Why now
Owning your community is the headline pitch. Owning it includes being able to wire it to the rest of your stack: pipe new posts to a Slack channel, fire a Loops welcome series from a sign-up, mirror moderator decisions to your internal incident log, drop a CSV of last week's posts into a BI tool. None of that is interesting work, but skipping it means the community lives in a silo. Today's release fixes that.
What shipped
API keys with hashed storage and live/test environments
Create a key from /admin/api-keys. It is shown once, then stored as a SHA-256 hash and compared in constant time on lookup. Each key has an environment (live or test) and a scope set (read or write, per resource), so the key you hand a sandbox script cannot mint posts in production. Last-used timestamp and IP get recorded on every request so a dormant key is obvious before it becomes a liability.
A cursor-paginated event log
Every public event your tenant emits lands in an append-only log with a ULID-style id. GET /api/v1/events returns them newest-first with a cursor parameter for paging through history. Event types cover post creation and updates, user lifecycle (registered, left), and webhook delivery state, with more to follow.
Webhooks that retry, sign, and replay
POST a URL to /api/v1/webhooks with the event types you care about (or ["*"] for all). Each delivery carries a Mobieus-Signature header that is an HMAC-SHA256 of the timestamp and the raw body, so your receiver can verify the payload came from us and is not a replay of an old one (we include a five-minute timestamp tolerance). Failed deliveries retry on a 0, 1, 5, 30, 120, 360, 1440-minute schedule; an endpoint that fails too many times in a row is auto-disabled and surfaces in the dashboard. Every attempt is logged with status code, latency, and the first 2KB of the response body, so debugging is one click into /admin/webhooks/{id} instead of "let me check our logs."
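A receiver-side check for the signature scheme described above, as an added example that is not Mobieus code. The page does not spell out the header layout, so the `t=<unix seconds>,v1=<hex>` format, the `<timestamp>.<raw body>` signed string, and the secret and payload values are assumptions; take the real ones from the webhooks guide.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # the five-minute tolerance stated in the post

# Constructed sample values, not real credentials or a real delivery.
SECRET = b"constructed-signing-secret"
BODY = b'{"type":"post.created","id":"01CONSTRUCTEDEVENTID"}'
SENT_AT = 1_700_000_000


def sign(secret, timestamp, raw_body):
    # ASSUMPTION: the signed string is "<timestamp>.<raw body>".
    message = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def parse_header(header):
    """Split the assumed 't=<unix>,v1=<hex>' layout into (timestamp, signature)."""
    fields = dict(p.strip().partition("=")[::2] for p in header.split(","))
    stamp = fields.get("t", "")
    timestamp = int(stamp) if stamp.isascii() and stamp.isdigit() else None
    return timestamp, fields.get("v1")


def verify(secret, header, raw_body, now=None):
    """True only for a fresh, correctly signed delivery. Pass the bytes as
    received: re-serialising parsed JSON changes the bytes and breaks the MAC."""
    timestamp, signature = parse_header(header)
    if timestamp is None or not signature:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # outside the window: treat as a replay
    expected = sign(secret, timestamp, raw_body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), signature.encode())
```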
Secret rotation without downtime
Rotating a signing secret keeps the previous secret active for a configurable grace window (default 24 hours, max 7 days). During the window, every delivery carries both v1=
SSRF protection at both ends
Webhook URLs go through a guard that rejects HTTP, loopback, RFC1918 private addresses, link-local, IPv6 unique-local, and the cloud-provider metadata endpoint. The guard runs at registration and again at every delivery so a DNS rebind cannot trick the worker into hitting an internal service later.
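A guard of the kind described above, as an added example that is not Mobieus code. The function names, the injectable resolver, the hostname and the sample addresses are constructed for illustration; 169.254.169.254 is used as the metadata address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named in the post. The metadata address is listed first so it gets
# its own reason, although it also falls inside the link-local range.
RANGES = [("cloud metadata endpoint", "169.254.169.254/32"),
          ("loopback", "127.0.0.0/8"), ("loopback", "::1/128"),
          ("RFC1918 private", "10.0.0.0/8"), ("RFC1918 private", "172.16.0.0/12"),
          ("RFC1918 private", "192.168.0.0/16"), ("link-local", "169.254.0.0/16"),
          ("link-local", "fe80::/10"), ("IPv6 unique-local", "fc00::/7")]
BLOCKED = [(why, ipaddress.ip_network(cidr)) for why, cidr in RANGES]

def system_resolver(host):
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})  # every A/AAAA answer

def blocked_reason(ip_text):
    """Return why an address is refused, or None if it is allowed."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop an IPv6 zone id
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    return next((why for why, net in BLOCKED if ip in net), None)

def check_webhook_url(url, resolver=system_resolver):
    """Run at registration AND before each delivery. Returns (allowed, detail)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False, "need an https URL with a host"
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        addrs = []
    if not addrs:
        return False, "resolution failed"
    for addr in addrs:  # one bad record is enough to refuse
        why = blocked_reason(addr)
        if why:
            return False, f"{addr}: {why}"
    return True, addrs[0]  # address the sender should connect to

def rebinding_resolver():
    """Constructed stand-in for DNS: public answer first, internal answer later."""
    answers = iter([["203.0.113.10"], ["10.0.0.5"]])
    return lambda host: next(answers)

def demo():
    dns, url = rebinding_resolver(), "https://hooks.example.test/in"
    return [check_webhook_url(url, dns), check_webhook_url(url, dns)]
```

The second check in `demo()` is the delivery-time run: the name that passed at registration now resolves to an internal address and is refused. Connecting to the returned address, rather than resolving the name again, keeps the check and the connection on the same IP.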
OpenAPI and Redoc
The OpenAPI 3.1 spec is the source of truth; /api/docs renders it via Redoc in a light theme with the Mobieus brand palette. Hand the URL to anyone — a contractor, an internal team, an AI agent — and they have an interactive contract to work against.
The tenant-isolation guarantee
A common API risk on multi-tenant SaaS is filter-by-tenant going wrong: a forgotten WHERE clause, a misrouted lookup, a path-param the wrong layer trusted. Mobieus avoids that class of bug by structure. Every tenant has its own database, and the request connects to that database before the controller runs. Your API key is looked up in your tenant's database; there is no cross-tenant lookup table. The result is that a key minted in your tenant literally cannot read another tenant's data because the connection is wrong. We verified this with a live cross-tenant test that confirms keys from one tenant get 401 from the others.
What you can do today
- Mint a key at /admin/api-keys, copy it once, store it in your secret manager.
- Subscribe a Slack-compatible webhook to post.created and start mirroring new posts in seconds.
- Pipe user.registered to your email tool so welcome series fire from the source of truth.
- Read /api/v1/events with a cursor on a cron to build a local replica or analytics view.
- Read the OpenAPI at /api/openapi.yaml to scaffold a typed client in the language of your choice.
Update — 2026-05-29: mobieusMarket, files, moderation, and the admin rate-limit UI shipped
The follow-ups we promised landed the next day. The API now covers:
- mobieusMarket — GET /api/v1/listings, GET /api/v1/listings/{id}, and four new event types: listing.created, listing.updated, listing.sold, listing.withdrawn.
- File uploads — GET /api/v1/files, GET /api/v1/files/{id}, and the file.uploaded event (fires when a file clears quarantine).
- Moderation — GET /api/v1/reports, GET /api/v1/reports/{id}, POST /api/v1/reports/{id}/dismiss, POST /api/v1/reports/{id}/resolve, and GET /api/v1/moderation/actions reading the moderator action log. New events: report.created, report.resolved, moderation.action_taken.
- Four new scopes: listings:read, files:read, reports:read, reports:manage.
- Rate-limit knobs in the admin UI: per-key override on /admin/api-keys/{id}/edit, tenant default on /admin/api/settings. Precedence: per-key → tenant default → platform default (600 req/min).
- Plan gate: the public API is now available on Pro, Creator Plus, and Sovereign. Starter tenants get a 403 plan_gated response with the current and required plans named in the envelope. Upgrade in /admin/billing and it lights up immediately.
Webhook subscribers using "*" got the new event types for free. The OpenAPI spec at /api/docs reflects every change.
Update — 2026-06-02: API 1.3.0 — mobieusLearn, mobieusKnow, and mobieusHelp expand the surface with 8 AI hooks
Three product surfaces got first-class API coverage in one bump:
- mobieusLearn (25 endpoints) — author courses end-to-end: courses, modules, lessons, activities, enrollments, attempts, certificates, certificate templates, SCORM packages. Two new scopes: learn:read, learn:write. Sample flow: POST /api/v1/learn/courses → POST /api/v1/learn/courses/{id}/modules → POST /api/v1/learn/enrollments → the cert is mintable + verifiable through the API too.
- mobieusKnow (10 endpoints) — wiki page CRUD with the same approve/reject revision flow the in-product UI uses. Two scopes: know:read, know:write. GET /api/v1/know/search lets an AI agent ground answers in your community's wiki.
- mobieusHelp + 8 AI hooks (22 endpoints) — tickets, queues, agents, canned responses, tags, help topics, notification prefs, audit log, plus the eight AI hooks for reply suggestions, summary, sentiment, categorize, resolution prediction, KB-gap detection, audit Q&A, and canned-response generation. Scope: helpdesk:read, helpdesk:write.
That's 57 new endpoints in one minor — most of the platform's product surface is now scriptable.
Update — 2026-06-03: API 1.4.0 — live sessions on Google Meet, Zoom, and Webex
Cohort owners can now schedule synchronous sessions from the API. Paste a Meet, Zoom, or Webex join URL; we detect the provider from the host, build the ICS calendar invite, and send 1-day and 1-hour reminder emails to every active cohort member. No OAuth, no provider API key — Mobieus owns the schedule and the reminder cron, the meeting itself runs on the chosen provider.
- GET /api/v1/learn/live-sessions — list upcoming sessions, filter by cohort_id or starts_after.
- POST /api/v1/learn/live-sessions — schedule a session. Required: cohort_id, title, join_url, starts_at. Optional: description, duration_min (5-720).
- POST /api/v1/learn/live-sessions/{id}/cancel — cancel + skip pending reminders.
- POST /api/v1/learn/live-sessions/{id}/recording — attach a recording URL after the session ends.
Several mobieusLearn additions that ship admin-only (LTI 1.3 Advantage services, SCIM 2.0 provisioning, outbound xAPI bridge, cmi5 packages) aren't on the /api/v1/* surface yet — they have dedicated admin UIs at /admin/learn/* and, in the case of SCIM, their own RFC 7644 bearer-token surface at /scim/v2/*.
Update — 2026-06-07: API 1.6.0 — CORS, Idempotency-Key, richer pagination, 9 new webhook events, and SCIM 2.0
Several long-requested capabilities land at once.
- CORS. Every /api/v1/* endpoint now emits CORS headers and handles OPTIONS preflight with 204 No Content. Your browser-based apps can call the API directly. Restrict origins by setting cors.allowed_origins[] in your tenant config.
- Idempotency-Key. POST requests accept an Idempotency-Key header. Same key, same bearer token, same path, within 24 hours — the original response is replayed instantly. Safe retries for network hiccups and no more duplicate tickets.
- Richer pagination. Every list response now includes total_count (integer) and has_more (boolean) alongside next_cursor. Build "showing 1–20 of 847" without a separate count call.
- 9 new webhook events. The mobieusHelp surface now fires ticket.created, ticket.replied, ticket.status_changed, and ticket.assigned. mobieusLearn fires enrollment.created, enrollment.completed, and course.published. mobieusKnow fires page.created and page.updated. The full event catalog is in the webhooks guide.
- SCIM 2.0 documented. The /scim/v2/* provisioning surface — Users and Groups, RFC 7644 — is now in the API guide and the OpenAPI spec.
The spec is at /api/openapi.yaml and the Redoc viewer is at /api/docs. Version: 1.6.0.
Update - 2026-06-14: API 1.7.0 - the complete reference for mobieusHelp, mobieusAI support assists, mobieusLearn, and mobieusKnow is now published
The full API reference is live at /api/docs. Every helpdesk, learning, and knowledge-base call you can make is documented in one place, so building support automations, course integrations, and knowledge-base sync is a copy-from-the-docs job instead of a guessing game.
The headline is the mobieusAI support assists. Eight endpoints under /api/v1/helpdesk/ai/* put your own AI to work on the queue: POST .../reply-suggest drafts a reply, .../summary condenses a long thread, .../categorize routes a ticket, .../sentiment flags the unhappy ones, .../resolution-predict estimates how a ticket will land, .../audit-qa reviews agent quality, and .../canned-generate writes a reusable macro from one good answer. GET /api/v1/helpdesk/ai/knowledge-gaps tells you which questions your knowledge base does not yet answer. Each one runs on your tenant's own AI key and is gated by a feature flag, so you turn on exactly what you want.
The reference covers the rest of the surface in full. mobieusHelp documents tickets (read plus create, reply, and status), queues, agents, canned responses, tags, help topics, notification preferences, and the audit trail. mobieusLearn covers courses (publish, unpublish, archive), modules, lessons, activities, enrollments, cohort grants, attempts, certificates, certificate templates, SCORM packages, and the native xAPI 1.0.3 LRS. mobieusKnow covers pages with the revision review flow. Helpdesk calls live under /api/v1/helpdesk; SCIM 2.0 stays on its own /scim/v2/* surface, separate from /api/v1.
The API is on Pro plans and up. Mint a key at /admin/api-keys, point your tooling at /api/docs, and every webhook stays HMAC-signed. Version: 1.7.0.
What is next
The catalog keeps growing. On the short list: events for purchases and payouts, write endpoints for community core (threads, posts, DMs), per-event delivery filters beyond the wildcard, and a managed AI tier so tenants without a BYOK Anthropic key can still use mobieusAI. If there is an event or endpoint you need that we have not exposed, tell us in support and we will prioritize.

