# Asynchronous job execution Source: https://docs.sdx.altostrat.io/api-reference/developers/asynchronous-api/asynchronous-job-execution sdx-api/openapi.json post /api/asynchronous/{router_id} Queues a job to run scripts or config changes on the router without waiting for real-time response. # Retrieve a list of jobs for a router Source: https://docs.sdx.altostrat.io/api-reference/developers/asynchronous-api/retrieve-a-list-of-jobs-for-a-router sdx-api/openapi.json get /api/routers/{router_id}/jobs Fetch asynchronous job history or status for a specified router. # Retrieve router faults Source: https://docs.sdx.altostrat.io/api-reference/developers/health/retrieve-router-faults sdx-api/openapi.json get /api/routers/{router_id}/faults Gets the last 100 faults for the specified router, newest first. # Retrieve router metrics Source: https://docs.sdx.altostrat.io/api-reference/developers/health/retrieve-router-metrics sdx-api/openapi.json get /api/routers/{router_id}/metrics Provides uptime/downtime metrics for the past 24 hours based on heartbeats. # Create a transient port forward Source: https://docs.sdx.altostrat.io/api-reference/developers/port-forwards/create-a-transient-port-forward sdx-api/openapi.json post /api/routers/{router_id}/transient-forwarding Establish a temporary TCP forward over the management tunnel for behind-NAT access. # Delete a transient port forward Source: https://docs.sdx.altostrat.io/api-reference/developers/port-forwards/delete-a-transient-port-forward sdx-api/openapi.json delete /api/routers/{router_id}/transient-forwarding/{id} Revokes a port forward before it naturally expires. # Retrieve a specific port forward Source: https://docs.sdx.altostrat.io/api-reference/developers/port-forwards/retrieve-a-specific-port-forward sdx-api/openapi.json get /api/routers/{router_id}/transient-forwarding/{id} Returns the details for one transient port forward by ID. # Retrieve active transient port forwards Source: https://docs.sdx.altostrat.io/api-reference/developers/port-forwards/retrieve-active-transient-port-forwards sdx-api/openapi.json get /api/routers/{router_id}/transient-forwarding List all active port forwards for a given router. # Retrieve a list of routers Source: https://docs.sdx.altostrat.io/api-reference/developers/sites/retrieve-a-list-of-routers sdx-api/openapi.json get /api/routers Returns a list of MikroTik routers belonging to the team associated with the bearer token. # Retrieve OEM information Source: https://docs.sdx.altostrat.io/api-reference/developers/sites/retrieve-oem-information sdx-api/openapi.json get /api/routers/{router_id}/oem Provides manufacturer data (model, CPU, OS license, etc.) for a given router. # Retrieve router metadata Source: https://docs.sdx.altostrat.io/api-reference/developers/sites/retrieve-router-metadata sdx-api/openapi.json get /api/routers/{router_id}/metadata Gets freeform metadata (like name, timezone, banner, etc.) for a specific router. # Synchronous MikroTik command execution Source: https://docs.sdx.altostrat.io/api-reference/developers/synchronous-api/synchronous-mikrotik-command-execution sdx-api/openapi.json post /api/synchronous/{router_id} Real-time RouterOS commands for read or quick ops (not recommended for major config changes). # Adopt a site via runbook token (RouterOS device handshake) Source: https://docs.sdx.altostrat.io/api-reference/spa/async/device-adoption/adopt-a-site-via-runbook-token-routeros-device-handshake sdx-api/spa/mikrotik.json post /adopt/{id} Used by new devices to adopt themselves into the system, returning a script that installs scheduler, backups, etc. Uses `heartbeat` + `runbook` middleware. The {id} is a base62-encoded UUID token for the runbook/policy. # Retrieve the initial bootstrap script Source: https://docs.sdx.altostrat.io/api-reference/spa/async/device-adoption/retrieve-the-initial-bootstrap-script sdx-api/spa/mikrotik.json get /{id} Displays the main bootstrap code for a new device. Typically includes logic for installing a future poll route, etc. Uses `bootstrap` + `runbook` middleware. The {id} is a base62-encoded runbook token. # Send heartbeat from device Source: https://docs.sdx.altostrat.io/api-reference/spa/async/heartbeat/send-heartbeat-from-device sdx-api/spa/mikrotik.json post /poll Devices post heartbeat (status) data here. Subject to the `site-auth` middleware, which authenticates via Bearer token that decrypts to a Site model. This route is heavily used by MikroTik scripts. # Count sites for multiple customers (internal) Source: https://docs.sdx.altostrat.io/api-reference/spa/async/internal/count-sites-for-multiple-customers-internal sdx-api/spa/mikrotik.json post /site/internal-count Accepts an array of customer UUIDs and returns a site count grouping. For internal usage only. # Fetch all sites (detailed) for a given customer (internal) Source: https://docs.sdx.altostrat.io/api-reference/spa/async/internal/fetch-all-sites-detailed-for-a-given-customer-internal sdx-api/spa/mikrotik.json get /site/internal/{customer_id} Internal route to return all site data for a given customer in a non-minimal format. Protected by `internal` middleware. # Fetch minimal site data for a given customer (internal) Source: https://docs.sdx.altostrat.io/api-reference/spa/async/internal/fetch-minimal-site-data-for-a-given-customer-internal sdx-api/spa/mikrotik.json get /site/internal/lite/{customer_id} Returns only site IDs (and maybe minimal fields) for a given customer. Protected by `internal` middleware. # List online sites (internal route) Source: https://docs.sdx.altostrat.io/api-reference/spa/async/internal/list-online-sites-internal-route sdx-api/spa/mikrotik.json get /site/internal/online Returns a list of site IDs that have `has_pulse = 1`. For internal use, no customer scoping enforced here except the 'internal' usage may be missing or implied. # Create a new job for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/async/job-management/create-a-new-job-for-a-site sdx-api/spa/mikrotik.json post /site/{site}/job Queues up a job (script) to run on the device. Requires `job:create` scope. The job is triggered whenever the device polls next. # Delete a pending job Source: https://docs.sdx.altostrat.io/api-reference/spa/async/job-management/delete-a-pending-job sdx-api/spa/mikrotik.json delete /site/{site}/job/{job} Removes a job if it has not started yet. Requires `job:delete` scope. If job has started, returns error 429 or similar. # List jobs for a given site Source: https://docs.sdx.altostrat.io/api-reference/spa/async/job-management/list-jobs-for-a-given-site sdx-api/spa/mikrotik.json get /site/{site}/job Returns a site’s job queue. Excludes certain ephemeral jobs. Requires `job:view` scope. # Show a job on a specific site Source: https://docs.sdx.altostrat.io/api-reference/spa/async/job-management/show-a-job-on-a-specific-site sdx-api/spa/mikrotik.json get /site/{site}/job/{job} View a single job’s details. Requires `job:view` scope. # Update a job status (done/fail/busy) Source: https://docs.sdx.altostrat.io/api-reference/spa/async/job-management/update-a-job-status-donefailbusy sdx-api/spa/mikrotik.json put /job/{job} Typically called by devices to mark a job as started (busy), completed (done), or failed (fail). Only available via `notify` middleware for polling scripts. # Get runbook details (bootstrap script info) Source: https://docs.sdx.altostrat.io/api-reference/spa/async/runbook/get-runbook-details-bootstrap-script-info sdx-api/spa/mikrotik.json get /runbook/{id} Fetch details about a runbook/policy. Part of an internal or authenticated route. The ID is a simple UUID, not base62. # Notify about scheduler deletion Source: https://docs.sdx.altostrat.io/api-reference/spa/async/scheduler/notify-about-scheduler-deletion sdx-api/spa/mikrotik.json get /notify/delete A GET route that the MikroTik device calls to notify that the bootstrap scheduler is being removed from the device. Under `delete` middleware. If a site was pending delete, this might finalize it. # SFTP config fetch route Source: https://docs.sdx.altostrat.io/api-reference/spa/async/sftpbackup/sftp-config-fetch-route sdx-api/spa/mikrotik.json get /servers/{siteId}/users/{username}/config Used to handle SFTP credentials for backups. The `username` is typically the site’s ID; the `Password` header is checked by the controller. # Delete a site Source: https://docs.sdx.altostrat.io/api-reference/spa/async/site-management/delete-a-site sdx-api/spa/mikrotik.json delete /site/{site} Triggers site deletion flow, which may queue jobs to remove from system, remove scheduler, etc. Requires `site:delete` scope. # Get minimal version info for a single site Source: https://docs.sdx.altostrat.io/api-reference/spa/async/site-management/get-minimal-version-info-for-a-single-site sdx-api/spa/mikrotik.json get /site-version/{site} Returns basic data about the site’s board model, software version, etc. Uses the model binding for {site}. # List all sites Source: https://docs.sdx.altostrat.io/api-reference/spa/async/site-management/list-all-sites sdx-api/spa/mikrotik.json get /site Authenticated route returning a full site listing. Filters out sites with `delete_completed_at`. Requires scope `site:view`. # List minimal site data for authenticated user Source: https://docs.sdx.altostrat.io/api-reference/spa/async/site-management/list-minimal-site-data-for-authenticated-user sdx-api/spa/mikrotik.json get /site-minimal Returns site ID, name, and `has_pulse`. Possibly cached for 60 minutes. Requires `site:view` scope. # List recently accessed sites Source: https://docs.sdx.altostrat.io/api-reference/spa/async/site-management/list-recently-accessed-sites sdx-api/spa/mikrotik.json get /site/recent Returns up to 5 recent sites for the authenticated user. Filtered by ownership. Also uses heartbeat cache to determine last-seen info. # Manually create a site Source: https://docs.sdx.altostrat.io/api-reference/spa/async/site-management/manually-create-a-site sdx-api/spa/mikrotik.json post /site/manual/create Bypasses the adopt flow, simply creating a site with the given ID, name, runbook, etc. Used for manual input. Possibly restricted or internal use only. # Returns past 24h missed heartbeat data for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/async/site-management/returns-past-24h-missed-heartbeat-data-for-a-site sdx-api/spa/mikrotik.json get /site/mikrotik-stats/{site} Computes how many checkins were expected vs. actual in the last 24h, grouping by hour. Returns % missed and total downtime. Requires `site:view` scope. # Show one site’s detail Source: https://docs.sdx.altostrat.io/api-reference/spa/async/site-management/show-one-site’s-detail sdx-api/spa/mikrotik.json get /site/{site} Returns extended site details with siteInfo, may also store the site in user’s recent sites. Requires `site:view`. # Update site fields (name, lat/lng, address, etc.) Source: https://docs.sdx.altostrat.io/api-reference/spa/async/site-management/update-site-fields-name-latlng-address-etc sdx-api/spa/mikrotik.json patch /site/{site} Allows partial updates to a site’s metadata. Requires `site:update`. # List backups for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/backups/site-backups/list-backups-for-a-site sdx-api/spa/backups.json get /{site}/ Retrieves an array of available RouterOS backups for the specified site. Requires `backup:view` scope. # Request a new backup for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/backups/site-backups/request-a-new-backup-for-a-site sdx-api/spa/backups.json post /{site}/ Enqueues a backup request for the specified site. Requires `backup:create` scope. # Retrieve a specific backup file Source: https://docs.sdx.altostrat.io/api-reference/spa/backups/site-backups/retrieve-a-specific-backup-file sdx-api/spa/backups.json get /{site}/{file} Shows the contents of the specified backup file. By default returns JSON with parsed metadata. If header `X-Download` is set, it downloads raw data. If `x-highlight` is set, highlights syntax. If `x-view` is set, returns raw text in `text/plain`. Requires `backup:view` scope. # Retrieve subnets from latest backup Source: https://docs.sdx.altostrat.io/api-reference/spa/backups/site-backups/retrieve-subnets-from-latest-backup sdx-api/spa/backups.json get /{site}/subnets Parses the most recent backup for the specified site, returning discovered local subnets. Requires `backup:view` scope. # Show