr-lists)). Select feeds based on desired protection level and potential operational impact. {/* Images */} Click **Save** or **Add** to finalize the policy definition ([Create BGP policy via API](/api-reference/spa/bgp-dns-filter/bgp-policy/create-bgp-policy)). To apply it to a site: * Navigate to the desired **Site** overview page. * Assign this newly created policy under the site's **Threat Feed Policy** setting. ([Assign BGP policy to site via API](/api-reference/spa/bgp-dns-filter/bgp-policy/assign-bgp-policy-to-site)). * The router will then be configured (via the [Management VPN](/management/management-vpn)) to utilize the selected BGP feeds, updating its routing table or firewall rules. Allow time for synchronization. *** ## Editing a Threat Feed Policy Access the Altostrat portal and navigate to **Policies → Threat Feeds**. {/* Images */} Click on the name of the policy you wish to modify. Toggle the desired threat feeds (BGP/DNR Lists) on or off as needed within the policy configuration. {/* Images */} {/* Images */} Click **Save** or **Update**. Changes automatically propagate to all sites using this policy, updating their routing/firewall configurations. ([Update BGP policy via API](/api-reference/spa/bgp-dns-filter/bgp-policy/update-bgp-policy)). *** ## Removing a Threat Feed Policy Deleting a Threat Feed Policy also removes its configuration from any sites using it. This disables the associated routing or firewall rules derived from its feeds, potentially increasing the site's exposure to threats if no alternative protection is active. Go to **Policies → Threat Feeds** and identify the policy you want to delete. {/* Images */} Click the **Remove** or **Trash** icon next to the policy and confirm your choice. This deletes the policy definition itself. Sites previously using it will have the corresponding configurations removed. ([Delete BGP policy via API](/api-reference/spa/bgp-dns-filter/bgp-policy/delete-bgp-policy)). {/* Images */} To stop applying a policy to a specific site **without deleting the policy definition**, navigate to the site's configuration and assign a different Threat Feed policy or remove the current assignment ([Remove BGP policy from site via API](/api-reference/spa/bgp-dns-filter/bgp-policy/remove-bgp-policy-from-site)). *** ## Programmatic Management (Threat Feed Policy API) Threat Feed policies using BGP/DNR can be managed programmatically via the Altostrat API. Key endpoints include: * **Create BGP Policy**: `POST /bgp/policy` ([API Docs](/api-reference/spa/bgp-dns-filter/bgp-policy/create-bgp-policy)) * **List BGP Policies**: `GET /bgp/policy` ([API Docs](/api-reference/spa/bgp-dns-filter/bgp-policy/list-bgp-policies)) * **Get BGP Policy Details**: `GET /bgp/policy/{policy}` ([API Docs](/api-reference/spa/bgp-dns-filter/bgp-policy/get-bgp-policy-details)) * **Update BGP Policy**: `PUT /bgp/policy/{policy}` ([API Docs](/api-reference/spa/bgp-dns-filter/bgp-policy/update-bgp-policy)) * **Delete BGP Policy**: `DELETE /bgp/policy/{policy}` ([API Docs](/api-reference/spa/bgp-dns-filter/bgp-policy/delete-bgp-policy)) * **Assign BGP Policy to Site**: `POST /bgp/{site_id}` ([API Docs](/api-reference/spa/bgp-dns-filter/bgp-policy/assign-bgp-policy-to-site)) * **Remove BGP Policy from Site**: `DELETE /bgp/{site_id}` ([API Docs](/api-reference/spa/bgp-dns-filter/bgp-policy/remove-bgp-policy-from-site)) * **List Available BGP/DNR Feeds**: `GET /bgp/category` ([API Docs](/api-reference/spa/bgp-dns-filter/bgp-policy/list-bgpdnr-lists)) Refer to the specific API documentation for request/response details. *** ## Best Practices * **Understand Feed Sources**: Know the origin and nature of each BGP/DNR feed (e.g., bogons, active threats) to assess potential impact and false positive risks. * **Monitor Routing/Firewall Impact**: Check the router's routing table (for blackholes) and firewall logs/rules to see how the feeds are being implemented and what traffic is being blocked. * **Start Selectively**: Implement conservative feeds first (like bogon lists) before adding more aggressive threat feeds. Monitor network reachability closely after adding new feeds. * **Layered Security**: Use Threat Feeds (IP/BGP layer) in conjunction with [Content Filtering](/core-concepts/content-filtering) (DNS layer) for comprehensive protection. * **Regular Audits**: Periodically review feed selections and policy assignments to align with current security needs and threat landscape. # Teams Source: https://docs.altostrat.io/core-concepts/teams Organize users into teams for resource ownership, collaboration, and scoped access control in Altostrat SDX. ## Introduction In Altostrat SDX, a **Team** is the primary way to group users and manage access to shared resources. Think of a team as a workspace or a container for collaboration. Every resource you manage within Altostrat SDX (like Sites, Policies, VPNs, Scripts, etc.) belongs to a specific team. Access control is layered: 1. A user must be a **member** of a team to potentially access its resources. 