Skip to main content
The SDK handles this for you. Read on if you’re calling the REST endpoints directly — from a language without an official SDK, or for ad-hoc curl debugging.

The header

Full request example

A success response:
202 Accepted confirms the event was enqueued, not that it has been fully processed. Vibefollow’s ingest pipeline is asynchronous — the event lands in your project’s event stream within a few hundred milliseconds.

Failure modes

Header missing, malformed, or key revoked. Body: { "errors": [{ "code": "auth_required", ... }] }.
Key valid but doesn’t authorise access to the resource (e.g. wrong project).
Request body failed validation. errors[0].field names the offending field.
Rate limited. Respect the Retry-After header.
Safe to retry — the Idempotency-Key prevents duplicates.
The full mapping to typed SDK errors is documented in Errors.

Idempotency in detail

The Idempotency-Key is required on every mutating request — the SDK auto-generates one if you don’t pass it. The backend dedupes within a 24-hour window keyed by (project_id, idempotency_key).
Use a fresh UUID per logical write. Don’t share keys across unrelated events.

CORS

The API does not send Access-Control-Allow-Origin headers. The browser cannot call Vibefollow directly — build a server proxy if you need browser-originated events.

TLS

HTTPS only. Plaintext HTTP requests are refused at the edge with a redirect to https://. TLS 1.2+ required. We do not support TLS 1.0/1.1.