CAPABILITY · REST API & WEBHOOKS

Integrate Itamite
with your entire stack.

REST API documented with OpenAPI 3.0. Webhooks with HMAC-SHA256 signature. Native integrations with Slack, Teams, Jira, ServiceNow, Splunk, Sentinel, Elastic. Events available for everything that happens on the platform.

API documentation Request demo

Itamite is not a closed box

Any data you see in the console is available via REST API. Any event that happens triggers webhooks your system can consume. And everything the console does, you can do programmatically from your scripts, your CI/CD or your platform. Your data is yours, and our API reflects that.

REST API

Standard REST, JSON, OpenAPI 3.0

Base URL and authentication

Base: https://api.itamite.com/api/v1/. Authentication with Bearer token (1h JWT or API key without expiration). Header: Authorization: Bearer ... OpenAPI 3.0 spec at /api/docs. Importable in Postman, Insomnia, openapi-generator.

API keys with scopes

Create API keys per integration with specific scopes: read:assets, write:assets, read:commands, write:commands, read:reports, write:reports, read:audit, read:billing, admin (all permissions). Immediate rotation and revocation from UI.

Most used endpoints

GET /assets — list assets with filters and pagination. GET /assets/{id} — full detail. POST /commands — sends command to asset(s). GET /assets/{id}/posture — asset posture. POST /reports — generates on-demand report. GET /audit?from=&to= — exports audit.

Rate limiting per plan

Business: 1,000 req/min. Professional: 5,000 req/min. Enterprise: 20,000 req/min. Header X-RateLimit-Remaining indicates how many requests remain in current window (1 minute). If you hit 0, HTTP 429 until reset.

WEBHOOKS

Push notifications to your system

01

Available events

asset.created/updated/deleted, command.succeeded/failed, alert.created/resolved, report.generated, compliance.changed, license.expiring, session.started/ended, policy.violated. Granular subscription or wildcard *.

02

HMAC-SHA256 signature

Each request includes header X-Itamite-Signature with HMAC-SHA256 signature of payload using a secret you configure. Your server verifies signature before processing — protection against spoofing.

03

Exponential retries

If your endpoint returns 5xx or doesn't respond, Itamite retries at 1min, 4min, 16min. After 3 attempts, marks event as "not delivered" in webhook panel (you can resend manually).

04

Logs and debugging

Webhook panel shows: last 100 requests per webhook with status, latency, request body, response body. One-click replay on any event. Useful for debugging integrations.

NATIVE INTEGRATIONS

Connectors ready without writing code

  • Slack and Teams: Notifications to Slack or Teams channel with incoming webhook. Configure which events go to which channel: critical alerts to #incidents, expiring licenses to #procurement, failed commands to #support. Messages with direct links to Itamite detail.
  • Jira and ServiceNow: Automatically create tickets in Jira (Cloud/Server) or ServiceNow when a critical alert fires. Ticket includes context: affected asset, technical value, and recommended action. When alert resolves, ticket updates automatically.
  • SIEM Splunk, Sentinel, Elastic: Export entire immutable audit to your SIEM in real time: Splunk HEC (HTTP Event Collector), Microsoft Sentinel (Log Analytics API), Elastic (Logstash HTTP input). Step-by-step configuration with integrated wizard.
  • Own SMTP email: Enterprise plan: configure your corporate SMTP server so Itamite notifications (alerts, reports, invitations) come from your domain (alerts@yourcompany.com), not from itamite.com.
  • Discord, Mattermost, Rocket.Chat: Support via incoming webhook for alternative chat tools. Same pattern as Slack/Teams. Useful for technical teams using open-source stack.
  • Generic webhook: For any system not natively integrated, generic webhook sends POST JSON to URL you configure, with customizable headers (including Authorization). JSON schema documented in /api/docs.
FAQ

API questions

Does the API have additional cost?
No. REST API and webhooks are included in all plans. Only rate limits change per plan.
Is there official SDK?
Yes. Official SDKs in Python, JavaScript/TypeScript and Go. PHP and Java on roadmap. For other languages, you automatically generate the client from OpenAPI spec with openapi-generator.
API versioning?
URL versioning: /api/v1/. Commitment: any breaking change announced 12 months in advance. Old versions kept 24 months after new version introduction. No surprises.
Can I embed Itamite console in my internal portal?
Yes, in Enterprise plan. You can embed Itamite dashboards in your internal portal with SSO/SAML authentication. You can also build your own UI consuming the API.
Is there sandbox/staging to test the API?
Yes. Each Enterprise client has free staging tenant with synthetic data to test integrations without affecting production. For Business and Professional, the 30-day trial serves as sandbox.

Build on Itamite

Complete OpenAPI documentation. Official SDKs. No additional cost.

See API documentation See pricing