2. The user's assigned **Role(s)** *within that specific team* determine *what* actions they can perform on the team's resources, based on the [Permissions (Scopes)](/core-concepts/roles-and-permissions) granted by those roles. ## Key Concepts * **Resource Ownership:** All manageable resources are owned by a Team, not individual users. This ensures clear ownership and facilitates handover if team members change. * **Collaboration:** Teams allow groups of users working on common infrastructure or projects (e.g., a Network Operations team, a regional support group, a specific client project) to share visibility and control over the relevant resources. * **Scoped Access:** A user's permissions are always evaluated within the context of their currently active team. They only see and manage resources belonging to that team, according to their assigned roles within it. * **Multi-Team Membership:** A single user account can be a member of multiple teams, allowing individuals to participate in different projects or departments without needing separate logins. They can switch between their active team contexts using the team switcher in the UI or via API. * **Team Owner:** The user who creates a team is designated as its Owner. The Owner typically has full administrative privileges within that team (often assigned a default 'Administrator' or 'Owner' role) and is usually the only one who can delete the team or transfer ownership (though specific permissions can vary). * **Site Limit (Optional):** Teams can optionally have a specific 'Site Limit' configured. If set to a value greater than 0, this limit restricts the number of sites *this specific team* can manage, potentially overriding a higher limit set at the organizational/subscription level. A value of 0 means the team uses the available organization-wide limit. ## Managing Teams Team management involves viewing, creating, updating, switching between, and deleting teams. These actions typically require specific permissions (scopes). ### Viewing Teams * **UI:** Navigate to **Settings → Teams** in the dashboard to see a list of teams you belong to. * **API:** Use `GET` [/teams](/api-reference/spa/authentication/teams/list-users-teams) to retrieve a list of teams accessible to the authenticated user. {/* Image: Screenshot of the Team Overview page */} ### Creating a Team Requires the `team:create` permission scope. Go to **Settings → Teams** and click the **+ New** or **+ Add Team** button. {/* Images */} Provide a descriptive **Team Name** (e.g., "Network Operations Center", "Client Alpha Support", "Security Audit Team") and click **Add ->**. {/* Images */} The team is created, and the creator is automatically assigned as the Owner and added as a member. (API: `POST` [/teams](/api-reference/spa/authentication/teams/create-team)). You can now manage its members and settings. ### Editing a Team Requires the `team:update` permission scope (or Owner privileges). From the **Settings → Teams** overview, click on the name of the team you want to modify. {/* Images */} You can typically modify the **Team Name** and the optional **Site Limit**. Member management (adding, removing, changing roles) is also done from the team settings screen but is detailed under [User Management](/core-concepts/users). Changes are usually saved automatically as you make them. (API: `PUT` [/teams/\{team}](/api-reference/spa/authentication/teams/update-team)). {/* Images */} ### Switching Active Team If you are a member of multiple teams, you need to select which team's context you are currently working in. The active team determines which resources are visible and manageable. * **UI:** Use the Team Switcher dropdown, usually located in the main navigation or sidebar. * **API:** Use the `PUT` [/teams/\{team}/switch](/api-reference/spa/authentication/teams/switch-current-team) endpoint to change the active team context for subsequent API calls using the same authentication token/session. ### Deleting a Team Requires the `team:delete` permission scope (or Owner privileges). **This action is permanent and cannot be undone.