Developers · Partner API
One REST API. A working session in your first request.
This page is the real shape of the API, not a sales mockup: the exact auth header, request fields, and response your integration will see. Enough to evaluate feasibility before you talk to us — the full 17-endpoint reference, SDKs, and a live sandbox come with approved access.
Authentication
A bearer token, issued per organization.
Every request except your onboarding portal links and the health check requires an Authorization: Bearer header. The token encodes your org identity, so no separate org header is needed. You get yours from the dashboard the moment your account is approved (Settings → API Token) — no separate credential request, no waiting on a second approval.
Base URL
https://dashboard.aiseptor.com in production. A staging environment is available for integration testing before you go live.
Rate limits
120 requests/minute per IP on the standard gateway. Exceeding it returns 429 with a Retry-After header.
Create your first session
One request. One candidate. One secured session.
external_id is your own candidate or session identifier and doubles as an idempotency key — send the same value twice and you get the same session back, not a duplicate.
POST /api/v1/sessions
Authorization: Bearer $ARES_API_TOKEN

{
  "external_id": "candidate-abc-123",
  "candidate_name": "Jane Smith",
  "exam_title": "Backend Engineer L4 — Coding Round",
  "duration_minutes": 90,
  "preset": "codility",
  "callback_url": "https://your-platform.com/webhooks/ares"
}

// → 201 Created
{
  "session_id": "550e8400-e29b-41d4-a716-446655440000",
  "status": "PENDING",
  "onboarding_url": "https://dashboard.aiseptor.com/onboard?s=550e8400...",
  "expires_at": "2026-07-06T22:30:00.000Z"
}

Redirect the candidate to onboarding_url. They download the agent, it connects using the join code shown there, and you get a candidate.joined webhook the moment the connection is live — no polling required.
Webhooks
Every session event, pushed and signed.
Ten event types cover the full session lifecycle — join, leave, threat detected, verdict ready, ended, and more. Every delivery is signed with HMAC-SHA256 so you can verify it actually came from Aiseptor.
Payload shape
{
  "event": "candidate.joined",
  "session_id": "550e8400-...",
  "timestamp": "2026-07-06T21:15:00.000Z",
  "data": { "hardware_id": "..." }
}

Verifying the signature
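const crypto = require('crypto');

// body: the request body exactly as received, before any JSON parsing.
// sig: the signature value sent with the delivery; secret: your webhook secret.
function verify(body, sig, secret) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex');
  const received = Buffer.from(String(sig || ''));
  const wanted = Buffer.from(expected);
  // timingSafeEqual throws on unequal lengths, so reject those first.
  return received.length === wanted.length &&
    crypto.timingSafeEqual(received, wanted);
}

That's the whole shape of it.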
Approved partners get the full 17-endpoint reference (live session controls, DNS and activity logs, embeddable audit reports), an OpenAPI spec, a Node.js SDK, and a staging environment to build against before going live. Most integrations are running in production in under a business day.
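An added example (not Aiseptor's code) that extends the signature check under "Verifying the signature" into a delivery handler that also rejects stale and replayed events. The 5-minute window, the dedup key built from session_id, event and timestamp, and the sample secret and payload are assumptions; the signature header name is not given on this page, so the handler takes the header value as an argument.

```javascript
const crypto = require('crypto');

const MAX_SKEW_MS = 5 * 60 * 1000; // assumption: accept events up to 5 minutes old
const seen = new Set();            // demo only; use a shared store with a TTL in production

function sign(rawBody, secret) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

function signatureOk(rawBody, sig, secret) {
  const a = Buffer.from(String(sig || ''));
  const b = Buffer.from(sign(rawBody, secret));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// rawBody: Buffer of the bytes as received. sig: the signature header value.
function handleDelivery(rawBody, sig, secret, nowMs = Date.now()) {
  if (!signatureOk(rawBody, sig, secret)) return 'rejected: bad signature';
  let evt;
  try { evt = JSON.parse(rawBody.toString('utf8')); } // parse only after verifying
  catch { return 'rejected: malformed body'; }
  const ts = Date.parse(evt.timestamp);
  if (Number.isNaN(ts) || Math.abs(nowMs - ts) > MAX_SKEW_MS) return 'rejected: stale';
  const key = `${evt.session_id}|${evt.event}|${evt.timestamp}`; // assumed dedup key
  if (seen.has(key)) return 'ignored: duplicate';
  seen.add(key);
  return 'accepted';
}

// Constructed sample delivery, secret and clock.
const SECRET = 'constructed-demo-secret';
const RAW = Buffer.from('{"event":"candidate.joined","session_id":"550e8400-e29b-41d4-a716-446655440000","timestamp":"2026-07-06T21:15:00.000Z","data":{"hardware_id":"hw-constructed"}}');
const NOW = Date.parse('2026-07-06T21:15:30.000Z');
const SIG = sign(RAW, SECRET);

function demo() {
  seen.clear();
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW.toString('utf8')), null, 2));
  return [
    handleDelivery(RAW, SIG, SECRET, NOW),             // first delivery
    handleDelivery(RAW, SIG, SECRET, NOW),             // same delivery replayed
    handleDelivery(RAW, SIG, SECRET, NOW + 3600000),   // replayed an hour later
    handleDelivery(reserialized, SIG, SECRET, NOW),    // body re-serialized before verifying
    handleDelivery(RAW, undefined, SECRET, NOW),       // signature missing
  ];
}
console.log(demo());
```

The fourth case is the common integration failure: a JSON body parser that re-serializes the payload changes the bytes, so the HMAC no longer matches.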