API

Sleuth Skills (skills.new) is API-first. Every action you can take in the web UI — listing the assets installed for a user, downloading a skill bundle, creating a bot, recording a usage event — is also available over HTTP.

There are two surfaces:

Both surfaces share the same authentication model — an org-scoped credential identifies the caller, and the credential type (bot API key, personal access token, or browser session) determines what the caller can see and do.

Quick orientation

• Bot API keys are the recommended credential for unattended automation. Issue one per bot, scope it to that bot's teams, and rotate without downtime. See Authentication.

• Personal access tokens are for scripts and CLI tools that should act as you — issue them from your user settings. See Authentication.

• sx itself is just a REST client. Everything sx install, sx update, and sx vault do is a documented call against the REST API on this page — see REST API.

• GraphQL is introspectable. Open https://app.skills.new/graphql while signed in to explore the full schema in GraphiQL. See GraphQL API for the high-level shape.

Where to go next

• Authentication — API keys, bot keys, and how to pass them.

• REST API — every endpoint sx and CI agents use.

• GraphQL API — the management surface for assets, bots, profiles, and metrics.