API Reference
Fabrik REST API — base URL, authentication, pagination, throttling, error format, and the OpenAPI schema you can feed to any code generator.
Fabrik's backend is a Django REST Framework API behind a Daphne ASGI server. Everything the frontend does — login, run a query, schedule a task, talk to AWX — goes through the same JSON HTTP API documented here. There is nothing the UI can do that a script can't.
Base URL
All endpoints live under /api/:
https://your-fabrik-host/api/<app>/<resource>/The frontend Vite dev server proxies /api/* to the backend container in development; production deployments route it through nginx (see Production setup).
The OpenAPI schema
Fabrik generates an OpenAPI 3.0 schema from the code at runtime using drf-spectacular. Three endpoints expose it:
| Endpoint | Use |
|---|---|
GET /api/schema/ | Raw OpenAPI JSON. Feed it to openapi-generator, orval, or any other client generator. |
GET /api/docs/ | Interactive Swagger UI. Try endpoints from the browser. |
GET /api/redoc/ | ReDoc rendering. Easier to read for exploration. |
This reference is hand-written and curated — the OpenAPI schema is exhaustive. Use this reference for how to use the API. Use /api/schema/ when you need every field of every response for code generation.
Authentication
Fabrik uses JWT bearer tokens. All endpoints require authentication unless explicitly noted. Pass the access token in the Authorization header:
GET /api/queries/saved-queries/ HTTP/1.1
Host: fabrik.example.com
Authorization: Bearer <access_token>Access tokens live 15 minutes; refresh tokens live 7 days. See Authentication for the full login flow, refresh mechanics, and MFA.
Content types
- Requests:
application/jsonfor everything. Multipart uploads (e.g. MIM dump files) usemultipart/form-data— the endpoint docs call that out where it matters. - Responses:
application/json, UTF-8. Dates are ISO 8601 with timezone (2026-04-22T14:30:00+00:00). UUIDs are lowercase hex strings with dashes.
Pagination
List endpoints paginate with DRF's PageNumberPagination:
- Default page size: 50 items.
- Max page size: 200 (enforced per-endpoint where it matters).
- Query params:
?page=<n>&page_size=<n>.
Response envelope:
{
"count": 142,
"next": "https://fabrik.example.com/api/queries/saved-queries/?page=3",
"previous": "https://fabrik.example.com/api/queries/saved-queries/?page=1",
"results": [ /* 50 objects */ ]
}Some endpoints (stats, aggregates) don't paginate — they return a bare object. Endpoint docs mark these.
Filtering and ordering
Where supported:
?search=<term>— full-text search across documented fields.?ordering=<field>or?ordering=-<field>— sort ascending / descending.?<field>=<value>— exact-match filter on indexed fields.
Each endpoint page lists the supported filters for that resource.
Throttling
Two layers of rate limiting apply:
Application-level (DRF throttles):
| Scope | Rate |
|---|---|
| Anonymous requests | 60 / minute |
| Authenticated requests | 300 / minute |
| Sensitive actions (password reset, MFA disable, admin ops) | Lower, per-endpoint — see Authentication |
Reverse-proxy (nginx):
| Zone | Rate |
|---|---|
/api/* | 30 requests/second per IP, burst 50 |
/api/auth/login/, /api/auth/password-reset/ | 5 requests/minute per IP, burst 3 |
Exceeding either returns 429 Too Many Requests with a Retry-After header.
Error format
Successful responses vary by endpoint. Errors follow a consistent shape:
// 400 Bad Request — validation error
{
"field_name": ["This field is required."],
"another_field": ["Must be a valid UUID."]
}
// 401 Unauthorized — missing or invalid token
{ "detail": "Authentication credentials were not provided." }
// 403 Forbidden — authenticated but not allowed
{ "detail": "You do not have permission to perform this action." }
// 404 Not Found
{ "detail": "Not found." }
// 429 Too Many Requests
{ "detail": "Request was throttled. Expected available in 42 seconds." }
// 500 Internal Server Error
{ "detail": "Internal server error.", "request_id": "..." }Every 5xx response carries a request_id — include it when reporting bugs.
HTTP verbs
Standard REST semantics everywhere:
| Verb | Meaning |
|---|---|
GET | Read. Idempotent, cacheable. |
POST | Create, or invoke an action (/action/ sub-routes). |
PUT | Full replace. Send every field. |
PATCH | Partial update. Send only fields you're changing. |
DELETE | Remove. Returns 204 No Content on success. |
WebSockets
Long-running operations (query execution, AWX job monitoring, MIM import) stream progress over WebSocket. Connections are short-lived JWT-authenticated using a one-shot ticket exchanged through /api/ws-ticket/. See WebSockets.
Where to go next
Authentication
Login, refresh, MFA, password reset, user and group management.
APIC connections
Manage the APIC controllers Fabrik queries against.
Queries
Saved queries, execution, scheduled tasks, post-processors.
AI builder
Configure AI providers and use natural-language query generation.
AWX
AWX connections, automation templates, executions, webhooks.
MIM
Class hierarchy, search, and MIM registry imports.
Time Machine
Snapshots, comparisons, cleanup.
Audit and notifications
Read the audit log, manage notification preferences.
WebSockets
Real-time channels for execution progress and notifications.