API Reference (preview).
A high-level overview of the Andora API surface. This page describes the core resources and patterns; full versioned docs will live in the customer portal.
Authentication
The Andora API is secured via API keys scoped to your workspace. Keys can be created and rotated from the dashboard. All requests must be sent over HTTPS and include a bearer token in the Authorization header.
This is a marketing-facing outline only; concrete endpoints and schemas will be exposed to customers inside the product.
Core resources
The API is organized around a small set of core resources:
- Guardrails – definitions of spend policies and enforcement rules.
- Integrations – connected cloud and AI providers.
- Metrics – normalized spend and usage signals over time.
- Events – audit trail of spend-affecting changes and alerts.
Use cases
Typical integrations with the Andora API include:
- Syncing guardrail decisions into your internal approval tools.
- Pushing alerts into chat, incident, or ticketing systems.
- Exporting normalized metrics into a warehouse for custom reporting.
Enforcement check (preview)
Before calling an AI or cloud provider, your gateway can ask Andora whether the request is within policy ceilings for a given team, feature, or agent. The response tells you to allow, block, throttle, or route the request.
POST /api/enforcement/check
{
  "provider": "openai",
  "team": "Data Science",
  "agentId": "agent-123",
  "metric": {
    "type": "tokens",
    "unit": "tokens",
    "value": 2500000,
    "window": "day"
  }
}
// Example response
{
  "allowed": false,
  "action": "route",
  "routeTarget": "gpt-4o-mini",
  "guardrailId": "gr_...",
  "message": "Reroute request according to guardrail GPT‑4 tokens/day – Data Science"
}
Quick start — enforcement check
Copy-paste examples. Auth: use your session cookie (from dashboard login) or call from a Next.js API route where the session is automatic.
cURL
curl -X POST "https://your-app.vercel.app/api/enforcement/check" \
  -H "Content-Type: application/json" \
  -b "next-auth.session-token=YOUR_SESSION_COOKIE" \
  -d '{
    "provider": "openai",
    "team": "Data Science",
    "metric": {
      "type": "tokens",
      "unit": "tokens",
      "value": 1500000,
      "window": "day"
    }
  }'
Node (Next.js API route)
// Forward the incoming request cookie so the enforcement API sees the session.
export async function POST(req: Request) {
  const res = await fetch(new URL("/api/enforcement/check", req.url).href, {
    method: "POST",
    headers: { "Content-Type": "application/json", cookie: req.headers.get("cookie") ?? "" },
    body: JSON.stringify({
      provider: "openai",
      team: "Data Science",
      metric: { type: "tokens", unit: "tokens", value: 1_500_000, window: "day" },
    }),
  });
  const decision = await res.json();
  // Anything other than an explicit allow stops here; the provider is never called.
  if (!decision.allowed) {
    return Response.json({ error: decision.message }, { status: 429 });
  }
  // Proceed to call OpenAI and return its response...
  return Response.json({ ok: true }); // placeholder so the handler always returns a Response
}
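The route handler above only distinguishes allowed from not allowed. As an added example (not Andora's code and not part of the original page), this is one way a gateway could map the full decision onto allow, block, throttle, or route while failing closed on errors and refusing route targets it does not already permit. Field names come from the example response above; the action strings other than "route", the HTTP status codes, the assumption that decisions arrive with HTTP 200, and the names decide, GatewayStep and routable are assumptions.

```typescript
// Added example, not Andora's code. Field names follow the example response on
// this page; action strings other than "route" and the status codes are assumed.
type GatewayStep =
  | { kind: "forward"; model?: string }
  | { kind: "reject"; status: 403 | 429 | 503; reason: string };

const KNOWN_ACTIONS = new Set(["allow", "block", "throttle", "route"]);

// httpStatus and body are what the gateway received from /api/enforcement/check
// (assumed: decisions arrive with HTTP 200); routable is the gateway's own
// allow-list of models it may reroute to.
function decide(httpStatus: number, body: unknown, routable: ReadonlySet<string>): GatewayStep {
  // Fail closed: an auth error, a 5xx or a non-object body is never read as "allowed".
  if (httpStatus !== 200 || typeof body !== "object" || body === null) {
    return { kind: "reject", status: 503, reason: "enforcement check unavailable" };
  }
  const { allowed, action, routeTarget, message } = body as Record<string, unknown>;
  if (typeof allowed !== "boolean" || typeof action !== "string" || !KNOWN_ACTIONS.has(action)) {
    return { kind: "reject", status: 503, reason: "malformed enforcement decision" };
  }
  const reason = typeof message === "string" ? message : "blocked by guardrail";
  switch (action) {
    case "allow":
      // allowed and action must agree; a contradictory pair is treated as a denial.
      return allowed ? { kind: "forward" } : { kind: "reject", status: 403, reason };
    case "route":
      // Reroute only to a model the gateway already permits, never to an arbitrary string.
      return typeof routeTarget === "string" && routable.has(routeTarget)
        ? { kind: "forward", model: routeTarget }
        : { kind: "reject", status: 403, reason: "route target not permitted" };
    case "throttle":
      return { kind: "reject", status: 429, reason };
    default: // "block"
      return { kind: "reject", status: 403, reason };
  }
}

// Constructed input: the example response shown on this page.
const sampleStep = decide(
  200,
  { allowed: false, action: "route", routeTarget: "gpt-4o-mini", guardrailId: "gr_...", message: "Reroute request" },
  new Set(["gpt-4o-mini"]),
);
```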