Webhooks & API

REST endpoints, GitHub webhooks, SSE log streams, MCP tools, and authentication for Molar Guard.

Webhooks & API

Molar Guard exposes a Fastify REST API at https://api.molar.it/v1 (or http://localhost:4000/v1 locally), GitHub webhooks for PR automation, Server-Sent Events for live logs, and an MCP server for AI agent integration.

OpenAPI spec: GET /v1/openapi.json on your Guard API host.


Authentication

MethodUse caseHeader
Session cookieDashboard browser (Better Auth)HttpOnly cookie — do not extract for scripts
API keyCI, GitHub Action, scriptsAuthorization: Bearer molar_…
Org scopeAll tenant-scoped callsx-org-id: <uuid>
Signed URL JWTOne-shot PR comment Approve/RejectQuery param token= (short-lived)
MCP OAuthIDE agents via Molar APIBearer from OAuth AS

Create API keys: app.molar.itSettings → API keys.

API keys support scoped permissions (mcp:read, mcp:write, mcp:run, scheduled_checks:manage, etc.).


GitHub webhooks (inbound)

Guard receives GitHub App events at:

POST https://api.molar.it/v1/webhooks/github

Security

Every delivery is validated before processing:

  • HMAC-SHA256 signature (X-Hub-Signature-256) via webhook secret
  • Replay prevention: delivery ID stored in Redis (SETEX guard:webhook:delivery:{id} 86400 1, NX)
  • Body size limit: 25 MB
  • Timestamp skew: reject deliveries older than 10 minutes

Subscribed events

pull_request, push, check_run, check_suite, installation, installation_repositories, pull_request_review

Typical flow

GitHub → POST /v1/webhooks/github
      → verify + dedupe
      → enqueue BullMQ (guard-pr | guard-schedule | mender)
      → 200 OK within seconds
      → worker processes asynchronously

If GH_APP_ID is unset (plug-and-play mode), GitHub webhooks are ignored — use the GitHub Action + API key path instead.


Outbound webhooks (alerts)

Configure generic webhooks in Settings → Notifications. Guard POSTs JSON on:

  • Incident opened / resolved
  • PR gate failure (optional)
  • Mender PR opened
  • Shadow-prod diff detected

Payload shape (example):

{
  "event": "incident.opened",
  "orgId": "00000000-0000-0000-0000-000000000001",
  "incidentId": "…",
  "scenarioSlug": "stripe-subscription-upgrade",
  "region": "us-east-1",
  "runId": "…",
  "failureSignature": "step-7: assertion .subscription-status",
  "traceUrl": "https://trace.molar.it/…",
  "timestamp": "2026-05-19T14:22:00Z"
}

Verify webhook authenticity via shared secret in notification settings (HMAC on request body).


REST API reference

Base URL: https://api.molar.it/v1

Runs

MethodPathDescription
POST/runs/manualTrigger manual run
GET/runsList runs (filters: type, status, scenario, repo)
GET/runs/:idRun detail + metadata
GET/runs/:id/logsSSE log stream
GET/runs/:id/artifacts/{kind}Presigned URL (screenshot, video, har, trace, etc.)

Manual run example:

curl -X POST https://api.molar.it/v1/runs/manual \
  -H "Authorization: Bearer $MOLAR_API_KEY" \
  -H "x-org-id: $ORG_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "scenarioId": "00000000-0000-0000-0000-000000000001",
    "region": "us-east-1",
    "baseUrl": "https://staging.example.com"
  }'

SSE logs:

curl -N https://api.molar.it/v1/runs/$RUN_ID/logs \
  -H "Authorization: Bearer $MOLAR_API_KEY" \
  -H "x-org-id: $ORG_ID"

Scheduled checks

MethodPathDescription
POST/scheduled_checksCreate
GET/scheduled_checksList
PUT/scheduled_checks/:idUpdate
DELETE/scheduled_checks/:idDelete
POST/scheduled_checks/:id/pausePause N hours

Incidents

MethodPathDescription
GET/incidentsList (filter by status, type)
GET/incidents/:idDetail + timeline
POST/incidents/:id/ackAcknowledge
POST/incidents/:id/suppressSuppress with reason

Mender

MethodPathDescription
GET/menderList attempts
GET/mender/:idAttempt detail
GET/mender/:id/previewPatch diff preview
POST/mender/:id/applySuggestive → open GitHub PR
POST/mender/:id/rejectReject with reason (RLHF)

Scenarios & affected detection

MethodPathDescription
GET/scenariosList scenarios
GET/scenarios/:idScenario detail
GET/scenarios/:id/affected_by/:shaDebug affected graph for commit

Monitoring & status

MethodPathDescription
GET/monitoring/gridProduction health matrix
GET/shadow-diff/:runIdShadow-prod observation pair
GET/statusPublic status page data (overall + per-scenario health)

Onboarding

MethodPathDescription
POST/onboarding/analytics-ackAcknowledge analytics filters
GET/onboarding/statusOnboarding checklist progress

Org & billing

MethodPathDescription
GET/orgs/:idOrg metadata
GET/billing/usageMetered usage vs plan
POST/api-keysCreate API key
DELETE/api-keys/:idRevoke

Audit

MethodPathDescription
GET/audit-eventsTamper-evident audit log (Owner/Admin)

Error responses

Standard shape:

{ "error": "<code>", "message": "<human explanation>" }

Common codes: 401 Unauthorized, 403 Forbidden, 429 Quota Exceeded, 429 Too Many Requests, 422 validation, 503 unavailable.

Full reference: Error codes


MCP server

Guard also publishes a standalone MCP server (stdio transport) with org-scoped API key auth:

Resources

URIContent
molar://incidents/{orgId}Open incidents
molar://orgs/{orgId}/runs/{runId}/traceRun trace
molar://scenarios/{id}/healthcheck?orgId=…Current scenario status

Tools (standalone Guard MCP)

ToolDescription
molar_rerunRe-enqueue a failed run
molar_mender_rejectReject a Mender suggestion (RLHF)
molar_ack_incidentAcknowledge an incident
molar_suppress_incidentSuppress an incident
molar_list_scenariosList scenarios for an org

The unified Molar MCP connector at mcp.molar.cloud (via molar-platform/packages/guards-mcp) exposes additional tools — molar_get_run, molar_get_mender_attempts, molar_run_scenarios, etc. — proxied through the Molar API.

Capability manifest: docs.molar.it/.well-known/molar-capabilities.json

MCP auth

Org API key with MCP scopes, or OAuth2 via the Molar API (mcp:read, mcp:write, mcp:run). MCP credentials do not use dashboard session cookies.


Rate limits

  • GitHub API calls: Octokit throttling + retry (per installation)
  • Guard REST: per-IP and per-org limits; honor Retry-After on 429
  • Webhook processing: per-installation BullMQ partition prevents noisy-neighbor starvation

Health & metrics

EndpointPurpose
GET /healthzLiveness
GET /readyzPostgres + Redis readiness
GET /metricsPrometheus metrics (ops)

SDKs and CLI

ToolInstall
CLInpx @molar/guard
GitHub Actionmolar/guard-action@v1
Synthetic middleware@molar/synthetic-middleware (npm)

No official language SDK yet — use REST + API key. OpenAPI client generation supported via /v1/openapi.json.


Next