** Deleting a team typically also deletes **all resources** owned by that team (sites, policies, etc.). Ensure any critical resources are moved or backed up before proceeding. You generally cannot delete a team if you are the sole owner and there are other members, or if critical resources are still associated with it. From the **Settings → Teams** overview, choose the team you wish to delete. Within the team's settings, find and click the **Delete Team** button or trash can icon. {/* Images */} A confirmation dialog will appear, warning about the consequences. Carefully read the confirmation and proceed if you are certain. (API: `DELETE` [/teams/\{team}](/api-reference/spa/authentication/teams/delete-team)). {/* Images */} ## Managing Members and Invites Adding users to a team, inviting new users, removing members, and assigning their roles within the team are managed within the specific team's settings (**Settings → Teams → \[Select Team] → Members**). For detailed instructions on these actions, please refer to the [User Management](/core-concepts/users) documentation. ## Best Practices * **Use Descriptive Names:** Choose team names that clearly indicate the team's purpose or scope (e.g., "EU Support", "Project Phoenix", "Read-Only Auditors"). * **Align Teams with Responsibilities:** Create teams based on functional roles, projects, or client groupings to simplify permission management. * **Leverage Multiple Teams:** Don't hesitate to place users in multiple teams if their responsibilities cross functional boundaries. * **Review Team Ownership:** Ensure the designated Team Owner is appropriate and active. Plan for ownership transfer if necessary. * **Utilize Site Limits Sparingly:** Only set per-team site limits if you need to enforce stricter quotas than the overall organizational subscription allows for specific groups. # User Management Source: https://docs.altostrat.io/core-concepts/users Manage portal users and notification recipients, assign roles within teams, and understand resource access in Altostrat SDX. # User Management in Altostrat SDX Altostrat SDX manages access control through **Users**, **Teams**, and **Roles**. A user account represents an individual who can interact with the platform or receive notifications. Access to resources (like sites or billing information) is determined by a user's membership in a Team and the Roles assigned to them within that team. ## User Types: Portal vs. Notification-Only Altostrat supports two primary user distinctions based on their ability to log in: | **Characteristic** | **Portal User (`allow_login: true`)** | **Notification-Only User (`allow_login: false`)** | | :------------------------------- | :------------------------------------ | :------------------------------------------------ | | **Can Log In?** | ✅ Yes | ❌ No | | **Receives Notifications?** | ✅ Yes | ✅ Yes | | **Can Own Resources?** | ✅ Yes (via Team Membership) | ❌ No | | **Requires Email Verification?** | ✅ Yes (for login) | ❌ No | | **Typical Use Case** | Admins, Operators, Team Members | Stakeholders, Alert Recipients | Essentially, the ability to log in (`allow_login` flag) is the key differentiator. Notification-Only users are primarily recipients for alerts and reports without needing dashboard access. ## Creating Users Users can be added to Altostrat SDX in two main ways: ### 1. User Self-Registration * Individuals can sign up themselves via the Altostrat authentication portal (e.g., `https://auth.altostrat.app`). * They must verify their email address to activate their account. * Once registered, they can either create their own Organization and Team or accept an invitation to join an existing Team. * See [User Registration](/getting-started/user-registration) for the user perspective. ### 2. Admin Creation (UI / API) * An administrator with the appropriate permissions (`user:create` scope) can create new users directly within a Team context. * **Via UI:** Typically done through the **Settings -> Users** or **Team Settings -> Members** section by clicking "Add User" or similar. * **Via API:** Use the `POST` [/users](/api-reference/spa/authentication/user-management/create-or-add-user-to-team) endpoint. * **Required Information:** When creating via Admin/API, you'll typically provide: * `name`: User's full name. * `email`: User's unique email address. * `allow_login` (Boolean): Set to `true` for a Portal User, `false` for a Notification-Only User. * `timezone`: User's preferred timezone (defaults based on creator's IP if not provided via API). * *(Optional)* `mobile`: Phone number details for SMS notifications. * *(Optional)* `roles`: An array of Role IDs to assign within the current team context. * **Important:** When creating a Portal User via API with `allow_login: true` who doesn't use SSO, a temporary password will be generated and returned in the API response. This should be securely communicated to the user, who should change it upon first login. Email verification will also be required. ## Managing Team Membership & Roles (Granting Access) Access to resources like sites, billing, or VPNs is controlled by **Team membership** and the **Roles** assigned within that team. To grant a user access: 1. **Navigate to Team Members:** Go to **Settings → Teams**, select the relevant Team, and navigate to its **Members** list. {/* Images */} 2. **Add or Invite the User:** * **Add Existing User:** If the user already has an Altostrat account, use the "Add Member" function (requires `user:create` or similar scope) and search for their email. * **Invite