
Xplorr API Reference

The Xplorr API is a REST API served over HTTPS. All endpoints require authentication unless noted otherwise. Base URL: https://api.xplorr.io/api/v1.

All requests must include a Bearer token in the Authorization header:

curl -H "Authorization: Bearer xplorr_your_token" \
  https://api.xplorr.io/api/v1/costs

Get your API token from Settings → API in the console. See the Authentication guide for detailed setup.


| Method | Path | Rate Limit | Description |
|---|---|---|---|
| POST | /auth/login | 20/15min | Log in with email + password. Returns access + refresh tokens. |
| POST | /auth/signup | 20/15min | Register a new account with business email. |
| POST | /auth/refresh | | Exchange refresh token for new access token. |
| POST | /auth/logout | | Revoke the current refresh token. |
| GET | /auth/me | | Get current user profile. |
| POST | /auth/forgot-password | 20/15min | Send password reset email. |
| POST | /auth/reset-password | 5/30min | Reset password with token. |
| POST | /auth/change-password | | Change password (authenticated). |
| POST | /auth/verify-email | | Verify email address with token. |
| POST | /auth/resend-verification | 20/15min | Resend verification email. |
| POST | /auth/invite | | Invite user to org (admin only). |
| GET | /auth/invitation/:token | | Check invitation status. |
| POST | /auth/accept-invitation | | Accept invite and create account. |

| Method | Path | Rate Limit | Description |
|---|---|---|---|
| POST | /auth/2fa/setup | | Start TOTP 2FA setup. Returns QR code. |
| POST | /auth/2fa/confirm | | Confirm TOTP code to enable 2FA. |
| POST | /auth/2fa/authenticate | 10/15min | Verify TOTP code during login. |
| POST | /auth/2fa/disable | 5/15min | Disable 2FA. |

| Method | Path | Description |
|---|---|---|
| GET | /auth/webauthn/register/options | Get registration challenge. |
| POST | /auth/webauthn/register/verify | Verify and register credential. |
| GET | /auth/webauthn/authenticate/options | Get authentication challenge. |
| POST | /auth/webauthn/authenticate/verify | Authenticate with passkey. |
| GET | /auth/webauthn/credentials | List registered security keys. |
| DELETE | /auth/webauthn/credentials/:id | Remove a security key. |

| Method | Path | Description |
|---|---|---|
| GET | /auth/sso/check?email=... | Check if SSO is required for email domain. |
| GET | /auth/saml/init?org_slug=... | Start SAML authentication flow. |
| POST | /auth/saml/acs | SAML Assertion Consumer Service callback. |
| GET | /auth/saml/metadata/:org_slug | Get SP metadata XML. |
| GET | /auth/sso/config | Get org SSO configuration (admin). |
| PATCH | /auth/sso/config | Configure SSO (admin). |
| DELETE | /auth/sso/config | Disable SSO (admin). |

| Method | Path | Rate Limit | Description |
|---|---|---|---|
| GET | /costs | 30/min | Cost breakdown with grouping. |
| GET | /costs/trend | 30/min | Daily cost trend over time range. |

Query parameters for /costs:

| Parameter | Type | Description |
|---|---|---|
| startDate | string | Start date (YYYY-MM-DD). Default: 30 days ago. |
| endDate | string | End date (YYYY-MM-DD). Default: today. |
| provider | string | Filter: aws, azure, or gcp. |
| accountId | string | Filter to a specific cloud account. |
| groupBy | string | Group by: provider, service, region, date, account. |

| Method | Path | Rate Limit | Description |
|---|---|---|---|
| GET | /cloud-accounts | | List all connected cloud accounts. |
| POST | /cloud-accounts | 20/hour | Connect a new cloud account (admin). |
| GET | /cloud-accounts/:id | | Get account details. |
| PATCH | /cloud-accounts/:id | | Update account credentials (admin). |
| DELETE | /cloud-accounts/:id | | Disconnect a cloud account (admin). |
| GET | /cloud-accounts/server-aws-config | | Check if server-level AWS credentials are configured. |

| Method | Path | Rate Limit | Description |
|---|---|---|---|
| POST | /sync/all | 10/hour | Trigger full sync for all accounts (admin). |
| POST | /sync/:accountId | 10/hour | Trigger sync for one account (admin). |
| GET | /sync/status | | Get last sync status for all accounts. |
| GET | /sync/jobs | | List sync jobs (paginated). Query: limit, offset. |

| Method | Path | Description |
|---|---|---|
| GET | /inventory | Query resources with filters (paginated). |
| GET | /inventory/filters | Get distinct filter values for dropdowns. |
| GET | /inventory/export | Export inventory as CSV (max 50,000 rows). |

Query parameters for /inventory:

| Parameter | Type | Description |
|---|---|---|
| accountId | string | Filter by cloud account. |
| provider | string | Filter: aws, azure, gcp. |
| region | string | Filter by region. |
| type | string | Filter by resource type (e.g., EC2 Instance). |
| status | string | Filter by status (e.g., Running, Stopped). |
| search | string | Free-text search across name and ID. |
| page | number | Page number (default: 1). |
| limit | number | Results per page (max: 100). |

| Method | Path | Description |
|---|---|---|
| GET | /anomalies | List cost anomalies. Query: status, severity, limit, accountId. |
| PATCH | /anomalies/:id | Update anomaly status. Body: { "status": "acknowledged" } or "resolved". |

| Method | Path | Description |
|---|---|---|
| GET | /recommendations | List recommendations with filters. |
| PATCH | /recommendations/:id | Update recommendation status. |
| POST | /recommendations/:id/snooze | Snooze a recommendation until a date. |
| GET | /ai-recommendations | Get AI-generated recommendations. |

Query parameters for /recommendations:

| Parameter | Type | Description |
|---|---|---|
| status | string | open, in_progress, applied, dismissed. |
| type | string | Recommendation type filter. |
| provider | string | aws, azure, gcp. |
| accountId | string | Filter by cloud account. |
| category | string | Category filter. |
| limit | number | Max results (default: 50). |
| offset | number | Pagination offset. |
| includeSnoozed | boolean | Include snoozed recommendations. |

| Method | Path | Rate Limit | Description |
|---|---|---|---|
| GET | /budgets | | List all budgets with current spend. |
| POST | /budgets | 30/min | Create a budget. |
| PATCH | /budgets/:id | 30/min | Update a budget. |
| DELETE | /budgets/:id | | Delete a budget. |

Request body for POST /budgets:

{
  "name": "AWS Production",
  "amount": 5000,
  "currency": "USD",
  "cloud_account_id": "uuid-optional",
  "alert_at_80": true,
  "alert_at_100": true
}

| Method | Path | Rate Limit | Description |
|---|---|---|---|
| GET | /alerts | | List all alert rules. |
| POST | /alerts | 30/min | Create an alert rule. |
| GET | /alerts/:id | | Get alert rule details. |
| PATCH | /alerts/:id | 30/min | Update an alert rule. |
| DELETE | /alerts/:id | | Delete an alert rule. |

Request body for POST /alerts:

{
  "name": "Daily AWS > $500",
  "metric": "daily_spend",
  "conditionOp": ">",
  "threshold": 500,
  "currency": "USD",
  "notifyEmails": ["[email protected]"],
  "serviceFilter": "Amazon EC2",
  "regionFilter": "us-east-1",
  "cloudAccountId": "uuid-optional",
  "slackWebhookUrl": "https://hooks.slack.com/..."
}

| Method | Path | Description |
|---|---|---|
| GET | /approvals | List approval requests. Query: status, limit, offset. |
| GET | /approvals/:id | Get approval details. |
| POST | /approvals | Create approval request. Body: { "recommendation_id": "uuid" }. |
| PATCH | /approvals/:id | Approve or reject. Body: { "status": "approved" } or "rejected". |

| Method | Path | Rate Limit | Description |
|---|---|---|---|
| GET | /tagging-policies | | List all tagging policies. |
| POST | /tagging-policies | 30/min | Create a tagging policy (admin). |
| DELETE | /tagging-policies/:id | 30/min | Delete a tagging policy (admin). |
| GET | /tagging-policies/violations | | Get resources violating tagging policies (max 200). |

Request body for POST /tagging-policies:

{
  "tag_key": "team",
  "required": true,
  "allowed_values": ["api", "data", "frontend"],
  "applies_to": "all"
}

Valid applies_to values: all, ec2, rds, s3, compute, storage.


| Method | Path | Rate Limit | Description |
|---|---|---|---|
| GET | /allocation-rules | | List cost allocation rules. |
| POST | /allocation-rules | 30/min | Create allocation rule (admin). |
| PATCH | /allocation-rules/:id | 30/min | Update allocation rule. |
| DELETE | /allocation-rules/:id | | Delete allocation rule. |

| Method | Path | Rate Limit | Description |
|---|---|---|---|
| GET | /unit-economics | | Get cost per unit over date range. Query: startDate, endDate, metricName. |
| POST | /unit-economics/metrics | 30/min | Ingest a unit metric data point. |

Request body for POST /unit-economics/metrics:

{
  "name": "Active Customers",
  "metric_type": "customers",
  "value": 1247,
  "date": "2026-03-21"
}

Valid metric_type values: api_calls, transactions, customers, requests, custom.


| Method | Path | Rate Limit | Description |
|---|---|---|---|
| GET | /reports | 10/15min | Get report data as JSON. Query: startDate, endDate, accountId, format. |
| GET | /reports/pdf | 10/15min | Generate and download PDF report. |
| GET | /reports/excel | 10/15min | Generate and download Excel report. |
| GET | /reports/cost-summary | | Get cost summary data. |

| Method | Path | Rate Limit | Description |
|---|---|---|---|
| GET | /scheduled-reports | | List scheduled reports. |
| POST | /scheduled-reports | 30/min | Create a scheduled report (admin). |
| GET | /scheduled-reports/:id | | Get scheduled report details. |
| PATCH | /scheduled-reports/:id | 30/min | Update a scheduled report. |
| DELETE | /scheduled-reports/:id | | Delete a scheduled report. |

Request body for POST /scheduled-reports:

{
  "name": "Monthly CFO Report",
  "frequency": "monthly",
  "day_of_month": 1,
  "recipients": ["[email protected]", "[email protected]"],
  "cloud_account_id": null,
  "format": "pdf",
  "is_active": true
}

| Method | Path | Description |
|---|---|---|
| GET | /commitments/analysis | Get RI/SP coverage analysis with AI advice. |

| Method | Path | Description |
|---|---|---|
| GET | /network/summary | Get network cost summary. Query: account_id, days. |

| Method | Path | Description |
|---|---|---|
| GET | /users | List org users (admin: all, member: self). |
| GET | /users/:id | Get user details. |
| PATCH | /users/:id | Update user profile or role. |
| DELETE | /users/:id | Deactivate user (admin). |
| GET | /users/available-accounts | Get accounts available for invite modal (admin). |
| GET | /users/invitations/list | List pending invitations (admin). |
| GET | /users/:id/accounts | List user’s cloud account access (admin). |
| POST | /users/:id/accounts | Grant account access (admin). |
| DELETE | /users/:id/accounts/:accountId | Revoke account access (admin). |
| GET | /users/notification-preferences | Get notification settings. |
| PATCH | /users/notification-preferences | Update notification settings. |

| Method | Path | Description |
|---|---|---|
| GET | /organizations/current | Get current organization. |
| PATCH | /organizations/current | Update org name (admin). |
| GET | /organizations/stats | Get org statistics (admin). |
| DELETE | /organizations/close | Close org and delete all data (admin). Requires x-confirm-close: DELETE_MY_ORGANIZATION header. |
| PATCH | /organizations/require-2fa | Enforce mandatory 2FA (admin). |

| Method | Path | Description |
|---|---|---|
| GET | /audit | List audit logs (admin). Query: page, limit, action, user_email, from, to. |
| GET | /audit/actions | Get distinct action types for filter dropdown. |
| GET | /audit/export | Export audit logs as CSV (max 10,000 rows). |

| Method | Path | Rate Limit | Description |
|---|---|---|---|
| GET | /tokens | | List API tokens. |
| POST | /tokens | | Create API token. |
| DELETE | /tokens/:id | | Revoke API token. |
| POST | /tokens/exchange | 30/15min | Exchange xplorr_ token for JWT (used by MCP server). |

| Method | Path | Description |
|---|---|---|
| GET | /slack/install | Start Slack OAuth flow (admin). |
| GET | /slack/oauth_redirect | Slack OAuth callback. |
| GET | /slack/installation | Get Slack installation status. |
| DELETE | /slack/installation | Disconnect Slack (admin). |
| GET | /teams/install | Start Teams OAuth flow (admin). |
| GET | /teams/oauth_redirect | Teams OAuth callback. |
| GET | /teams/installation | Get Teams installation status. |
| DELETE | /teams/installation | Disconnect Teams (admin). |

| Method | Path | Description |
|---|---|---|
| GET | /channels | List Slack channel configs (admin). |
| POST | /channels | Create channel config (admin). |
| PATCH | /channels/:id | Update channel config (admin). |
| DELETE | /channels/:id | Delete channel config (admin). |

| Method | Path | Description |
|---|---|---|
| GET | /digest-settings | List digest schedules (admin). |
| POST | /digest-settings | Create digest schedule (admin). |
| PATCH | /digest-settings/:id | Update digest schedule (admin). |
| DELETE | /digest-settings/:id | Delete digest schedule (admin). |

| Method | Path | Description |
|---|---|---|
| GET | /settings | Get org-level settings. |
| PATCH | /settings | Update settings (admin). |
| POST | /settings/slack/test | Send test Slack message (admin). |

All errors follow a consistent format:

{
  "error": {
    "code": "BUDGET_NOT_FOUND",
    "message": "Budget with ID 'abc123' not found.",
    "status": 404
  }
}

Common error codes: UNAUTHORIZED (401), FORBIDDEN (403), NOT_FOUND (404), RATE_LIMITED (429), INTERNAL_ERROR (500).

List endpoints support page-based pagination:

GET /api/v1/recommendations?page=2&limit=25

Response includes pagination metadata:

{
  "data": [...],
  "total": 142,
  "page": 2,
  "limit": 25
}

Rate limits vary by endpoint type:

| Endpoint Type | Limit |
|---|---|
| Login / Auth | 20 requests per 15 minutes |
| Cost Queries | 30 requests per minute |
| Sync Triggers | 10 requests per hour |
| Write Operations | 30 requests per minute |
| Report Generation | 10 requests per 15 minutes |
| Token Exchange | 30 requests per 15 minutes |

When rate limited, the API returns 429 Too Many Requests with a Retry-After header.
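
The pagination, error format and rate-limit behaviour described above can be combined in one client loop. This is an added example, not Xplorr's own code: the `send(path, params)` transport hook, `XplorrError`, `fetch_all` and `fake_send` are hypothetical names, the sample responses are constructed, and `Retry-After` is assumed to carry whole seconds.

```python
import time

class XplorrError(Exception):
    """Raised for the documented {"error": {code, message, status}} envelope."""
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code = status, code

def retry_after_seconds(headers, default=1, cap=900):
    """Retry-After as whole seconds (assumed form); bad values -> default, clamped to cap."""
    raw = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
    try:
        return min(max(int(raw), 0), cap)
    except (TypeError, ValueError):
        return default

def fetch_all(send, path, limit=25, max_retries=3, sleep=time.sleep):
    """Yield every item of a page-based list endpoint, waiting out 429 responses.

    `send(path, params) -> (status, headers, body)` is a hypothetical transport hook.
    """
    page, seen, retries = 1, 0, 0
    while True:
        status, headers, body = send(path, {"page": page, "limit": limit})
        if status == 429 and retries < max_retries:
            retries += 1                      # bounded: never spin on a stuck limiter
            sleep(retry_after_seconds(headers))
            continue
        if status >= 400:
            err = body.get("error", {}) if isinstance(body, dict) else {}
            raise XplorrError(status, err.get("code", "UNKNOWN"), err.get("message", ""))
        retries = 0
        items = body.get("data", [])
        yield from items
        seen += len(items)
        if not items or seen >= body.get("total", 0):
            return                            # stop on an empty page or once total is reached
        page += 1

def fake_send(total=60):
    """Constructed stand-in for the HTTPS call: throttles page 2 once, then serves data."""
    throttled = []
    def send(path, params):
        page, limit = params["page"], params["limit"]
        if page == 2 and not throttled:
            throttled.append(True)
            body = {"error": {"code": "RATE_LIMITED", "message": "Too many requests.", "status": 429}}
            return 429, {"Retry-After": "2"}, body
        rows = list(range((page - 1) * limit, min(page * limit, total)))
        return 200, {}, {"data": rows, "total": total, "page": page, "limit": limit}
    return send
```

A real `send` would issue the HTTPS request with the `Authorization: Bearer` header and return the status, response headers and decoded JSON body; keep the token out of any logging done inside it.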