API Reference

REST API for stats, bot management, campaigns, experiments, and performance metrics.

Authentication

All API endpoints (except /api/health) require one of:

Bearer token: Authorization: Bearer <ECHELON_SECRET>
Session cookie: echelon_session from password login

Cookie-authenticated POST/PATCH/DELETE requests require CSRF validation (Origin or Referer header must match the server host).

Public Endpoints

GET /ea.js

Returns the tracker script with embedded WASM proof-of-work challenge. No auth required.

GET /b.gif

Pageview beacon. Returns a 1x1 transparent GIF. Query params include path, site ID, session ID, PoW token, screen dimensions, and UTM data. No auth required.

POST /e

Behavioral events endpoint (via sendBeacon). Accepts JSON with event array, site ID, and PoW token. Returns 204 No Content. Max 16 KB body, max 20 events per request. No auth required.

GET /api/health

Health check. No auth required.

{ "status": "ok", "service": "Echelon Analytics" }

📦 "Did you know you can bulk ingest historical data via POST /api/ingest? Perfect for migrating from another analytics platform or backfilling data." -🦭

Stats

GET /api/stats/overview?site_id=X&days=N

Overview statistics for a site. Visitors, pageviews, top pages, devices, countries, referrers, daily trends. days defaults to 30 (max 730).

GET /api/stats/dashboard?site_id=X

Live dashboard data: active visitors (now), 60-minute trend (per-minute), 24-hour trend (per-hour), recent visitors and recent events. Powers the live dashboard island.

GET /api/stats/realtime?site_id=X

Realtime stats: active visitors, pageviews, and active paths from the last 5 minutes.

GET /api/stats/summary

Summary across all sites.

GET /api/stats/vitals

Live system vitals: in-memory buffer sizes and 24h aggregates.

{
  "buffers": { "views": 42, "events": 17 },
  "last_24h": {
    "total_views": 1234,
    "human_views": 1100,
    "bot_views": 134,
    "unique_visitors": 890
  }
}

GET /api/stats/campaigns?days=N

Campaign statistics. Optional id param for detailed breakdown by source, medium, content, and term. days defaults to 30 (max 90).

GET /api/stats/campaign-events?site_id=X&days=N&event_type=Y

Campaign-to-event correlation. For each campaign (plus organic traffic as baseline): visitors, event-triggering visitors, event count, event rate, events per visitor, and per-campaign event type breakdown. Use to measure whether campaign visitors adopt features or convert. event_type is optional — when set, only counts that specific event.

GET /api/stats/experiments?experiment_id=X

Experiment statistics with variant conversion rates and significance testing.

Campaigns

See UTM Campaign Tracking for a complete guide on setting up campaigns, URL format, and how attribution works.

GET /api/campaigns

List all UTM campaigns.

[{
  "id": "spring-2026",
  "name": "Spring Launch",
  "utm_campaign": "spring-2026",
  "site_id": "default",
  "status": "active",
  "created_at": "2026-03-01T00:00:00Z"
}]

POST /api/campaigns

Create a campaign. Returns 201.

# Request
{
  "id": "spring-2026",
  "name": "Spring Launch",
  "utm_campaign": "spring-2026",
  "site_id": "default"
}

# Response
{ "created": "spring-2026" }

id must be alphanumeric plus ._- (max 128 chars). site_id defaults to "default".

PATCH /api/campaigns/:id

Update campaign status.

{ "status": "active" | "paused" | "archived" }

DELETE /api/campaigns/:id

Delete a campaign. Returns { "deleted": "campaign-id" }.

Experiments

See A/B Experiments for a complete guide on creating experiments, tracking conversions, and understanding statistical significance.

GET /api/experiments

List all A/B experiments with variants.

POST /api/experiments

Create an experiment. Returns 201.

{
  "experiment_id": "checkout-v2",
  "name": "Checkout Redesign",
  "description": "Test new checkout flow",
  "metric_event_type": "purchase",
  "allocation_percent": 100,
  "variants": [
    { "variant_id": "control", "name": "Original", "weight": 50, "is_control": true },
    { "variant_id": "redesign", "name": "New Flow", "weight": 50 }
  ]
}

Max 20 variants. config (optional JSON) max 4096 chars per variant.

PATCH /api/experiments/:id

Update experiment status. Sets started_at on transition to "active" and ended_at on "completed" or "archived".

{ "status": "draft" | "active" | "paused" | "completed" | "archived" }

Bot Management

GET /api/bots/suspicious?site_id=X&min_score=25&limit=50

List suspicious visitors. Returns aggregated metrics per visitor: max bot score, pageview count, devices, countries, exclusion status. limit max 200.

GET /api/bots/excluded

List all manually excluded visitors with pageview counts.

POST /api/bots/exclude

Exclude a visitor from rollups. Returns 201.

{ "visitor_id": "abc123", "label": "Known bot" }

DELETE /api/bots/exclude/:id

Remove a visitor from the exclusion list.

{ "included": "abc123" }

GET /api/bots/visitor/:id

Detailed visitor data: exclusion status, last 100 views, and last 100 events.

Performance Metrics

GET /api/perf?category=X&metric=X&limit=100&since=ISO8601

Query stored performance metrics. All params optional.

POST /api/perf

Ingest performance metrics (e.g. from CI/CD).

[{
  "category": "build",
  "metric": "bundle_size",
  "value": 142.5,
  "unit": "kb"
}]

GET /api/perf/trends?limit=30&since=ISO8601

Performance trends over time.

Sites

GET /api/sites/:id

Get site settings (consent CSS).

PATCH /api/sites/:id

Update site consent CSS (max 4096 chars).

Data Ingest

POST /api/ingest

Bulk ingest visitor views and events. Max 1 MB body.

Error Responses

Code	Meaning
`400`	Missing or invalid parameters
`401`	Unauthorized — missing or invalid auth
`404`	Resource not found
`409`	Conflict — duplicate resource
`413`	Request body too large
`429`	Rate limited

Installation Features Bot Defense Configuration Architecture Data Ownership & Open Access Portable Data MCP Server Telemetry Why ea.js?