New User:** If the user doesn't have an account or you want them to register first, use the "Invite" function (requires `teams:invite-users` scope). Enter their email address to send an invitation link. (API: `POST` [/teams/\{team}/invites](/api-reference/spa/authentication/teams/invite-user-to-team)). {/* Images */} 3. **Assign Roles:** During the add/invite process (or by editing the member later), assign the appropriate **Role(s)**. The selected roles determine the user's permissions *only within this specific team*. Refer to [Roles & Permissions](/core-concepts/roles-and-permissions) for details on configuring roles and scopes. If adding an existing user and they don't appear in the search, ensure they have verified their email address after registration. ## Managing User Profiles Users can manage some of their own profile details. Administrators with `user:update` scope can modify details for other users within their teams. 1. **Locate the User:** Find the user in **Settings → Users** or within a specific **Team → Members** list. Click on their name or an 'Edit' icon. {/* Images */} 2. **Edit Details:** Modify fields such as: * Name * Email Address (requires re-verification) * Mobile Number (for SMS, requires re-verification) * Timezone, Locale, Date/Time Formats * `allow_login` status (to enable/disable portal access) * Assigned Roles (within the team context) {/* Images */} 3. **Save Changes:** Confirm the updates. (API: `PUT` [/users/\{user}](/api-reference/spa/authentication/user-management/update-user-details)). ## Disabling User Login To prevent a Portal User from logging in while retaining their account for notifications or historical reference: 1. Edit the user's profile as described above. 2. Set the `allow_login` toggle or checkbox to **false** (disabled). 3. Save the changes. (API: `PUT` [/users/\{user}](/api-reference/spa/authentication/user-management/update-user-details)) The user will no longer be able to log in via password or SSO, but their association with teams and notification settings remain. ## Deleting / Removing Users Removing a user has different implications: * **Removing from a Team:** This revokes the user's access to *that specific team's* resources and removes their role assignments *for that team*. They remain an Altostrat user and may belong to other teams. * **UI:** Go to **Team Settings → Members**, find the user, and select "Remove". * **API:** `DELETE` [/teams/\{team}/members/\{user}](/api-reference/spa/authentication/teams/remove-team-member) (Requires `teams:remove-users` scope). * **Caution:** You typically cannot remove the Team Owner. * **Deleting User Account:** This permanently removes the user from the Altostrat SDX system. This is generally less common than removing from a team unless the user should have no access at all. * **UI:** May be available under **Settings → Users** for users not associated with critical resources. * **API:** `DELETE` [/users/\{user}](/api-reference/spa/authentication/user-management/delete-user) (Requires `user:delete` scope). * **Caution:** You cannot delete a user who is the sole owner of an Organization or Team that still has members or resources. Ownership must be transferred first. {/* Images showing the delete/remove user flow */} ## Verification Processes * **Email Verification:** Essential for Portal Users to log in. An email with a verification link is sent upon registration or email address change. Admins can trigger a resend via UI or API (`GET` [/users/\{user}/verification-notification/email](/api-reference/spa/authentication/user-management/resend-email-verification)). * **Mobile Verification:** Required if a mobile number is added and SMS notifications are desired. Ensures SMS delivery is possible. A verification link is sent via SMS upon adding/changing a number. Admins can trigger a resend via UI or API (`GET` [/users/\{user}/verification-notification/mobile](/api-reference/spa/authentication/user-management/resend-mobile-verification)). Check [Supported SMS Regions](/resources/supported-sms-regions). ## Best Practices * **Keep Team Memberships Accurate:** Regularly review who belongs to each team to ensure correct resource access. Remove users who no longer need access to a specific team's resources. * **Use Roles Effectively:** Assign roles based on job function, adhering to the principle of least privilege. Create custom roles for specific needs. * **Audit Regularly:** Periodically review all users in your organization, ensuring accounts are still needed and roles are appropriate. Disable or remove inactive/unnecessary accounts. * **Prefer Disabling over Deleting:** For users who leave temporarily or just need login access revoked, disabling (`allow_login: false`) is often preferable to deletion as it preserves history and notification settings. By effectively managing users, teams, and roles, you maintain a secure