diff between two backup files Source: https://docs.sdx.altostrat.io/api-reference/spa/backups/site-backups/show-diff-between-two-backup-files sdx-api/spa/backups.json get /{site}/{from}/{to} Returns a unified diff between two backup files. By default returns the diff as `text/plain`. If `X-Download` header is set, you can download it as a file. If `x-highlight` is set, it highlights the diff in a textual format. Requires `backup:view` scope. # Attach a BGP Policy to a Site Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/bgp/attach-a-bgp-policy-to-a-site sdx-api/spa/bgp-dns-filter.json post /bgp/{site_id} # Create a new BGP feed policy Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/bgp/create-a-new-bgp-feed-policy sdx-api/spa/bgp-dns-filter.json post /bgp/policy # Delete a BGP feed policy Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/bgp/delete-a-bgp-feed-policy sdx-api/spa/bgp-dns-filter.json delete /bgp/policy/{id} # Detach BGP Policy from a Site Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/bgp/detach-bgp-policy-from-a-site sdx-api/spa/bgp-dns-filter.json delete /bgp/{site_id} # Get BGP-based service counts Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/bgp/get-bgp-based-service-counts sdx-api/spa/bgp-dns-filter.json get /bgp/service-counts # List all BGP feed policies Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/bgp/list-all-bgp-feed-policies sdx-api/spa/bgp-dns-filter.json get /bgp/policy # List available IP lists for BGP feed Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/bgp/list-available-ip-lists-for-bgp-feed sdx-api/spa/bgp-dns-filter.json get /bgp/category # Retrieve a BGP feed policy Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/bgp/retrieve-a-bgp-feed-policy sdx-api/spa/bgp-dns-filter.json get /bgp/policy/{id} # Update a BGP feed policy Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/bgp/update-a-bgp-feed-policy sdx-api/spa/bgp-dns-filter.json put /bgp/policy/{id} # List all safe-search configuration entries Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/categories/list-all-safe-search-configuration-entries sdx-api/spa/bgp-dns-filter.json get /category/safe_search # List categories (and top applications) Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/categories/list-categories-and-top-applications sdx-api/spa/bgp-dns-filter.json get /category # Get aggregated service usage for all customers Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/misc/get-aggregated-service-usage-for-all-customers sdx-api/spa/bgp-dns-filter.json get /all-customer-services # Get service usage for a single customer Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/misc/get-service-usage-for-a-single-customer sdx-api/spa/bgp-dns-filter.json get /customer-services/{customer_id} # Retrieve all blackhole IP addresses for BGP blackholes Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/misc/retrieve-all-blackhole-ip-addresses-for-bgp-blackholes sdx-api/spa/bgp-dns-filter.json get /dnr-blackhole-ips # Retrieve all blackhole IP addresses for known applications Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/misc/retrieve-all-blackhole-ip-addresses-for-known-applications sdx-api/spa/bgp-dns-filter.json get /blackhole-ips # Create a new DNS policy Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/policies/create-a-new-dns-policy sdx-api/spa/bgp-dns-filter.json post /policy # Delete an existing DNS policy Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/policies/delete-an-existing-dns-policy sdx-api/spa/bgp-dns-filter.json delete /policy/{id} # List all DNS content-filtering policies Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/policies/list-all-dns-content-filtering-policies sdx-api/spa/bgp-dns-filter.json get /policy # Retrieve a specific DNS policy by ID Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/policies/retrieve-a-specific-dns-policy-by-id sdx-api/spa/bgp-dns-filter.json get /policy/{id} # Update an existing DNS policy Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/policies/update-an-existing-dns-policy sdx-api/spa/bgp-dns-filter.json put /policy/{id} # Attach a DNS Policy to a Site Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels/attach-a-dns-policy-to-a-site sdx-api/spa/bgp-dns-filter.json post /dns/{site_id} # Detach DNS Policy from a Site Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels/detach-dns-policy-from-a-site sdx-api/spa/bgp-dns-filter.json delete /dns/{site_id} # Get DNS-based service counts Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels/get-dns-based-service-counts sdx-api/spa/bgp-dns-filter.json get /service-counts # List all tunnels Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels/list-all-tunnels sdx-api/spa/bgp-dns-filter.json get /tunnel # Retrieve a specific tunnel by ID Source: https://docs.sdx.altostrat.io/api-reference/spa/bgp-dns-filter/tunnels/retrieve-a-specific-tunnel-by-id sdx-api/spa/bgp-dns-filter.json get /tunnel/{id} # Create a new Auth Integration Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/idp-integrations/create-a-new-auth-integration sdx-api/spa/captive-portal.json post /auth-integrations # Delete a specific Auth Integration Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/idp-integrations/delete-a-specific-auth-integration sdx-api/spa/captive-portal.json delete /auth-integrations/{auth_integration} # List all IDP Integrations Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/idp-integrations/list-all-idp-integrations sdx-api/spa/captive-portal.json get /auth-integrations # Partially update a specific Auth Integration Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/idp-integrations/partially-update-a-specific-auth-integration sdx-api/spa/captive-portal.json patch /auth-integrations/{auth_integration} # Replace a specific Auth Integration Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/idp-integrations/replace-a-specific-auth-integration sdx-api/spa/captive-portal.json put /auth-integrations/{auth_integration} # Retrieve a specific Auth Integration Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/idp-integrations/retrieve-a-specific-auth-integration sdx-api/spa/captive-portal.json get /auth-integrations/{auth_integration} # Create a new captive portal Instance Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/instances/create-a-new-captive-portal-instance sdx-api/spa/captive-portal.json post /instances # Delete a specific captive portal Instance Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/instances/delete-a-specific-captive-portal-instance sdx-api/spa/captive-portal.json delete /instances/{instance} # List all captive portal Instances Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/instances/list-all-captive-portal-instances sdx-api/spa/captive-portal.json get /instances # Partially update a specific captive portal Instance Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/instances/partially-update-a-specific-captive-portal-instance sdx-api/spa/captive-portal.json patch /instances/{instance} # Replace a specific captive portal Instance Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/instances/replace-a-specific-captive-portal-instance sdx-api/spa/captive-portal.json put /instances/{instance} # Retrieve a specific captive portal Instance Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/instances/retrieve-a-specific-captive-portal-instance sdx-api/spa/captive-portal.json get /instances/{instance} # Upload an image (logo or icon) for a specific Instance Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/instances/upload-an-image-logo-or-icon-for-a-specific-instance sdx-api/spa/captive-portal.json post /instances/{instance}/images/{type} # Create a new walled garden entry for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/walled-garden/create-a-new-walled-garden-entry-for-a-site sdx-api/spa/captive-portal.json post /walled-garden/{site} # Delete a specific walled garden entry under a site Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/walled-garden/delete-a-specific-walled-garden-entry-under-a-site sdx-api/spa/captive-portal.json delete /walled-garden/{site}/{walledGarden} # List all walled garden entries for a specific site Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/walled-garden/list-all-walled-garden-entries-for-a-specific-site sdx-api/spa/captive-portal.json get /walled-garden/{site} # Partially update a specific walled garden entry under a site Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/walled-garden/partially-update-a-specific-walled-garden-entry-under-a-site sdx-api/spa/captive-portal.json patch /walled-garden/{site}/{walledGarden} # Replace a specific walled garden entry under a site Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/walled-garden/replace-a-specific-walled-garden-entry-under-a-site sdx-api/spa/captive-portal.json put /walled-garden/{site}/{walledGarden} # Retrieve a specific walled garden entry under a site Source: https://docs.sdx.altostrat.io/api-reference/spa/captive-portal/walled-garden/retrieve-a-specific-walled-garden-entry-under-a-site sdx-api/spa/captive-portal.json get /walled-garden/{site}/{walledGarden} # Server check-in for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/checkin/server-check-in-for-a-site sdx-api/spa/control-plane.json post /site-checkin Called by a server to claim or update itself as the active server for a particular site (via the tunnel username). # Create (rotate) new credentials Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/credentials/create-rotate-new-credentials sdx-api/spa/control-plane.json post /{site}/credentials Generates a new username/password pair for the site, deletes any older credentials. Requires `apicredentials:create` scope. # List site API credentials Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/credentials/list-site-api-credentials sdx-api/spa/control-plane.json get /{site}/credentials Returns the API credentials used to connect to a site. Requires `apicredentials:view` scope. # (Internal) Fetch management IPs for multiple sites Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/internal/internal-fetch-management-ips-for-multiple-sites sdx-api/spa/control-plane.json post /internal/management-ips Given an array of site IDs, returns a map of site_id => management IP (tunnel IP). # (Internal) Get site credentials Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/internal/internal-get-site-credentials sdx-api/spa/control-plane.json get /{site}/internal-credentials Returns the latest credentials for the specified site, typically used by internal services. Not user-facing. # Assign sites to a policy Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/policies/assign-sites-to-a-policy sdx-api/spa/control-plane.json post /policies/{id}/sites Sets or moves multiple site IDs onto the given policy. Requires `cpf:create` or `cpf:update` scope. # Create a policy Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/policies/create-a-policy sdx-api/spa/control-plane.json post /policies Creates a new policy for the authenticated user. Requires `cpf:create` scope. # Delete a policy Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/policies/delete-a-policy sdx-api/spa/control-plane.json delete /policies/{id} Removes a policy if it is not the default policy. Sites that used this policy get moved to the default policy. Requires `cpf:delete` scope. # List policies Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/policies/list-policies sdx-api/spa/control-plane.json get /policies Retrieves all policies for the authenticated user. Requires `cpf:view` scope. # Show a single policy Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/policies/show-a-single-policy sdx-api/spa/control-plane.json get /policies/{id} Retrieves details of the specified policy, including related sites. Requires `cpf:view` scope. # Update a policy Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/policies/update-a-policy sdx-api/spa/control-plane.json put /policies/{id} Update the specified policy. Sites not in the request may revert to a default policy. Requires `cpf:update` scope. # Validate a policy Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/policies/validate-a-policy sdx-api/spa/control-plane.json get /policy-validate/{policy} Check basic policy details to ensure it's valid. # Execute commands on a site (internal