Ingestion API

The ingestion API receives security events from your forwarders and connectors and writes them into Jutsu for enrichment and triage. You authenticate each request with your ingest API key.

Authentication

Send your ingest API key in the X-API-Key header, or as Authorization: Bearer <key>. Generate and rotate ingest API keys in your organization settings. Each key is scoped to a single organization, so events land only in your tenant. Requests without a valid, active key receive 401.

Use the base URL for your deployment.

Wazuh webhook

Send Wazuh alerts to the Wazuh webhook. The body is a single alert object or an array of alert objects, indexed in one batch.

POST /api/v1/webhooks/wazuh

A successful response reports how many events were received, indexed, and failed:

{
  "success": true,
  "received": 2,
  "indexed": 2,
  "failed": 0,
  "results": [
    { "id": "<event-id>", "index": "<index>", "isAlert": true }
  ]
}

If a payload is shaped like a Wazuh alert but sent to the wrong endpoint, the API rejects it and tells you which endpoint to use instead.

Syslog webhook

Send connector-formatted syslog events to the syslog webhook. As with Wazuh, the body is a single event object or an array of objects.

POST /api/v1/webhooks/syslog

Each syslog event includes a full_log string and may carry fields such as timestamp, hostname, app, severity, and an optional id. A minimal batch looks like:

[
  {
    "full_log": "Failed password for invalid user admin from 203.0.113.10",
    "hostname": "edge-01",
    "app": "sshd",
    "severity": "high",
    "id": "evt-001"
  }
]

The API validates each entry, indexes the valid ones, and returns the same received / indexed / failed / results shape as the Wazuh webhook. Events that fail validation are recorded and reported back in the response.

Field names and the accepted severity values follow the connector format. Confirm the exact payload schema against your deployment.
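The following Python is an added example, not Jutsu's own code: a forwarder checks each syslog batch for full_log before sending, then compares the response counters with what it sent so that dropped security events are noticed. The base URL and key are placeholders, the function names are hypothetical, and the Content-Type header is an assumption.

```python
import json
import urllib.request

SYSLOG_PATH = "/api/v1/webhooks/syslog"  # endpoint path from this page


def build_syslog_request(base_url, api_key, events):
    """Return an unsent POST request for one event or a batch of events."""
    if not api_key:
        raise ValueError("missing ingest API key")
    batch = events if isinstance(events, list) else [events]
    for i, event in enumerate(batch):
        # Every syslog event must carry a full_log string.
        if not isinstance(event, dict) or not isinstance(event.get("full_log"), str):
            raise ValueError(f"event {i} has no full_log string")
    return urllib.request.Request(
        base_url.rstrip("/") + SYSLOG_PATH,
        data=json.dumps(batch).encode("utf-8"),
        method="POST",
        # Content-Type is an assumption; X-API-Key is the header named on this page.
        headers={"Content-Type": "application/json", "X-API-Key": api_key},
    )


def ingest_gaps(sent_count, response_body):
    """Return a list of problems; an empty list means every event was indexed."""
    reply = json.loads(response_body)
    problems = []
    if reply.get("success") is not True:
        problems.append("success flag is not true")
    if reply.get("received") != sent_count:
        problems.append(f"sent {sent_count}, API received {reply.get('received')}")
    if (reply.get("failed") or 0) > 0:
        problems.append(f"{reply['failed']} event(s) failed validation")
    if reply.get("indexed") != sent_count:
        problems.append(f"{reply.get('indexed')} of {sent_count} indexed")
    return problems


if __name__ == "__main__":
    # Constructed sample; the base URL and key are placeholders.
    event = {"full_log": "Failed password for invalid user admin from 203.0.113.10",
             "hostname": "edge-01", "app": "sshd", "severity": "high", "id": "evt-001"}
    req = build_syslog_request("https://jutsu.example.invalid", "PLACEHOLDER-KEY", event)
    print(req.get_method(), req.full_url, len(req.data), "bytes")
    # To send: urllib.request.urlopen(req, timeout=10).read(), then ingest_gaps(1, body).
    reply = '{"success": true, "received": 1, "indexed": 0, "failed": 1, "results": []}'
    print(ingest_gaps(1, reply))
```

Load the key from a secret store or environment variable at run time rather than embedding it in the forwarder script.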

Sending custom events

There is no separate generic endpoint — custom and host-level events are delivered through the syslog webhook above using the connector format. Map your event into a full_log line (plus any optional fields) and POST it to /api/v1/webhooks/syslog. See Custom events for the connector setup.

Send each payload to the matching endpoint. Wazuh alerts go to the Wazuh webhook and connector events go to the syslog webhook; mismatched payloads are rejected.