Management API - Monitoring And Logs
Use these endpoints to retrieve dashboard analytics, subscribe to real-time portal notifications, query audit activity, query device events, and manage App Integrity configurations.
Query only the data your organization needs, and align exports with your privacy, retention, and access policies.
Integration Notes
| Need | Recommendation |
|---|---|
| Compliance export | Run scheduled exports before portal retention windows expire. |
| Incident review | Preserve query strings, cursors, time ranges, and exported records with the incident timeline. |
| Support tooling | Redact or minimize device data before copying logs into external systems. |
| Dashboard parity | Expect API output to support the same operational questions as portal dashboard views. |
| Permissions | Use scoped API tokens and review who can access exported telemetry. |
Security Dashboard
Get aggregate security analytics for your tenant.
POST /frontend/security_dashboard_dataPermission: None (read-only)
Request Body:
{}No dashboard request filters are currently supported.
Response:
{
"detections_last_30_days": 45000,
"number_of_active_devices": 890,
"android_versions": {
"14": 320,
"13": 210
},
"ios_versions": {
"17.2": 180,
"16.7": 90
},
"event_types_count": {
"root_detection": 145,
"emulator_detection": 67,
"hooking_detection": 42
},
"event_locations": [
{
"latLng": [37.0902, -95.7129],
"name": "United States : 450",
"country_name": "United States"
}
],
"device_locations": [
{
"latLng": [55.3781, -3.4360],
"name": "United Kingdom : 120",
"country_name": "United Kingdom"
}
]
}WebSocket - Real-Time Notifications
Use WebSocket notifications to receive best-effort portal updates such as build progress, build completion, support-ticket updates, and library-build updates.
Get WebSocket Ticket
POST /frontend/ws-ticketPermission: None
Request Body:
{}Response:
{
"ticket": "ws-ticket-uuid"
}Tickets are single-use and expire after 30 seconds. Connect to your AppTego WebSocket endpoint with both the ticket and tenant ID:
wss://<your-websocket-endpoint>?ticket=ws-ticket-uuid&tenant=tenant-uuidMessage Examples
Build progress:
{
"type": "build_progress",
"start_time": 1700000000,
"version": "production",
"platform": "android",
"status_message": "Decompiling APK..."
}Build completion:
{
"type": "build_complete",
"start_time": 1700000000,
"version": "production",
"platform": "android",
"success": true
}Support ticket update:
{
"type": "support_ticket",
"ticket_id": "ticket-uuid-1234",
"update_type": "new_comment",
"data": {}
}WebSocket delivery is best effort. Keep polling build history as the source of truth for release automation.
Audit Logs
Query the audit trail of API and portal actions within your tenant. Requires an Enterprise plan.
POST /frontend/audit_logs_queryPermission: None (read-only for Enterprise tenants) Plan: Enterprise
Request Body:
{
"from": 1700000000,
"to": 1700100000,
"query": "api_call CONTAINS 'config' AND successful = true",
"last_event": 2450
}| Field | Type | Required | Description |
|---|---|---|---|
from | Integer | Yes | Unix timestamp at the start of the query range. |
to | Integer | Yes | Unix timestamp at the end of the query range. |
query | String | Yes | SQL-like filter. Use an empty string to match all audit rows in the time range. |
last_event | Integer | No | Cursor for the next page. Use the smallest event value from the previous page. |
The API returns up to 50 rows ordered by newest event first.
Supported audit query columns:
| Column | Type |
|---|---|
event | Integer |
user_id | String |
api_call | String |
creation_time | Integer |
successful | Boolean |
raw_data | String |
Supported operators include =, !=, <>, >, <, >=, <=, LIKE, NOT LIKE, CONTAINS, IN (...), IS NULL, IS NOT NULL, AND, OR, NOT, and parentheses.
Response:
{
"results": [
{
"event": 2450,
"user_id": "admin@example.com",
"api_call": "config_update",
"creation_time": 1700050000,
"successful": true,
"raw_data": "{\"version\":\"production\",\"name\":\"RootDetectionResponse\"}"
}
]
}Device Logs
Query device-level security event logs for protected apps. Requires an Enterprise plan.
POST /frontend/device_logs_queryPermission: None (read-only for Enterprise tenants) Plan: Enterprise
Request Body:
{
"from": 1700000000,
"to": 1700100000,
"event_type": "root_detection",
"device_id": "device-fragment",
"query": "country = 'US' AND event_data CONTAINS 'Pixel'",
"last_evaluated_key": "2025-01-16 12:34:56.789+00"
}| Field | Type | Required | Description |
|---|---|---|---|
from | Integer | No | Unix timestamp at the start of the query range. |
to | Integer | No | Unix timestamp at the end of the query range. |
event_type | String | No | Exact event type filter. |
device_id | String | No | Partial device ID filter. |
query | String | No | SQL-like filter or plain keyword search. Maximum 2000 characters. |
last_evaluated_key | String | No | Cursor returned by the previous page. |
The API returns up to 50 rows ordered by newest event first.