and organized Altostrat SDX environment. # Adding a MikroTik Router to Altostrat SDX Source: https://docs.altostrat.io/getting-started/adding-a-router Follow these steps to integrate your prepared MikroTik router with the Altostrat SDX platform. ## Introduction This guide details the process of integrating your prepared **MikroTik router** (configured as per the [Initial Configuration](/getting-started/initial-configuration) guide) with the **Altostrat SDX platform**. Completing these steps establishes a secure connection between your hardware and Altostrat, enabling monitoring, management, and the application of Altostrat's SDN and security services. ## Detailed Step-by-Step Integration Guide ### 1. Access the Altostrat Portal and Navigate to Sites 1. Log in to the Altostrat SDX portal at [https://sdx.altostrat.app](https://sdx.altostrat.app). 2. Navigate to the **Sites** section using the main menu. This area lists all locations/devices currently integrated with your account. {/* Images */} ### 2. Create a Site Representation in Altostrat 1. Click the **+ Add** button to create a new logical representation for your physical router or location within Altostrat SDX. Creating a "Site" in Altostrat generates a unique identifier and a container for the device's configuration, policies, logs, and monitoring data within the platform. This conceptually relates to creating a site resource via the API (e.g., `POST /site` ([API Docs](/api-reference/spa/async/sites/list-users-sites))). {/* Images */} ### 3. Initiate the Router Integration (Express Deploy) 1. Once the site is created, navigate to its overview page. Click the **Add Router** button (or similar) to start the "Express Deploy" process. 2. This workflow securely generates the necessary commands to link your physical MikroTik hardware to this logical site representation in Altostrat SDX. {/* Images */} ### 4. Select and Review Control Plane Policy 1. You may be prompted to select an initial **Control Plane Policy** for the device (or the default policy might be automatically selected). This policy governs basic management access and firewall settings. ([Learn More](/core-concepts/control-plane)). > If only the default policy exists, this step might be skipped automatically. 2. Review the settings associated with the selected Control Plane Policy that will be applied during onboarding. {/* Images */} ### 5. Accept Settings and Generate Bootstrap Command 1. Preview any initial configuration settings derived from the Control Plane policy (e.g., firewall rules, initial VPN parameters). {/* Images */} 2. Click **Accept** to confirm. This triggers the generation of a unique, secure **Bootstrap Command**. ### 6. Copy the Generated Bootstrap Command 1. Altostrat SDX will display the one-time **Bootstrap Command**. 2. **Copy this entire command** to your clipboard. It contains a secure token linking it to this specific site onboarding process. This command typically instructs the router to securely fetch an initial script from an Altostrat endpoint, using a temporary Runbook token for authentication (Conceptually related to `GET /{id}` using a `RunbookToken` ([API Docs](/api-reference/spa/async/bootstrap-&-adoption/get-bootstrap-script))). {/* Images */} ### 7. Execute the Bootstrap Command on Your MikroTik Device 1. Access your MikroTik router's command line interface (CLI) using **Winbox (New Terminal)** or **SSH**. 2. **Paste the entire Bootstrap Command** copied from the Altostrat portal into the terminal and press **Enter**. 3. **Wait** for the script to execute. This may take a few moments. **What the Bootstrap Command Does:** * Downloads initial adoption scripts from Altostrat. * Authenticates the device using the embedded secure token. * Sends device hardware/software information back to Altostrat to complete the adoption process (Conceptually related to `POST /adopt/{id}` ([API Docs](/api-reference/spa/async/bootstrap-&-adoption/adopt-device))). * Establishes the persistent, secure [Management VPN](/management/management-vpn) tunnel to Altostrat. * Installs a scheduler on the router for periodic check-ins (heartbeats) and job polling (Conceptually uses `POST /poll` ([API Docs](/api-reference/spa/async/heartbeat/receive-heartbeat-&-get-job))). {/* Images */} ![Executing the bootstrap command in MikroTik terminal](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/getting-started/adding-a-router/getting_started_adding-a-router-step7.jpg) ### 8. Confirm Router Integration and Online Status 1. Return to the **Sites** page in the Altostrat SDX portal. 2. Refresh the page after a minute or two. Verify that your newly added router is listed and its status shows as **Online**. {/* Images */} An **Online** status indicates the router successfully completed the bootstrap process, established the Management VPN, and is sending regular heartbeat signals to Altostrat. 