sync) Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/router-commands/execute-commands-on-a-site-internal-sync sdx-api/spa/control-plane.json post /{site}/sync/execute Sends an execution script or command to the management server for the site. Similar to /sync but specifically for custom script execution. # Print or run commands on a site (internal sync) Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/router-commands/print-or-run-commands-on-a-site-internal-sync sdx-api/spa/control-plane.json post /{site}/sync Send an API command to the management server to print or list resources on the router, or run a custom command. # Re-send bootstrap scheduler script Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/scheduler/re-send-bootstrap-scheduler-script sdx-api/spa/control-plane.json post /{site}/resend-scheduler Forces re-sending of a scheduled script or runbook to the router. Often used if the script fails to be applied the first time. # Check the management server assigned to a site Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/sites/check-the-management-server-assigned-to-a-site sdx-api/spa/control-plane.json get /{site}/management-server Returns the IP/hostname of the server currently managing the site. Requires authentication. # Create a new Site Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/sites/create-a-new-site sdx-api/spa/control-plane.json post /site/create Creates a new site resource with the specified ID, policy, and other information. # Create site for migration Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/sites/create-site-for-migration sdx-api/spa/control-plane.json post /site/create-for-migration Creates a Site for system migrations, then runs additional background jobs (tunnel assignment, credentials creation, policy update). # List all site IDs Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/sites/list-all-site-ids sdx-api/spa/control-plane.json get /site_ids Returns minimal site data for every site in the system (ID and tunnel IP). # List site IDs by Customer Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/sites/list-site-ids-by-customer sdx-api/spa/control-plane.json get /site_ids/{customerid} Returns a minimal array of sites for a given customer, including the assigned tunnel IP if available. # Perform a site action Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/sites/perform-a-site-action sdx-api/spa/control-plane.json post /{site}/action Sends an SNS-based request to the router for various special actions (reboot, clear firewall, etc.). # Retrieve site note Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/sites/retrieve-site-note sdx-api/spa/control-plane.json get /{site}/note Fetch current note from an external metadata microservice. Requires authentication and site ownership. # Set site note Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/sites/set-site-note sdx-api/spa/control-plane.json post /{site}/note Update or create site metadata with a 'note' field, stored in an external metadata microservice. # Create a transient access for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/transient-access/create-a-transient-access-for-a-site sdx-api/spa/control-plane.json post /{site}/transient-accesses Generates a temporary NAT access to Winbox/SSH. Requires `transientaccess:create` scope. # List active transient accesses for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/transient-access/list-active-transient-accesses-for-a-site sdx-api/spa/control-plane.json get /{site}/transient-accesses Returns all unexpired, unrevoked transient access records for the site. Requires `transientaccess:view` scope. # Revoke a transient access Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/transient-access/revoke-a-transient-access sdx-api/spa/control-plane.json delete /{site}/transient-accesses/{id} Marks it as expired/revoked and triggers config removal. Requires `transientaccess:delete` scope. # Show one transient access Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/transient-access/show-one-transient-access sdx-api/spa/control-plane.json get /{site}/transient-accesses/{id} Returns a single transient access record. Requires `transientaccess:view` scope. # Create a transient port-forward Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/transient-forward/create-a-transient-port-forward sdx-api/spa/control-plane.json post /{site}/transient-forward Creates a short-lived NAT forwarding rule to a destination IP/port behind the router. # List site transient port forwards Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/transient-forward/list-site-transient-port-forwards sdx-api/spa/control-plane.json get /{site}/transient-forward Returns all active NAT port-forwards for a site. Not access-limited, but presumably requires a certain scope. # Revoke a transient port-forward Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/transient-forward/revoke-a-transient-port-forward sdx-api/spa/control-plane.json delete /{site}/transient-forward/{id} Marks the port-forward as expired and removes the NAT rule from the management server. # Show one transient port-forward Source: https://docs.sdx.altostrat.io/api-reference/spa/cpf/transient-forward/show-one-transient-port-forward sdx-api/spa/control-plane.json get /{site}/transient-forward/{id} Returns details about a specific transient port-forward rule by ID. # Create a new scan schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/cve/scan-schedules/create-a-new-scan-schedule sdx-api/spa/cve-scans.json post /scheduled Creates a new schedule for CVE scans on specified sites. Requires `cve:create` scope or similar. # Delete a scan schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/cve/scan-schedules/delete-a-scan-schedule sdx-api/spa/cve-scans.json delete /scheduled/{scanSchedule} Requires `cve:delete` scope or similar. # Get scan status for a schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/cve/scan-schedules/get-scan-status-for-a-schedule sdx-api/spa/cve-scans.json get /{scanSchedule}/status Returns partial data about the schedule's latest scan in progress or completed. Requires `cve:view` scope. # List all scan schedules Source: https://docs.sdx.altostrat.io/api-reference/spa/cve/scan-schedules/list-all-scan-schedules sdx-api/spa/cve-scans.json get /scheduled Returns all the scan schedules belonging to the authenticated user. Requires `cve:view` scope or similar. # Show details for a single scan schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/cve/scan-schedules/show-details-for-a-single-scan-schedule sdx-api/spa/cve-scans.json get /scheduled/{scanSchedule} Requires `cve:view` scope or similar. # Start a scan for a schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/cve/scan-schedules/start-a-scan-for-a-schedule sdx-api/spa/cve-scans.json get /scheduled/{scanSchedule}/invoke Manually invokes a scan for this schedule. Sets schedule status to 'starting'. Requires `cve:update` or similar. # Stop a scan for a schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/cve/scan-schedules/stop-a-scan-for-a-schedule sdx-api/spa/cve-scans.json delete /scheduled/{scanSchedule}/invoke Stops any active site scans for this schedule. Sets schedule status to 'stopping'. Requires `cve:update` or similar. # Update a scan schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/cve/scan-schedules/update-a-scan-schedule sdx-api/spa/cve-scans.json put /scheduled/{scanSchedule} Requires `cve:update` scope or similar. # List CVE Scans Source: https://docs.sdx.altostrat.io/api-reference/spa/cve/scans/list-cve-scans sdx-api/spa/cve-scans.json get / Lists all scans for the authenticated user. Requires `cve:view` scope. # Show a single CVE scan Source: https://docs.sdx.altostrat.io/api-reference/spa/cve/scans/show-a-single-cve-scan sdx-api/spa/cve-scans.json get /{scan_id} Returns details about the specified scan. Requires `cve:view` scope. # Alias for listing recent or ongoing faults Source: https://docs.sdx.altostrat.io/api-reference/spa/faults/faults/alias-for-listing-recent-or-ongoing-faults sdx-api/spa/faults.json get / Identical to `GET /recent`. **Requires** `fault:view` scope. # Generate a new short-lived fault token Source: https://docs.sdx.altostrat.io/api-reference/spa/faults/faults/generate-a-new-short-lived-fault-token sdx-api/spa/faults.json post /token Creates a token that can be used to retrieve unresolved or recently resolved faults without requiring ongoing authentication. **Requires** `fault:create` or possibly `fault:view` (depending on usage). # List all faults for a given site ID Source: https://docs.sdx.altostrat.io/api-reference/spa/faults/faults/list-all-faults-for-a-given-site-id sdx-api/spa/faults.json get /site/{site} Returns all faults recorded for a particular site. **Requires** `fault:view` scope. # List recent or ongoing faults Source: https://docs.sdx.altostrat.io/api-reference/spa/faults/faults/list-recent-or-ongoing-faults sdx-api/spa/faults.json get /recent **Requires** `fault:view` scope. Returns a paginated list of faults filtered by query parameters, typically those unresolved or resolved within the last 10 minutes if `status=recent` is used. For more flexible filtering see query parameters below. # List top 10 WAN faults in last 14 days Source: https://docs.sdx.altostrat.io/api-reference/spa/faults/faults/list-top-10-wan-faults-in-last-14-days sdx-api/spa/faults.json get /top10wan Retrieves the top 10 most active WAN tunnel (type=wantunnel) faults in the last 14 days. **Requires** `fault:view` scope. # Retrieve currently active (unresolved) faults via internal token Source: https://docs.sdx.altostrat.io/api-reference/spa/faults/faults/retrieve-currently-active-unresolved-faults-via-internal-token sdx-api/spa/faults.json post /fault/internal_active Available only via internal API token. Expects `type` in the request body (e.g. `site` or `wantunnel`) and returns all unresolved faults of that type. # Retrieve faults using short-lived token Source: https://docs.sdx.altostrat.io/api-reference/spa/faults/faults/retrieve-faults-using-short-lived-token sdx-api/spa/faults.json get /fault/token/{token} Retrieves a set of unresolved or recently resolved faults for the customer associated with the given short-lived token. No other authentication needed. **Public** endpoint, token-based. # Retrieve internal fault timeline for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/faults/faults/retrieve-internal-fault-timeline-for-a-site sdx-api/spa/faults.json post /fault/internal Available only via internal API token (`internal` middleware). Typically used for analyzing fault timelines. Requires fields `start`, `end`, `type`, and `site_id` in the request body. # Filter and retrieve log events Source: https://docs.sdx.altostrat.io/api-reference/spa/logs/log-events/filter-and-retrieve-log-events sdx-api/spa/logs.json post /{log_group_name} Returns filtered log events from CloudWatch for the requested log group and streams. Requires `logs:view` scope. # Global ARP search across user’s sites Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/arp/global-arp-search-across-user’s-sites sdx-api/spa/metrics.json post /arps Search ARP data across multiple sites belonging to the current user. Requires `inventory:view` scope. # (Internal) ARP entries for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/arp/internal-arp-entries-for-a-site sdx-api/spa/metrics.json get /internal/arp/{site} Returns ARP data for the site, or 204 if none exist. No Bearer token needed, presumably uses internal token. # List ARP entries for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/arp/list-arp-entries-for-a-site sdx-api/spa/metrics.json post /arps/{site} Lists ARP entries for the specified site with optional pagination. Requires `inventory:view` scope. # Update an ARP entry Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/arp/update-an-arp-entry sdx-api/spa/metrics.json put /arps/{site}/{arpEntry} Allows updating group/alias for an ARP entry. Requires `inventory:update` scope. # Get BGP usage/logs from last ~2 days Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/content/get-bgp-usagelogs-from-last-~2-days sdx-api/spa/metrics.json get /bgp-report/{site} Generates a BGP usage report for the site (TCP/UDP traffic captured). Possibly uses blackhole IP analysis. Requires `site` middleware. # Get DNS usage/logs from last ~2 days Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/content/get-dns-usagelogs-from-last-~2-days