Skip to main content

Developers · Partner API

One REST API. A working session in your first request.

This page is the real shape of the API, not a sales mockup: the exact auth header, request fields, and response your integration will see. Enough to evaluate feasibility before you talk to us — the full 17-endpoint reference, SDKs, and a live sandbox come with approved access.

Authentication

A bearer token, issued per organization.

Every request except your onboarding portal links and the health check requires an Authorization: Bearer header. The token encodes your org identity, so no separate org header is needed. You get yours from the dashboard the moment your account is approved (Settings → API Token) — no separate credential request, no waiting on a second approval.

Base URL

https://dashboard.aiseptor.com in production. A staging environment is available for integration testing before you go live.

Rate limits

120 requests/minute per IP on the standard gateway. Exceeding it returns 429 with a Retry-After header.

Create your first session

One request. One candidate. One secured session.

external_id is your own candidate or session identifier and doubles as an idempotency key — send the same value twice and you get the same session back, not a duplicate.

POST /api/v1/sessions
POST /api/v1/sessions
Authorization: Bearer $ARES_API_TOKEN

{
  "external_id": "candidate-abc-123",
  "candidate_name": "Jane Smith",
  "exam_title": "Backend Engineer L4 — Coding Round",
  "duration_minutes": 90,
  "preset": "codility",
  "callback_url": "https://your-platform.com/webhooks/ares"
}

// → 201 Created
{
  "session_id": "550e8400-e29b-41d4-a716-446655440000",
  "status": "PENDING",
  "onboarding_url": "https://dashboard.aiseptor.com/onboard?s=550e8400...",
  "expires_at": "2026-07-06T22:30:00.000Z"
}

Redirect the candidate to onboarding_url. They download the agent, it connects using the join code shown there, and you get a candidate.joined webhook the moment the connection is live — no polling required.

Webhooks

Every session event, pushed and signed.

Ten event types cover the full session lifecycle — join, leave, threat detected, verdict ready, ended, and more. Every delivery is signed with HMAC-SHA256 so you can verify it actually came from Aiseptor.

Payload shape

POST your callback_url
{
  "event": "candidate.joined",
  "session_id": "550e8400-...",
  "timestamp": "2026-07-06T21:15:00.000Z",
  "data": { "hardware_id": "..." }
}

Verifying the signature

verify.js
const crypto = require('crypto');

function verify(body, sig, secret) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(sig), Buffer.from(expected)
  );
}

That's the whole shape of it.

Approved partners get the full 17-endpoint reference (live session controls, DNS and activity logs, embeddable audit reports), an OpenAPI spec, a Node.js SDK, and a staging environment to build against before going live. Most integrations are running in production in under a business day.

We use essential cookies to run this site and, with your consent, first-party analytics cookies to understand how it's used. We don't use advertising or third-party tracking cookies. Learn more