3. **Troubleshooting**: If the router shows as **Offline** or doesn't appear: * Verify the router still has internet connectivity (Step 4 in [Initial Configuration](/getting-started/initial-configuration)). * Ensure the full bootstrap command was copied and executed correctly. * Check the Altostrat [Orchestration Logs](/management/orchestration-log) for this site for any error messages related to the adoption process. * Confirm firewall rules on intermediate networks aren't blocking the [Management VPN](/management/management-vpn) connection (TCP port 8443 outbound). *** You have now successfully integrated your MikroTik router with Altostrat SDX. The device is ready for monitoring, and you can begin applying Altostrat's network and security services, such as [Threat Feeds](/core-concepts/threat-feeds) or [WAN Failover](/management/wan-failover), through policies assigned to this site. # Captive Portal Setup Source: https://docs.altostrat.io/getting-started/captive-portal-setup Learn how to configure a Captive Portal instance and enable network-level authentication. This document outlines the **fundamentals** and a **step-by-step guide** for setting up a Captive Portal in Altostrat. You'll also learn about **custom configurations** you can apply. Before proceeding, confirm you have an [IDP Instance](/integrations/identity-providers) configured if you plan to use **OAuth 2.0** authentication (e.g., Google, Microsoft Azure). Otherwise, you won't be able to authenticate users via third-party providers. ## Step 1: Navigate to the Captive Portal Page 1. From your **Dashboard**, select **Captive Portal** (or a similarly named menu option). 2. You'll see an **Overview** or **Get Started** button to create a new Captive Portal instance. 3. Click **Get Started** (or **+ Add**). ![Placeholder: Captive Portal Overview](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/captive-portal-overview-placeholder.jpg) ## Step 2: Create Your Captive Portal Instance 1. Provide a **Name** for the instance, e.g. “Guest Wi-Fi Portal.” 2. Set the **Authentication Strategy** (currently OAuth 2.0 only). 3. Pick the **Identity Provider** you previously configured, or click **+** to create a new one. 4. Click **Next** to confirm and move to customization. If you haven't created an IDP yet, follow our [Identity Providers](/integrations/identity-providers) guide before continuing. ### Captive Portal Customization After initial setup, you'll be redirected to a **Customization** page where you can: * **Branding**: Add logos, colors, and messaging. * **Terms of Use**: Insert disclaimers or acceptable use policies for users to accept before accessing the network. * **Redirects**: Control where users land post-authentication. * **Voucher or Coupon Codes**: Issue time-limited or usage-limited codes for guests. ![Placeholder: Captive Portal Customization](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/captive-portal-customization-placeholder.jpg) ## Network Considerations 1. **Firewall Rules** Ensure your MikroTik's firewall permits traffic for the Captive Portal flow. 2. **DHCP & DNS** Confirm your router provides IP addresses and DNS resolution for guest clients. ## Step 3: Finalizing & Applying the Captive Portal After you finish customizing: 1. Click **Add** or **Save** to finalize. 2. If your router is behind NAT, verify that the required ports are open or that the [Management VPN](/management/management-vpn) is set up for behind-NAT usage. ### Testing the Captive Portal 1. Connect a **test device** (phone, laptop, etc.) to your Wi-Fi or LAN. 2. When prompted by the Captive Portal, **log in** with the IDP you configured or a local account. 3. Confirm the **authentication** process succeeds, and you're able to browse the permitted network resources. For public or guest-facing portals, regularly monitor the captive portal logs to ensure usage is within acceptable limits. If you run into issues or need advanced behavior (like custom login pages or deeper policy integration), consult additional docs on [Transient Access](/getting-started/transient-access) or [Security Essentials](/core-concepts/security-essentials). # Initial Configuration Source: https://docs.altostrat.io/getting-started/initial-configuration Prepare your MikroTik device with a clean configuration and updated firmware before integrating it with Altostrat SDX. This page guides you through the recommended **initial setup** for your MikroTik device before you integrate it with the **Altostrat SDX** platform. Performing these steps ensures your router is in a known, clean state with basic connectivity and up-to-date firmware, facilitating a smoother onboarding process to access Altostrat's services. The key preparation steps include: * Resetting the device to clear previous configurations. * Establishing a basic internet connection. * Upgrading the RouterOS firmware to the latest stable version. ## Preparing Your MikroTik Router Follow these procedures to prepare your device: ### 1. Verify Power and Boot Completion 1. **Power On**: Plug in your MikroTik router and allow 10–60 seconds for it to fully boot. 2. **Check Indicators**: Confirm the device is operational via its LCD panel, status LEDs, or boot completion sounds. ### 2. Physically Connect for Internet Access 1. **WAN Connection**: Connect an Ethernet cable from your upstream internet source (e.g., modem, switch) to the **ether1** port (or designated WAN port) on your MikroTik router. 