sdx-api/spa/metrics.json get /dns-report/{site} Returns top categories, apps, source IPs from DNS logs. Possibly uses blackhole IP analysis. Requires `site` middleware. # Get SNMP interface metrics Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/interfaces/get-snmp-interface-metrics sdx-api/spa/metrics.json post /interfaces/{interface}/metrics Returns detailed interface metric data within a specified date range. Requires `site` and `interface` resolution plus relevant scopes. # (Internal) List site interfaces Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/interfaces/internal-list-site-interfaces sdx-api/spa/metrics.json get /internal/interfaces/{site} Same as /interfaces/{site}, but for internal use. # (Internal) Summarized interface metrics Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/interfaces/internal-summarized-interface-metrics sdx-api/spa/metrics.json post /internal/interfaces/{interface}/metrics Calculates average and max in/out in MBps or similar for the date range. Possibly used by other microservices. # List SNMP interfaces for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/interfaces/list-snmp-interfaces-for-a-site sdx-api/spa/metrics.json get /interfaces/{site} Returns all known SNMP interfaces on a site. Requires `site` middleware. # Get 24h heartbeat or check-in data for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/mikrotikstats/get-24h-heartbeat-or-check-in-data-for-a-site sdx-api/spa/metrics.json get /mikrotik-stats/{site} Returns info about missed heartbeats from mikrotik checkins within the last 24 hours. Requires `site` middleware. # Get last checkin time for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/mikrotikstats/get-last-checkin-time-for-a-site sdx-api/spa/metrics.json get /last-seen/{site} Returns how long ago the last MikrotikStats record was inserted. Requires `site` middleware. # Get raw Mikrotik stats from the last 8 hours Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/mikrotikstats/get-raw-mikrotik-stats-from-the-last-8-hours sdx-api/spa/metrics.json get /mikrotik-stats-all/{site} Returns stats such as CPU load, memory for the last 8 hours. Requires `site` middleware. # List syslog entries for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/syslog/list-syslog-entries-for-a-site sdx-api/spa/metrics.json get /syslogs/{site} Returns syslog data for a given site. Requires 'site' middleware and typically `inventory:view` scope or similar. # Get ping stats for a WAN tunnel Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/tunnels/get-ping-stats-for-a-wan-tunnel sdx-api/spa/metrics.json post /wan-tunnels/{tunnel}/ping-stats Retrieves a time-series of ping metrics for the specified WAN tunnel. Requires 'tunnel' middleware, plus date range input. # Get tunnels ordered by average jitter or packet loss Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/tunnels/get-tunnels-ordered-by-average-jitter-or-packet-loss sdx-api/spa/metrics.json get /tunnel-order Aggregates last 24h data from ping_stats and returns an array sorted by either 'mdev' or 'packet_loss'. Typically used to see worst/best tunnels. Requires user’s WAN data scope. # (Internal) List WAN Tunnels for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/tunnels/internal-list-wan-tunnels-for-a-site sdx-api/spa/metrics.json get /wan-tunnels-int/{site} Similar to /wan-tunnels/{site}, but does not require Bearer. Possibly uses an internal token or no auth. Returns 200 or 204 if no tunnels found. # (Internal) Retrieve summarized ping stats for a tunnel Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/tunnels/internal-retrieve-summarized-ping-stats-for-a-tunnel sdx-api/spa/metrics.json post /wan-tunnels/{tunnel}/int-ping-stats Given a site and tunnel, returns average or max stats in the date range. Possibly used by internal microservices. # List WAN tunnels for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/tunnels/list-wan-tunnels-for-a-site sdx-api/spa/metrics.json get /wan-tunnels/{site} Returns all WAN Tunnels associated with that site ID. Requires `site` middleware. # Multi-tunnel or aggregated ping stats Source: https://docs.sdx.altostrat.io/api-reference/spa/metrics/tunnels/multi-tunnel-or-aggregated-ping-stats sdx-api/spa/metrics.json post /wan/ping-stats Retrieves a chart-friendly data series for one or multiple tunnels. Possibly used by a front-end chart. This is a single endpoint returning timestamps and data arrays. Requires date range, optional tunnel list. # Create a new notification group Source: https://docs.sdx.altostrat.io/api-reference/spa/notifications/groups/create-a-new-notification-group sdx-api/spa/notifications.json post / Creates a group with name, schedule, topics, recipients, and sites. Requires `notification:create` scope. # Delete a notification group Source: https://docs.sdx.altostrat.io/api-reference/spa/notifications/groups/delete-a-notification-group sdx-api/spa/notifications.json delete /{group} Removes the group, its recipients, site relationships, and topic references. Requires `notification:delete` scope. # Example Ably webhook endpoint Source: https://docs.sdx.altostrat.io/api-reference/spa/notifications/groups/example-ably-webhook-endpoint sdx-api/spa/notifications.json get /notifications/ably/hook Used for testing. Returns request data. Does not require user scope. # List all notification groups for the customer Source: https://docs.sdx.altostrat.io/api-reference/spa/notifications/groups/list-all-notification-groups-for-the-customer sdx-api/spa/notifications.json get / Retrieves all groups belonging to the authenticated customer. Requires `notification:view` scope. # Show a specific notification group Source: https://docs.sdx.altostrat.io/api-reference/spa/notifications/groups/show-a-specific-notification-group sdx-api/spa/notifications.json get /{group} Retrieve the detail of one group by ID. Requires `notification:view` scope. # Update a notification group Source: https://docs.sdx.altostrat.io/api-reference/spa/notifications/groups/update-a-notification-group sdx-api/spa/notifications.json put /{group} Update name, schedule, recipients, and other properties. Requires `notification:update` scope. # List all topics Source: https://docs.sdx.altostrat.io/api-reference/spa/notifications/topics/list-all-topics sdx-api/spa/notifications.json get /topics Returns all possible topics that can be attached to a notification group. # Delete a generated SLA report Source: https://docs.sdx.altostrat.io/api-reference/spa/reports/sla-reports/delete-a-generated-sla-report sdx-api/spa/reports.json delete /sla/reports/{id} Deletes the JSON data object from S3 (and presumably the PDF). Requires `sla:run` scope. # List generated SLA reports Source: https://docs.sdx.altostrat.io/api-reference/spa/reports/sla-reports/list-generated-sla-reports sdx-api/spa/reports.json get /sla/reports Lists recent SLA JSON results objects in S3 for the user. Requires `sla:run` scope to view generated reports. # Create a new SLA schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/reports/sla-schedules/create-a-new-sla-schedule sdx-api/spa/reports.json post /sla/schedules Creates a new SLA report schedule object in DynamoDB and sets up CloudWatch event rules (daily/weekly/monthly). Requires `sla:create` scope. # Delete an SLA schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/reports/sla-schedules/delete-an-sla-schedule sdx-api/spa/reports.json delete /sla/schedules/{id} Deletes a single SLA schedule from DynamoDB and removes CloudWatch events. Requires `sla:delete` scope. # Get a single SLA schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/reports/sla-schedules/get-a-single-sla-schedule sdx-api/spa/reports.json get /sla/schedules/{id} Retrieves a single SLA schedule by UUID from DynamoDB. Requires `sla:view` scope. # List all SLA schedules Source: https://docs.sdx.altostrat.io/api-reference/spa/reports/sla-schedules/list-all-sla-schedules sdx-api/spa/reports.json get /sla/schedules Fetches SLA reporting schedules from DynamoDB for the authenticated user. Requires `sla:view` scope. # Manually run an SLA schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/reports/sla-schedules/manually-run-an-sla-schedule sdx-api/spa/reports.json post /sla/schedules/{id}/run Triggers a single SLA schedule to run now, with specified date range. Requires `sla:run` scope. This is done by posting `from_date` and `to_date` in the body. # Update an SLA schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/reports/sla-schedules/update-an-sla-schedule sdx-api/spa/reports.json put /sla/schedules/{id} Updates a single SLA schedule and re-configures the CloudWatch event rule(s). Requires `sla:update` scope. # Retrieve a specific schedule (internal) Source: https://docs.sdx.altostrat.io/api-reference/spa/schedules/internal/retrieve-a-specific-schedule-internal sdx-api/spa/schedules.json get /internal/schedules/{schedule} This route is for internal usage. It requires a special token in the `X-Bearer-Token` header (or `Authorization: Bearer `), validated by the `internal` middleware. # Create a new schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/schedules/schedules/create-a-new-schedule sdx-api/spa/schedules.json post /schedules # Delete an existing schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/schedules/schedules/delete-an-existing-schedule sdx-api/spa/schedules.json delete /schedules/{schedule} # List all schedules Source: https://docs.sdx.altostrat.io/api-reference/spa/schedules/schedules/list-all-schedules sdx-api/spa/schedules.json get /schedules # Retrieve a specific schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/schedules/schedules/retrieve-a-specific-schedule sdx-api/spa/schedules.json get /schedules/{schedule} # Update an existing schedule Source: https://docs.sdx.altostrat.io/api-reference/spa/schedules/schedules/update-an-existing-schedule sdx-api/spa/schedules.json put /schedules/{schedule} # Generate RouterOS script via AI prompt Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/ai-generation/generate-routeros-script-via-ai-prompt sdx-api/spa/scripts.json post /gen-ai Calls an OpenAI model to produce a RouterOS script from the user’s prompt. Returns JSON with commands, error, destructive boolean, etc. Throttled to 5 requests/minute. Requires `script:create` scope. # Create a new community script Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/community-scripts/create-a-new-community-script sdx-api/spa/scripts.json post /community-scripts Registers a new script from a GitHub raw URL (.rsc) and optional .md readme URL. Automatically triggers background jobs to fetch code, parse README, and create an AI description. # List community scripts Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/community-scripts/list-community-scripts sdx-api/spa/scripts.json get /community-scripts Returns a paginated list of community-contributed scripts with minimal info. No authentication scope is specifically enforced in code, but presumably behind `'auth'` or `'api'` guard. # Raw readme.md content Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/community-scripts/raw-readmemd-content sdx-api/spa/scripts.json get /community-scripts/{id}.md Fetches README from GitHub and returns as text/plain, if `readme_url` is set. # Raw .rsc content of a community script Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/community-scripts/raw-rsc-content-of-a-community-script sdx-api/spa/scripts.json get /community-scripts/{id}.rsc Fetches the script content from GitHub and returns as text/plain. # Show a single community script Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/community-scripts/show-a-single-community-script sdx-api/spa/scripts.json get /community-scripts/{id} Provides script details including name, description, user info, repo info, etc. # Authorize a scheduled script Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/scheduled-scripts/authorize-a-scheduled-script sdx-api/spa/scripts.json put /scheduled/{scheduledScript}/authorize/{token} Sets `authorized_at` if provided token matches `md5(id)`. Requires `script:authorize` scope. Fails if already authorized. # Create a new scheduled script Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/scheduled-scripts/create-a-new-scheduled-script sdx-api/spa/scripts.json post /scheduled Requires `script:create` scope. Specifies a script body, description, launch time, plus sites