Supported structured query columns:
| Column | Type |
|---|---|
event_id | String |
device_id | String |
event_type | String |
event_data | JSON text search |
ip_address | String |
country | String |
created_at | Timestamp |
If query is not a structured expression, it is treated as a keyword search across device ID, event type, country, and event data.
Response:
{
"results": [
{
"event_id": "evt-uuid-1234",
"device_id": "dev-uuid-5678",
"event_type": "root_detection",
"event_data": {
"model": "Pixel 8",
"os_version": "14",
"app_version": "2.1.0"
},
"ip_address": "203.0.113.50",
"country": "US",
"timestamp": 1700050000
}
],
"last_evaluated_key": "2025-01-16 12:20:00.000+00"
}last_evaluated_key is present only when another page may exist.
App Integrity
Manage Google Play Integrity and Apple App Attest configuration. App Integrity supports multiple configurations per tenant and version. Requires an Enterprise plan.
Action values match the standard response-control model: log, die, redirect, and message.
Get App Integrity Settings
POST /frontend/app_integrity_settingsPermission: None (read-only) Plan: Enterprise
Request Body:
{
"version": "production"
}Response:
{
"configs": [
{
"config_id": "integrity-uuid-1234",
"name": "Android production",
"platform": "android",
"enabled": true,
"action": "log",
"package_name": "com.example.myapp",
"decryption_key": "masked-decryption-key-ending-ABCD",
"verification_key": "masked-verification-key-ending-WXYZ",
"required_device_verdict": "MEETS_DEVICE_INTEGRITY",
"require_play_recognized": true
}
]
}Secret fields such as Android decryption and verification keys are masked when returned. The masked value preserves only the final characters.
Create App Integrity Config
Create a disabled configuration shell for one platform.
POST /frontend/app_integrity_createPermission: Configuration Plan: Enterprise
Request Body:
{
"version": "production",
"platform": "android",
"name": "Android production"
}| Field | Type | Required | Description |
|---|---|---|---|
version | String | Yes | development, staging, or production. |
platform | String | Yes | android or ios. |
name | String | Yes | Display name, maximum 100 characters. Letters, numbers, spaces, hyphens, underscores, and dots are accepted. |
Response:
{
"success": true,
"config": {
"config_id": "integrity-uuid-1234",
"name": "Android production",
"platform": "android",
"enabled": false,
"action": "log"
}
}Update App Integrity Config
Update an existing configuration. The platform is set at creation and cannot be changed by update.
POST /frontend/app_integrity_updatePermission: Configuration Plan: Enterprise
Android Request Body:
{
"version": "production",
"config_id": "integrity-uuid-1234",
"name": "Android production",
"enabled": true,
"action": "log",
"decryption_key": "base64-decryption-key",
"verification_key": "base64-verification-key",
"package_name": "com.example.myapp",
"cloud_project_number": "123456789012",
"required_device_verdict": "MEETS_DEVICE_INTEGRITY",
"require_play_recognized": true
}iOS Request Body:
{
"version": "production",
"config_id": "integrity-uuid-5678",
"name": "iOS production",
"enabled": true,
"action": "die",
"team_id": "ABCDE12345",
"bundle_id": "com.example.myapp"
}| Common Field | Type | Required | Description |
|---|---|---|---|
version | String | Yes | development, staging, or production. |
config_id | String | Yes | ID returned by create/list. |
name | String | No | Updated display name. |
enabled | Boolean | No | Enable or disable this integrity configuration. Required platform credentials must be present before enabling. |
action | String | No | log, die, redirect, or message. |
App Integrity configuration payloads can be up to 9 MB (9,437,184 UTF-8 bytes) after compact JSON serialization. If the App Integrity action uses a message response, the same message field limits apply as standard response controls: 8 KB for the title, 16 KB for the body, and 8 KB for each button label.
| Android Field | Required When Enabled | Description |
|---|---|---|
decryption_key | Yes | Google Play Integrity decryption key. |
verification_key | Yes | Google Play Integrity verification key. |
package_name | Yes | Android package name. |
cloud_project_number | No | Numeric Google Cloud project number. |
required_device_verdict | No | MEETS_BASIC_INTEGRITY, MEETS_DEVICE_INTEGRITY, or MEETS_STRONG_INTEGRITY. |
require_play_recognized | No | Require Play Store recognition. |
| iOS Field | Required When Enabled | Description |
|---|---|---|
team_id | Yes | Apple Team ID. |
bundle_id | Yes | App bundle identifier. |
Response:
{
"config": {
"config_id": "integrity-uuid-1234",
"name": "Android production",
"platform": "android",
"enabled": true,
"action": "log",
"package_name": "com.example.myapp",
"decryption_key": "masked-decryption-key-ending-ABCD",
"verification_key": "masked-verification-key-ending-WXYZ",
"cloud_project_number": "123456789012",
"required_device_verdict": "MEETS_DEVICE_INTEGRITY",
"require_play_recognized": true
}
}Delete App Integrity Config
Delete one App Integrity configuration.
POST /frontend/app_integrity_deletePermission: Configuration Plan: Enterprise
Request Body:
{
"version": "production",
"config_id": "integrity-uuid-1234"
}Response:
{
"success": true
}