2. **Device Connection Port**: {/* Images */} For detailed first-time connection guidance, refer to MikroTik's official documentation: [https://help.mikrotik.com/docs/spaces/ROS/pages/328151/First+Time+Configuration](https://help.mikrotik.com/docs/spaces/ROS/pages/328151/First+Time+Configuration) ### 3. Reset RouterOS to Factory Default Settings Starting with a clean configuration is highly recommended for predictable integration. Choose one method: **Option A: Reset via LCD Panel (if available)** 1. Navigate the LCD menu to find **Factory Reset** (or similar). 2. Confirm the reset, potentially entering the default PIN `1234` if prompted. The device will reboot. After reboot, it typically uses the default IP **192.168.88.1** for management access. **Option B: Reset via Winbox or CLI** 1. Connect to the router using **Winbox** ([Download from MikroTik](https://help.mikrotik.com/docs/display/ROS/WinBox)) or SSH. 2. In Winbox, go to **System → Reset Configuration**. Crucially, check the box for **No Default Configuration** and click **Reset Configuration**. 3. Alternatively, in the CLI, run the command: `/system reset-configuration no-defaults=yes skip-backup=yes` Using `no-defaults=yes` ensures the router starts completely blank, avoiding potential conflicts with Altostrat's configuration pushes during onboarding. ### 4. Establish Basic Internet Connectivity Ensure the router can reach the internet. This is necessary for firmware updates and communication with Altostrat SDX. * **Using DHCP Client on WAN (ether1)**: (Most common method if your upstream network provides DHCP) 1. In Winbox: Go to **IP → DHCP Client**. 2. Click **Add New (+)**. 3. Set **Interface** to `ether1` (or your designated WAN port). 4. Ensure **Use Peer DNS** and **Add Default Route** are enabled (these are usually the defaults). 5. Click **Apply/OK**. Verify the status shows "bound" and that the router receives a valid IP address. * **Using Static IP or PPPoE**: Configure **IP → Addresses** and **IP → Routes** (for static) or configure the **PPP** interface settings (for PPPoE) according to your Internet Service Provider's instructions. **Confirm Internet Access** Once the WAN connection is configured, verify connectivity: 1. Open a **New Terminal** in Winbox or use the CLI. 2. Run a ping test: ```bash /ping address=altostrat.io count=4 # Or ping a reliable public address /ping address=8.8.8.8 count=4 ``` 3. Successful replies (0% packet loss) indicate the router is online. If pings fail, double-check your WAN configuration (IP address, subnet mask, gateway, DNS servers). ### 5. Update RouterOS Firmware Running the latest stable firmware ensures compatibility, security, and access to the latest features needed for Altostrat SDX. 1. In Winbox, go to **System → Packages**. 2. Click the **Check For Updates** button. 3. In the window that appears, select the **stable** channel from the **Channel** dropdown menu. 4. Click **Check For Updates** again. 5. Compare the *Installed Version* shown with the *Latest Version*. If they are different, click the **Download\&Install** button. The router will **reboot automatically** after downloading and installing the firmware update. You will need to reconnect to Winbox/CLI after the reboot. 6. **Check RouterBOARD Firmware:** After the RouterOS update and reboot, it's good practice to go to **System → RouterBOARD** in Winbox. Check if the *Current Firmware* differs from the *Upgrade Firmware*. If an upgrade is available and recommended, click the **Upgrade** button and reboot the router once more when prompted. For more details on RouterOS upgrades, see MikroTik's documentation: [https://help.mikrotik.com/docs/display/ROS/Upgrading+and+installation](https://help.mikrotik.com/docs/display/ROS/Upgrading+and+installation) *** Your MikroTik router should now be reset, online, and updated, making it ready for the next step: onboarding it onto the Altostrat SDX platform. Proceed to [Adding a Router](/getting-started/adding-a-router) to integrate your prepared device with Altostrat SDX. # Introduction Source: https://docs.altostrat.io/getting-started/introduction Altostrat SDX is designed for both small networks and large-scale deployments, providing robust tools to simplify management, bolster security, and maximize uptime-using your existing, compatible hardware.