and notifiable user IDs. Also sets whether backups should be made, etc. # Delete or cancel a scheduled script Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/scheduled-scripts/delete-or-cancel-a-scheduled-script sdx-api/spa/scripts.json delete /scheduled/{scheduledScript} If script not authorized & not started, it's fully deleted. Otherwise sets `cancelled_at`. Requires `script:delete` scope. # Immediately run the scheduled script Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/scheduled-scripts/immediately-run-the-scheduled-script sdx-api/spa/scripts.json put /scheduled/{scheduledScript}/run Requires the script to be authorized. Dispatches jobs to each site. Requires `script:run` scope. # List all scheduled scripts Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/scheduled-scripts/list-all-scheduled-scripts sdx-api/spa/scripts.json get /scheduled Lists scripts that are scheduled for execution. Requires `script:view` scope. Includes site relationships and outcome data. # Request authorization (trigger notifications) Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/scheduled-scripts/request-authorization-trigger-notifications sdx-api/spa/scripts.json get /scheduled/{scheduledScript}/authorize Sends a WhatsApp or other message to configured notifiables to authorize the script. Requires `script:update` scope. # Run scheduled script test Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/scheduled-scripts/run-scheduled-script-test sdx-api/spa/scripts.json put /scheduled/{scheduledScript}/run-test Sends the script to the configured `test_site_id` only. Requires `script:run` scope. # Script execution progress Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/scheduled-scripts/script-execution-progress sdx-api/spa/scripts.json get /scheduled/{scheduledScript}/progress Returns which sites are pending, which have completed, which have failed, etc. Requires `script:view` scope. # Show a single scheduled script’s details Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/scheduled-scripts/show-a-single-scheduled-script’s-details sdx-api/spa/scripts.json get /scheduled/{scheduledScript} Returns a single scheduled script with all relationships (sites, outcomes, notifications). Requires `script:view` scope. # Update a scheduled script Source: https://docs.sdx.altostrat.io/api-reference/spa/scripts/scheduled-scripts/update-a-scheduled-script sdx-api/spa/scripts.json put /scheduled/{scheduledScript} Edits a scheduled script’s fields, re-syncs sites and notifiables. Requires `script:update` scope. # Create a new VPN instance Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/instances/create-a-new-vpn-instance sdx-api/spa/vpn.json post /instances Provisions a new VPN instance, automatically deploying a server. Requires `vpn:create` scope. # Delete a VPN instance Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/instances/delete-a-vpn-instance sdx-api/spa/vpn.json delete /instances/{instance} Tears down the instance. Requires `vpn:delete` scope. # Fetch bandwidth usage Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/instances/fetch-bandwidth-usage sdx-api/spa/vpn.json get /instances/{instance}/bandwidth Returns the bandwidth usage metrics for the instance's primary server. Requires `vpn:view` scope. # List all VPN instances Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/instances/list-all-vpn-instances sdx-api/spa/vpn.json get /instances Returns a list of instances the authenticated user has created. Requires `vpn:view` scope. # Show details for a single VPN instance Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/instances/show-details-for-a-single-vpn-instance sdx-api/spa/vpn.json get /instances/{instance} Retrieves a single instance resource by its ID. Requires `vpn:view` scope. # Update a VPN instance Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/instances/update-a-vpn-instance sdx-api/spa/vpn.json put /instances/{instance} Allows modifications to DNS, routes, firewall, etc. Requires `vpn:update` scope. # Internal instance counts per customer Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/internal/internal-instance-counts-per-customer sdx-api/spa/vpn.json post /vpn/internal/instance-counts Used internally to retrieve aggregated peer or instance usage counts. Requires an internal token (not standard Bearer). # Create a new peer on an instance Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/peers/create-a-new-peer-on-an-instance sdx-api/spa/vpn.json post /instances/{instance}/peers Adds a client peer or site peer to the instance. Requires `vpn:create` scope. # Delete a peer Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/peers/delete-a-peer sdx-api/spa/vpn.json delete /instances/{instance}/peers/{peer} Removes a peer from the instance. Requires `vpn:delete` scope. # List all peers under an instance Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/peers/list-all-peers-under-an-instance sdx-api/spa/vpn.json get /instances/{instance}/peers Lists all VPN peers (clients or site-peers) attached to the specified instance. Requires `vpn:view` scope. # Show a single peer Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/peers/show-a-single-peer sdx-api/spa/vpn.json get /instances/{instance}/peers/{peer} Returns detail about a single peer for the given instance. Requires `vpn:view` scope. # Update a peer Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/peers/update-a-peer sdx-api/spa/vpn.json put /instances/{instance}/peers/{peer} Update subnets, route-all, etc. Requires `vpn:update` scope. # List available server regions Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/servers/list-available-server-regions sdx-api/spa/vpn.json get /servers/regions Retrieves a list of possible Vultr (or other provider) regions where a VPN instance can be deployed. # Server build complete callback Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/servers/server-build-complete-callback sdx-api/spa/vpn.json get /vpn/servers/{server}/heartbeat Called by the server itself upon final provisioning. Signed route with short TTL. Updates IP, sets DNS records, etc. # Get site subnets Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/sites/get-site-subnets sdx-api/spa/vpn.json get /site/{id}/subnets Retrieves potential subnets from the specified site (used for configuring a site-to-site VPN peer). # Download WireGuard config as a QR code Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/vpn-client-tokens/download-wireguard-config-as-a-qr-code sdx-api/spa/vpn.json get /vpn/instances/{instance}/peers/{peer}.svg Returns the config in a QR code SVG. Signed route with short TTL. Requires the peer to be a client peer. # Download WireGuard config file Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/vpn-client-tokens/download-wireguard-config-file sdx-api/spa/vpn.json get /vpn/instances/{instance}/peers/{peer}.conf Returns the raw WireGuard client config for a peer (type=client). Signed route with short TTL. Requires the peer to be a client peer. # Retrieve ephemeral client config references Source: https://docs.sdx.altostrat.io/api-reference/spa/vpn/vpn-client-tokens/retrieve-ephemeral-client-config-references sdx-api/spa/vpn.json get /vpn/client Uses a client token to retrieve a short-lived reference for WireGuard config or QR code download. The token is validated by custom client-token auth. Returns a JSON with config_file URL, QR code URL, etc. # Create WAN failover for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/failover/create-wan-failover-for-a-site sdx-api/spa/wan-failover.json post /{site_id}/failover Sets up a new failover resource for the site if not already present, plus some default tunnels. Requires `wan:create` scope. # Delete WAN failover Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/failover/delete-wan-failover sdx-api/spa/wan-failover.json delete /{site_id}/failover/{id} Deletes failover from DB, tears down related tunnels, and unsubscribes. Requires `wan:delete` scope. # Get failover info for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/failover/get-failover-info-for-a-site sdx-api/spa/wan-failover.json get /{site_id}/failover Retrieves the failover record for a given site, if any. Requires `wan:view` scope. # List failover services for current user Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/failover/list-failover-services-for-current-user sdx-api/spa/wan-failover.json get /service-counts Returns minimal array of failover objects (id, site_id) for user. Possibly used to see how many failovers they have. # Set tunnel priorities for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/failover/set-tunnel-priorities-for-a-site sdx-api/spa/wan-failover.json post /{site_id}/failover/priorities Updates the `priority` field on each tunnel for this failover. Requires `wan:update` scope. # Update tunnel gateway (router callback) Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/gateway/update-tunnel-gateway-router-callback sdx-api/spa/wan-failover.json post /{site_id}/tunnel/{tunnel_id}/gateway Allows a router script to update the gateway IP after DHCP/PPP changes. Typically uses X-Bearer-Token or similar, not standard BearerAuth. No standard scope enforced. # List count of failovers per customer Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/services/list-count-of-failovers-per-customer sdx-api/spa/wan-failover.json get /services_all Returns an object mapping customer_id => count (how many site failovers). # List site IDs for a customer (failover services) Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/services/list-site-ids-for-a-customer-failover-services sdx-api/spa/wan-failover.json get /services/{customer_id} Returns an array of site IDs that have failover records for the given customer. # List tunnels for a site (unauth? or partial auth?) Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/services/list-tunnels-for-a-site-unauth?-or-partial-auth? sdx-api/spa/wan-failover.json get /services/{site_id}/tunnels Returns array of Tunnels for the given site if any exist. Possibly used by external or different auth flow. # Create a new tunnel Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/tunnel/create-a-new-tunnel sdx-api/spa/wan-failover.json post /{site_id}/tunnel Creates a new WAN tunnel record for the site. Requires `wan:create` scope. # Delete a tunnel Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/tunnel/delete-a-tunnel sdx-api/spa/wan-failover.json delete /{site_id}/tunnel/{id} Removes the tunnel from the DB and notifies system to remove config. Requires `wan:delete` scope. # Detect eligible gateways for an interface Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/tunnel/detect-eligible-gateways-for-an-interface sdx-api/spa/wan-failover.json post /{site_id}/tunnel/gateways Find potential gateway IP addresses for the given interface. Requires `wan:view` scope. # Get router interfaces Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/tunnel/get-router-interfaces sdx-api/spa/wan-failover.json get /{site_id}/tunnel/interfaces Lists valid router interfaces for a site. Possibly from router print. Requires `wan:view` scope. # List all tunnels for current user Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/tunnel/list-all-tunnels-for-current-user sdx-api/spa/wan-failover.json get /tunnels Returns all Tunnels for the authenticated user’s customer_id. Requires `wan:view` scope. # List tunnels for a site Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/tunnel/list-tunnels-for-a-site sdx-api/spa/wan-failover.json get /{site_id}/tunnel Returns all Tunnels associated with this site’s failover. Requires `wan:view` scope. # Show a single tunnel Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/tunnel/show-a-single-tunnel sdx-api/spa/wan-failover.json get /{site_id}/tunnel/{id} Returns details of the specified tunnel. Requires `wan:view` scope. # Update tunnel properties Source: https://docs.sdx.altostrat.io/api-reference/spa/wan-failover/tunnel/update-tunnel-properties sdx-api/spa/wan-failover.json put /{site_id}/tunnel/{id} Modifies name, gateway, interface, or SLA references on the tunnel. Requires `wan:update` scope. # Test a Slack or MS Teams webhook Source: https://docs.sdx.altostrat.io/api-reference/spa/webhooks/integrations/test-a-slack-or-ms-teams-webhook sdx-api/spa/webhooks.json post /test Sends a test message to the specified Slack or MS Teams webhook URL. **Requires** valid