# API

Sleuth Skills ([skills.new](https://skills.new)) is API-first. Every action you can take in the web UI — listing the assets installed for a user, downloading a skill bundle, creating a bot, recording a usage event — is also available over HTTP.

There are two surfaces:

| Surface     | Base URL                             | Use it for                                                                                                                                       |
| ----------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| **REST**    | `https://app.skills.new/api/skills/` | Asset distribution: lock-file resolution, version listing, bundle download, upload, profile selection, usage reporting. This is what `sx` calls. |
| **GraphQL** | `https://app.skills.new/graphql`     | Everything else: managing assets, bots, profiles, installations, change requests, audit log, AI metrics. This is what the web UI calls.          |

Both surfaces share the same authentication model — an org-scoped credential identifies the caller, and the credential type (bot API key, personal access token, or browser session) determines what the caller can see and do.

## Quick orientation

* **Bot API keys** are the recommended credential for unattended automation. Issue one per bot, scope it to that bot's teams, and rotate without downtime. See [Authentication](/sleuth-skills/api/authentication.md).
* **Personal access tokens** are for scripts and CLI tools that should act as *you* — issue them from your user settings. See [Authentication](/sleuth-skills/api/authentication.md#personal-access-tokens).
* **`sx` itself is just a REST client.** Everything `sx install`, `sx update`, and `sx vault` do is a documented call against the REST API. See [REST API](/sleuth-skills/api/rest.md).
* **GraphQL is introspectable.** Open <https://app.skills.new/graphql> while signed in to explore the full schema in GraphiQL. See [GraphQL API](/sleuth-skills/api/graphql.md) for the high-level shape.

## Where to go next

* [Authentication](/sleuth-skills/api/authentication.md) — API keys, bot keys, and how to pass them.
* [REST API](/sleuth-skills/api/rest.md) — every endpoint `sx` and CI agents use.
* [GraphQL API](/sleuth-skills/api/graphql.md) — the management surface for assets, bots, profiles, and metrics.

{% hint style="info" %}
This API is for the **Sleuth Skills** product at skills.new. If you're looking for the DORA / deployment-tracking API at app.sleuth.io, see [Sleuth API](/sleuth-dora/sleuth-api.md) instead.
{% endhint %}