JWT authentication with appropriate scope (e.g., `webhook:test` or similar). # Content Filtering Source: https://docs.sdx.altostrat.io/core-concepts/content-filtering Manage and restrict access to undesirable or harmful content across your network. ![Placeholder: Content Filtering Hero](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/content-filtering-hero-placeholder.jpg) **Content Filtering** allows you to **block or restrict** websites and services based on categories (e.g., adult content, streaming media, social networking). This ensures your network stays aligned with your **Acceptable Use Policies**. ## Key Features * **Category-Based Blocking** Block access to large groups of undesirable sites (e.g., adult content, illegal activities). * **SafeSearch & Restricted Mode** Enforce Google SafeSearch, Bing SafeSearch, and YouTube Restricted Mode to filter out explicit material. * **Filtering Avoidance Prevention** Prevent access to known proxy or anonymizer domains. * **Detailed Traffic Statistics** Review logs and analytics to understand which categories or domains are being blocked. *** ## Creating a Content Filter Policy From your Altostrat **Dashboard**, go to Policies → Content Filtering. Click Add or + New to start creating a new policy. Provide a Policy Name (e.g., "Block Adult & Streaming"). * **Choose Categories**: Select categories of undesirable sites. You can expand or collapse category groups to pick sub-categories. * **SafeSearch Settings**: Enable SafeSearch for Google and Bing search engines, and set YouTube Restricted Mode. * **Custom Domains**: Manually allow or block specific domains (e.g., whitelist your corporate site or blacklist known proxies). Click Save or Add. To apply it immediately: * Navigate to your Sites * Select a site * Under Content Filter Policy, choose the newly created policy Allow a few moments for changes to propagate to the router. If the router is behind NAT, ensure the [Management VPN](/management/management-vpn) is configured correctly. *** ## Editing a Content Filtering Policy Navigate to Policies → Content Filtering in Altostrat. Click on the policy you want to edit to open its configuration pane. Toggle categories on or off, adjust SafeSearch settings, or add/remove custom domains. Changes will automatically propagate to any sites using this policy. *** ## Removing a Content Filtering Policy Deleting a policy removes its configuration from any sites that use it. These sites will revert to having no content filter or fall back to a default policy if one exists. Under Policies → Content Filtering, locate the policy you want to remove. Select the policy, then click the Trash or Remove icon. Confirm your decision in the dialog box. To **completely disable** Content Filtering on specific sites, either switch them to a different policy or remove their association with the feature entirely. *** ## Best Practices * **Start Broad, Refine Gradually**: Begin by blocking major content categories, then fine-tune with exceptions as needed. * **Regularly Review Logs**: Monitor which domains are being blocked or allowed, and adjust your policy accordingly. * **Combine with Other Security**: Implement a comprehensive approach by enabling [Security Essentials](/core-concepts/security-essentials). * **Educate Users**: Ensure employees and guests understand your Acceptable Use Policies to minimize confusion and resistance. # Control Plane Source: https://docs.sdx.altostrat.io/core-concepts/control-plane Configure inbound management services (WinBox, SSH, API) and firewall rules at scale in Altostrat. ![Placeholder: Control Plane Hero](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/control-plane-hero-placeholder.jpg) Altostrat's **Control Plane Policies** define how MikroTik devices handle inbound connections for critical management services such as **WinBox**, **SSH**, and **API**. By centralizing firewall rules and trusted networks, you ensure consistent security across all routers under a given policy. ## Default Policy When you sign up, Altostrat automatically creates a **Default Control Plane Policy** for basic protection. This policy includes: * **Trusted Networks** (e.g., private IP ranges like 10.x, 192.168.x) * **WinBox**, **API**, and **SSH** enabled on default ports * **Custom Input Rules** toggled on or off The IP address `154.66.115.255/32` may be added by default as a trusted address for Altostrat's Management API. ## Creating a Control Plane Policy Under Policies, select Control Plane. You'll see a list of existing policies, including the default one. Click + Add Policy. Give your policy a descriptive name (e.g., "Strict Admin Access"). Add or remove IP addresses or CIDR ranges that you consider trusted. For example: 192.168.0.0/16. Decide whether your MikroTik firewall input rules should take precedence. If set to ON, your custom rules will be applied first. Under IP Services, specify ports for WinBox, SSH, and API. These services must remain enabled if you plan to manage devices via Altostrat's API. Assign the policy to specific sites if desired. You can also assign it later. Click Add to finalize. ![Placeholder: Control Plane Policy Creation](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/control-plane-policy-creation-placeholder.jpg) ## Editing a Control Plane Policy Navigate to Policies → Control Plane. Click on the policy to open its settings. Add or remove CIDRs, toggle whether Custom Input Rules override Altostrat's default drop rules, and modify ports for WinBox, API, and SSH. Changes will propagate automatically to any sites using this policy. Allow a short period for routers to update. ## Removing a Control Plane Policy Deleting a policy from an active site may disrupt management access if no other policy is assigned. In Policies → Control Plane, locate the policy you wish to remove. Click the Trash icon and confirm the action. If any routers depend on this policy for inbound admin services, assign them another policy first. ## Best Practices * **Maintain Essential Services**: Keep WinBox, SSH, and API enabled if you plan to manage devices through Altostrat. * **Limit Trusted Networks**: Restrict access to reduce exposure. * **Regular Review**: Review and update policies as your network changes. * **Security Layering**: Combine with [Security Essentials](/core-concepts/security-essentials) for a comprehensive security approach. # Notification Groups Source: https://docs.sdx.altostrat.io/core-concepts/notification-groups Define groups of users, schedules, and alert types for more targeted notifications. ![Placeholder: Notification Groups Hero](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/notification-groups-hero-placeholder.jpg) A **Notification Group** is a way to organize who receives alerts, **when** they receive them, and for **which events**. This helps ensure relevant teams get the notifications they need while avoiding unnecessary notifications for others. ## Setting Up a Notification Group Go to Notifications → Notification Groups in the Altostrat Portal. Click Add or + New to create a new Notification Group. Provide a Group Name. Choose who should receive alerts—either individual users or an entire role (e.g., "NOC Team"). Only selected users will receive notifications tied to this group. If desired, link a policy specifying time windows for sending alerts (to reduce off-hours messages). Select which types of notifications are relevant (e.g., Heartbeat Failures, Security Alerts, WAN Failover). If alerts should only apply to specific sites, limit them here. Otherwise, the group will cover all sites by default. Confirm your settings. The new group will now be active. *** ## Editing a Notification Group Under Notifications → Notification Groups, locate the group you want to modify. Adjust the group's name, add or remove users, modify the Business Hours Policy, or expand/restrict topics. Most changes save automatically. Users may need to log out and log back in to see updates in some cases. *** ## Removing a Notification Group Deleting a group means its members will no longer receive those alerts. Ensure critical notifications are covered by another group if needed. In Notifications → Notification Groups, select the group to remove. Click the Trash icon. Confirm your choice in the dialog. If the group was tied to certain **Business Hours Policies** or **Alert Topics**, you might need to reassign them to another group to maintain coverage. *** ## Tips & Best Practices * **Segment Based on Function**: Create separate groups for Security Teams, NOC Teams, Management, etc. * **Use Business Hours Policies**: Reduce alert fatigue by only notifying off-hours for critical events. * **Review Groups Regularly**: Ensure each group's membership and topics remain relevant. * **Combine with Integrations**: Forward alerts to Slack or Microsoft Teams if needed—see [Integrations](/integrations/integrations-overview). # Notifications Source: https://docs.sdx.altostrat.io/core-concepts/notifications Define, manage, and route alerts for important network events in Altostrat. ![Placeholder: Notifications Hero](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/notifications-hero-placeholder.jpg) Altostrat **Notifications** keep you informed about key events—like **Network Outages**, **SLA Breaches**, and **Security Issues**—so you can react quickly. Customize notifications to ensure the right teams or individuals get the right alerts at the right time. ## Why Notifications Matter * **Proactive Issue Management:** Address potential problems before they escalate into major outages. * **Improved Network Uptime:** Quick response to alerts shortens downtime. * **Enhanced Security:** Security-related notifications highlight suspicious activity, enabling quick risk mitigation. * **Customizable:** Assign notifications to specific users or groups based on their roles. ## Notification Types Here are common notifications sent by Altostrat: | **Type** | **Description** | | ----------------------- | ---------------------------------------------------------------------------------- | | **SLA Reports** | Alerts you when agreed Service Level Agreements (uptime, latency) aren't met | | **Heartbeat Failures** | Informs administrators when a device stops sending health signals | | **WAN Failover Events** | Indicates connectivity issues or automatic failover events that affect the network | | **Security Alerts** | Notifies you about malicious IP blocks, intrusion attempts, or suspicious traffic | *** ## Setting Up Notifications From your Altostrat Dashboard, go to the Notifications section. This page displays an overview of existing notification rules. Click Add or New Notification to create a rule. Define conditions such as Fault Type, SLA Breach, or Security Trigger. Select specific users, roles, or Notification Groups who should receive these alerts. You can configure delivery methods including Email or SMS (subject to [Supported SMS Regions](/resources/supported-sms-regions)). Review and confirm the notification settings. If possible, test by simulating a trigger (e.g., forcing a Heartbeat Failure). Recipients should receive a test alert when everything is configured correctly. ## Customizing Alerts * **Business Hour Policies:** Receive notifications only during specified times * **Targeted Alerts:** Direct SLA or Security notifications to relevant teams * **Limit Redundancy:** Prevent notification fatigue by avoiding duplicate messages *** ## Best Practices * **Review Regularly:** Ensure your notification settings align with current organizational needs * **Use Notification Groups:** Organize recipients by function (e.g., NOC Team, Security Team) * **Integrate with Other Tools:** Connect notifications with external services (e.g., Slack, Microsoft Teams) for streamlined workflows If you experience issues or need to configure advanced behavior, consult the [Notification Groups](/core-concepts/notification-groups) page or review the [Orchestration Log](/management/orchestration-log) for troubleshooting assistance. # Policies Source: https://docs.sdx.altostrat.io/core-concepts/policies Manage essential policies for Security, Content Filtering, and Control Plane settings in Altostrat. ![Placeholder: Policies Overview](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/policies-overview-placeholder.jpg) In Altostrat, **Policies** let you **centralize** and **automate** configurations that apply across multiple sites or devices. By defining a policy, you ensure consistent rules for **Security**, **Content Management**, and **Control Plane** access. ## Introduction Altostrat supports various policy types: * **Security Essentials**: Block malicious IPs, intrusions, or suspicious traffic * **Content Filtering**: Restrict websites and categories (e.g., adult content, streaming) * **Control Plane**: Manage inbound access (WinBox, SSH, API) and Firewall input rules at scale * **Notification Policies**: Decide who receives alerts and under which conditions Policies are created and edited under the **Policies** section in the Altostrat Portal. You can **assign** them to specific sites to enforce the same configuration across your organization. ## Creating a New Policy Navigate to Policies from your Altostrat Dashboard. You'll see different types (e.g., Security Essentials, Content Filtering, Control Plane). Choose the category (e.g., Security Essentials) or click Add if you're creating a new policy instance for that category. Depending on the policy type: * Security Essentials: Enable specific block lists * Content Filtering: Configure site categories and SafeSearch toggles * Control Plane: Define input Firewall rules, IP services, and trusted IPs After naming and configuring your policy, click Save. Then navigate to the relevant Site page to assign the policy if needed. ## Editing an Existing Policy Under Policies, click on the relevant category (e.g., Content Filtering). Toggle categories, add or remove block lists, or update inbound Firewall rules, depending on the policy type. All changes will automatically propagate to assigned sites after a brief delay. ## Removing a Policy Deleting a policy removes its configuration from any site currently using it. Those sites will revert to having no policy or a default policy if one is set. Under Policies, find the policy you want to remove. Click the Trash or Remove icon and confirm the action. If the policy is critical, consider assigning a different one to your sites first. ## Best Practices * **Minimal Overlap**: Avoid assigning multiple policies with conflicting rules to the same site * **Versioning**: If you need major changes, consider creating a new policy rather than drastically editing an existing one * **Audit Regularly**: Check which policies are active and ensure they still match business requirements * **Combine**: Use [Security Essentials](/core-concepts/security-essentials) plus [Content Filtering](/core-concepts/content-filtering) or [Control Plane](/core-concepts/control-plane) for layered defense # Roles & Permissions Source: https://docs.sdx.altostrat.io/core-concepts/roles-and-permissions Control user access levels in Altostrat through roles, permissions, and fine-grained capabilities. Altostrat uses **Roles** to group **Permissions**, determining who can view, create, update, or delete resources in your organization. ## System Roles vs. Custom Roles * **System Roles**: Predefined roles (e.g., Administrator) with typical permissions * **Custom Roles**: User-defined roles with precise permission settings for advanced control ## Permissions Overview Permissions are grouped by category (Teams, Sites, Security, etc.). When assigned to a role, any user with that role inherits these capabilities. Here's a detailed look at key permission categories: | **Permission** | **Explanation** | | ------------------ | -------------------------------- | | Teams View | View team-related information | | Teams Create | Create new teams | | Teams Update | Update existing team information | | Teams Delete | Delete teams | | Teams Invite Users | Invite other users to a team | | Teams Remove Users | Remove users from a team | | **Permission** | **Explanation** | | -------------- | ---------------------------------------- | | Site View | View site-related information | | Site Create | Create new sites | | Site Update | Update existing sites | | Site Delete | Delete sites | | Site Action | Perform actions on a site (e.g., reboot) | | **Permission** | **Explanation** | | --------------- | ---------------------------------------------- | | Security View | View security configurations and rules | | Security Create | Create new security policies or configurations | | Security Update | Update existing security configurations | | Security Delete | Delete security configurations | > **Additional categories** include **WAN**, **Jobs**, **Notifications**, and more. Assign these permissions based on your organizational needs. ## Creating a Role Navigate to **Settings → Roles & Permissions** in the Altostrat Dashboard. You'll see a list of existing roles. {/* Images */} Click **+ Add**. Enter a descriptive name (e.g., "NOC Ops") that reflects the role's responsibilities. {/* Images */} From the permissions list, select the appropriate checkboxes (e.g., `Teams View`, `Site View`, `Site Action`) for this role. {/* Images */} Click **Save** to create the role. It's now ready for user assignment. {/* Images */} ## Editing a Role In **Roles & Permissions**, find and click the role name you want to modify. {/* Images */} Adjust permissions by selecting or deselecting checkboxes. For example, add site action permissions or remove security privileges as needed. {/* Images */} Click **Update ->** to apply your changes. All users with this role will receive the updated permissions. Users may need to refresh their page or log in again to see the changes. {/* Images */} ## Deleting a Role Deleting a role immediately revokes all associated permissions from users who have that role. Go to **Settings → Roles & Permissions** and find the role you want to delete. {/* Images */} {/* Images */} Click the menu icon (three dots) or trash icon next to the role name. Confirm the deletion. Ensure affected users have alternative roles assigned if they need to maintain certain permissions. You may need to scroll to the side of the page if there are roles with a lot of permissions. ## Best Practices * **Start with System Roles**: Use predefined roles when first setting up your permissions structure * **Create Custom Roles**: Develop specialized roles for specific teams (e.g., "Security Ops," "Support Agents") * **Conduct Regular Audits**: Review and update role permissions to maintain security * **Apply Least Privilege**: Grant only the minimum permissions necessary for users to perform their tasks # Security Essentials Source: https://docs.sdx.altostrat.io/core-concepts/security-essentials Core security features in Altostrat, from blocking malicious traffic to proactive monitoring. ![Placeholder: Security Essentials Hero](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/security-essentials-hero-placeholder.jpg) Altostrat's **Security Essentials** feature helps you block or restrict **malicious traffic** and **undesirable content**, improving overall **network resilience**. ## Key Features * **Blocking Known Malicious IPs** Auto-updated lists of IPs associated with threats (e.g., botnets) * **Intrusion Prevention** Detection and mitigation of suspicious traffic patterns * **MikroTik Firewall Integration** Seamless interaction with MikroTik firewall rules to reduce attack surface * **Logging & Alerts** Comprehensive monitoring of security events for rapid incident response *** ## Default Policy When you first sign up, Altostrat creates a default **Security Essentials** policy. This policy includes critical block lists such as: * **RFC 1918** IP Ranges * **Team Cymru FullBogons** * **FireHOL Level 1** * **Emerging Threats Block IPs** You can customize or replace this default policy at any time. *** ## Creating a Security Essentials Policy Navigate to Policies → Security Essentials to view existing policies, including the default one. Click Add or + New. Enter a policy name (e.g., "High Security"). Choose from available lists such as Team Cymru FullBogons, Compromised IPs, and AlienVault OTX. Enable or disable features based on your security requirements. Confirm your policy changes: * Assign the policy to a site from the site's overview * The router will update automatically via the [Management VPN](/management/management-vpn) ![Placeholder: Security Essentials Policy Creation](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/security-essentials-creation-placeholder.jpg) *** ## Editing a Security Essentials Policy Access the Altostrat portal and navigate to Policies → Security Essentials. Select an existing policy. Toggle block lists on or off, or add new ones as needed. Sites using this policy will receive updates after a brief synchronization period. *** ## Removing a Security Essentials Policy Removing a security policy from a site may expose it to threats if no alternative protection is in place. Navigate to Policies → Security Essentials and find the policy you want to delete. Click the Remove or Trash icon and confirm your choice. Sites using this policy will no longer enforce the associated block lists. *** ## Best Practices * **Monitor Logs**: Regularly check the [Orchestration Log](/management/orchestration-log) for security-related events or anomalies * **Combine with Content Filtering**: Implement [Content Filtering](/core-concepts/content-filtering) to block unwanted website categories * **Regularly Audit Policies**: Review your block lists and settings periodically as new threats emerge * **Educate Users**: Maintain a strong **human** firewall to complement technical security measures # Teams Source: https://docs.sdx.altostrat.io/core-concepts/teams Organize users into teams for resource ownership and collaboration in Altostrat. ## Introduction In Altostrat, a **Team** is a structured group of users collaborating to manage devices, sites, and associated resources. Teams form the backbone of **resource ownership** and let you easily control **who** can see and change **what**. ### Resource Ownership * **All resources** (like sites, policies, scripts) belong to a **team**. * Only members of that team can interact with its resources (view, update, or delete), depending on their [Roles & Permissions](/core-concepts/roles-and-permissions). ### Collaboration * Teams enable groups working on the **same projects** to share device access and policy controls. * For instance, a **NoC Team** might manage daily operations, while a **Security Team** focuses on threat monitoring and policy enforcement. ### Flexibility * A single user can join **multiple teams**, useful for large organizations with overlapping duties. * Teams can also represent **departments**, **projects**, or **clients**. ## Creating a Team 1. **Navigate to Settings → Teams** From your Altostrat dashboard, select **Teams** to open the **Team Overview** page. {/* Images */}
2. **Click +New** {/* Images */} 3. Provide a **Team Name** that fits your business context (e.g., “NoC Team,” “Security,” or “Project X”), and then click on **Add ->**. {/* Images */} 4. **Owner & Defaults** By default, the user creating the team is the owner and is automatically added to the team. 5. **Invite Additional Members** (optional) See [Users](/core-concepts/users) to learn how to add or invite people into this team. ## Editing a Team 1. **Select the Team** In **Team Overview**, click on the team you want to update. {/* Images */} 2. **Update Team Info** Modify the **Team Name**, add or remove **members**, or adjust settings like the **Site Limit**. {/* Images */} 3. **Auto-Save** Changes typically save automatically, so no extra button is required. 4. **Check Roles** Members' capabilities also hinge on their [Roles & Permissions](/core-concepts/roles-and-permissions). ## Removing a Team Deleting a team also removes all resources owned by that team unless they are transferred elsewhere first. 1. **Open the Team** From the **Team Overview**, choose the team you wish to remove. 2. **Click the Trash Icon**; A confirmation dialog will appear. {/* Images */} 3. **Confirm Deletion** {/* Images */} If you're sure, proceed. The team and its resources will be deleted permanently. Double-check that you've migrated any vital devices or sites to another team beforehand. # Users Source: https://docs.sdx.altostrat.io/core-concepts/users Manage portal and notification users, and understand how resource access is granted in Altostrat. ## Introduction Altostrat manages access to resources through **users** and **teams**. Each user has a profile that determines their **roles**, **notification preferences**, and **team membership**. ## Types of Users | **Type** | **Can Log In** | **Receives Notifications** | **Own Resources** | | --------------------- | -------------: | -------------------------: | ----------------: | | **Portal User** | **Yes** | **Yes** | **Yes** | | **Notification User** | **No** | **Yes** | **No** | ### Portal User * Has an **Altostrat** account with a username/password (or SSO). * Can log in, view and manage resources, and receive notifications. * A portal user can also **own** resources if they belong to a team that holds resources. ### Notification User * **Cannot log in** to Altostrat. * Receives alerts (e.g., SLA breaches, network outages). * Ideal for stakeholders who only need updates but don’t manage devices. ## Creating a User There are two ways to create a user in Altostrat: 1. **User Self-Registration** * The person goes to [https://auth.altostrat.app](https://auth.altostrat.app) and signs up. * Once verified, they can join or create a team in your organization. * See [User Registration](/getting-started/user-registration). 2. **Portal Admin Creates a User** * An existing portal admin with the right [Roles & Permissions](/core-concepts/roles-and-permissions) can manually create a new user. * This user can be assigned as either a **Portal User** or a **Notification User**. ## Granting Someone Access to Your Resources Because **all resources are owned by a team**, you must add the user to the relevant team. 1. **Open Teams** Go to **Settings → Teams** and select the team that owns the resources. {/* Images */} 2. **Invite or Add User** Use the **Invite** or **Add Member** button. {/* Images */} 3. **Assign a Role** The role (with specific permissions) defines what this user can do within the team. If the user doesn’t appear in the user list, make sure you have privileges to add new users and that the user has already [registered](/getting-started/user-registration) or has been created as a new portal user by an admin. ## User Management Tasks ### Updating User Details 1. **Navigate to Users** From the **Settings** or **Team** page, locate the user. {/* Images */} 2. **Edit Profile** Update attributes like email, display name, or phone number for notifications. 3. **Roles & Permissions** If you have the correct role, you can alter the user’s assigned role. {/* Images */} ### Deleting or Disabling a User If a user no longer requires access or notifications: 1. **Locate the User** Under **Settings → Users** (or in a specific **Team**). {/* Images */} 2. **Delete or Disable** Confirm the action. If they have owned resources, you may need to reassign ownership first. ## Email & Phone Verification To enhance security, Altostrat supports verification processes: * **Email Verification**: Required for portal logins. * **Phone Verification**: Can be used for SMS notifications. Must be in [Supported SMS Regions](/resources/supported-sms-regions). ## Best Practices * **Keep Team Membership** Updated to ensure proper resource access. * **Use Different Roles** to enforce the principle of least privilege. * **Regularly Audit** users in your organization to ensure no unnecessary active accounts linger. With a clear user strategy—combining **portal** and **notification** accounts, plus proper **team membership**—you’ll maintain a secure and efficient environment for everyone using Altostrat. # Adding a Router Source: https://docs.sdx.altostrat.io/getting-started/adding-a-router Follow these steps to onboard your MikroTik router to the Altostrat portal. ## Introduction Welcome to the guide on connecting your **MikroTik router** to the Altostrat portal. By following these steps, you'll quickly and securely integrate your device for centralized management. {/* ## Video Guide (Optional) If you prefer a visual tutorial, watch this **placeholder video** explaining how to add your router. */} ## Detailed Step-by-Step Guide ### Step 1: Access the Altostrat Portal 1. Log in at [https://sdx.altostrat.app](https://sdx.altostrat.app). 2. Navigate to **Sites** in the main menu. {/* Images */} ### Step 2: Create or Select a Site 1. Click **+ Add** to begin the onboarding process. {/* 2. Assign a **Site Name** and confirm basic settings. */} {/* Images */} ### Step 3: Express Deploy 1. On the site's overview page, click **Add Router** (or a similarly labeled button). 2. A pop-up or new page will appear, guiding you through **Express Deploy**. {/* Images */} ### Step 4: View Control Plane Policy 1. Select a **Control Plane Policy** (Default or custom). > If you only have a default **Control Planee Policy**, it will automatically take you to the next step. 2. A new pop up will open showing the settings for your **Control Plane Policy** {/* Images */} > For more info on policies, see [Control Plane Docs](/core-concepts/control-plane). ### Step 5: Review and Accept Changes 1. Preview the router settings that will be applied (e.g., firewall rules, VPN configs). {/* Images */} 2. Click **Accept** if everything looks correct. ### Step 6: Copy the Bootstrap Command 1. A unique **Bootstrap Command** will be shown. 2. Copy this command to your clipboard. {/* Images */} ### Step 7: Run the Command on Your MikroTik Device 1. Open **Winbox** or **SSH** into the MikroTik CLI. 2. Paste the **Bootstrap Command** and press **Enter**. 3. Wait a few moments for scripts to execute and finalize the onboarding. {/* Images */} ![bootstrap command](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/getting-started/adding-a-router/getting_started_adding-a-router-step7.jpg) ### Step 8: Confirm Router Visibility in Altostrat 1. Return to the **Sites** page in Altostrat. 2. Verify that your router is listed and showing **Online**. {/* Images */} If it's **offline** or not visible, verify internet connectivity, recheck the bootstrap command, or consult [Orchestration Logs](/management/orchestration-log). You've now successfully added your MikroTik router to Altostrat and can begin monitoring or configuring it from the portal. If you need more advanced setup, explore additional docs like [WAN Failover](/management/wan-failover) or [Management VPN](/management/management-vpn). # Captive Portal Setup Source: https://docs.sdx.altostrat.io/getting-started/captive-portal-setup Learn how to configure a Captive Portal instance and enable network-level authentication. This document outlines the **fundamentals** and a **step-by-step guide** for setting up a Captive Portal in Altostrat. You'll also learn about **custom configurations** you can apply. Before proceeding, confirm you have an [IDP Instance](/integrations/identity-providers) configured if you plan to use **OAuth 2.0** authentication (e.g., Google, Microsoft Azure). Otherwise, you won't be able to authenticate users via third-party providers. ## Step 1: Navigate to the Captive Portal Page 1. From your **Dashboard**, select **Captive Portal** (or a similarly named menu option). 2. You'll see an **Overview** or **Get Started** button to create a new Captive Portal instance. 3. Click **Get Started** (or **+ Add**). ![Placeholder: Captive Portal Overview](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/captive-portal-overview-placeholder.jpg) ## Step 2: Create Your Captive Portal Instance 1. Provide a **Name** for the instance, e.g. “Guest Wi-Fi Portal.” 2. Set the **Authentication Strategy** (currently OAuth 2.0 only). 3. Pick the **Identity Provider** you previously configured, or click **+** to create a new one. 4. Click **Next** to confirm and move to customization. If you haven't created an IDP yet, follow our [Identity Providers](/integrations/identity-providers) guide before continuing. ### Captive Portal Customization After initial setup, you'll be redirected to a **Customization** page where you can: * **Branding**: Add logos, colors, and messaging. * **Terms of Use**: Insert disclaimers or acceptable use policies for users to accept before accessing the network. * **Redirects**: Control where users land post-authentication. * **Voucher or Coupon Codes**: Issue time-limited or usage-limited codes for guests. ![Placeholder: Captive Portal Customization](https://mintlify.s3.us-west-1.amazonaws.com/altostratnetworks/images/captive-portal-customization-placeholder.jpg) ## Network Considerations 1. **Firewall Rules** Ensure your MikroTik's firewall permits traffic for the Captive Portal flow. 2. **DHCP & DNS** Confirm your router provides IP addresses and DNS resolution for guest clients. ## Step 3: Finalizing & Applying the Captive Portal After you finish customizing: 1. Click **Add** or **Save** to finalize. 2. If your router is behind NAT, verify that the required ports are open or that the [Management VPN](/management/management-vpn) is set up for behind-NAT usage. ### Testing the Captive Portal 1. Connect a **test device** (phone, laptop, etc.) to your Wi-Fi or LAN. 2. When prompted by the Captive Portal, **log in** with the IDP you configured or a local account. 3. Confirm the **authentication** process succeeds, and you're able to browse the permitted network resources. For public or guest-facing portals, regularly monitor the captive portal logs to ensure usage is within acceptable limits. If you run into issues or need advanced behavior (like custom login pages or deeper policy integration), consult additional docs on [Transient Access](/getting-started/transient-access) or [Security Essentials](/core-concepts/security-essentials). # Initial Configuration Source: https://docs.sdx.altostrat.io/getting-started/initial-configuration Learn how to reset, connect, and update your MikroTik device before adding it to Altostrat. This page walks you through the **initial setup** of your MikroTik device: * Resetting and clearing existing configurations * Establishing an Internet connection * Upgrading to the latest firmware ## Setting up Your Router 1. **Power On** Plug in your MikroTik router and wait 10 – 60 seconds for it to boot up. 2. **Check Indicators** Confirm via LCD panel, LEDs, or beeps that the device is ready. 1. **Ethernet Cable** Connect an Ethernet cable from the MikroTik's ether1 port to your upstream device (e.g., modem or switch). 2. **Placeholder Image** {/* ![Placeholder: Ethernet Connection](../images/ethernet-connection-placeholder.jpg) */} {/* Images */} Should you need more info, you can refer to this official documentation from MikroTik: [https://help.mikrotik.com/docs/spaces/ROS/pages/328151/First+Time+Configuration](https://help.mikrotik.com/docs/spaces/ROS/pages/328151/First+Time+Configuration) Choose one of two methods: #### Option 1: Reset via LCD Panel 1. On the front LCD panel, locate Factory Reset or equivalent. 2. Enter the default PIN: 1234 (if you haven't changed it). The device reboots. Look for a displayed IP like 192.168.88.1 (additional IPs can be ignored). #### Option 2: Reset via Winbox 1. Use the Winbox utility from [MikroTik docs](https://help.mikrotik.com/docs/display/ROS/WinBox). 2. Under System → Reset Configuration, confirm to wipe the router back to factory defaults. Ensure the router can reach the internet: **Check for IP Address** * In Winbox, go to IP → DHCP Client. * If you see ether1 with a valid IP (not 0.0.0.0), skip to Confirm Internet Access. #### Get an IP via DHCP 1. Click Add New in the DHCP Client window. 2. Select ether1 for Interface. 3. Check Use Peer DNS. 4. Click Apply, then OK. 5. Verify a valid IP appears under IP Address. #### Confirm Internet Access Open a terminal in Winbox: ```bash ping altostrat.io ``` If you see continuous pings, the router is online. 1. In Winbox, go to System → Packages. 2. Click Check for Updates. 3. Choose stable from the Channel dropdown. 4. Click Check for Updates again. Compare Installed Version to Latest Version. If different, click Download & Install. The router reboots after installing firmware. Log back in and check Packages to confirm. If an upgrade channel is available for a major version jump, select it and repeat the process. See MikroTik's official docs for more details. Your MikroTik router is now ready to connect with Altostrat. Visit [Adding a Router](/getting-started/adding-a-router) to onboard the router to your Altostrat portal. # Introduction Source: https://docs.sdx.altostrat.io/getting-started/introduction Welcome to Altostrat SDX—your unified platform for MikroTik management and more.