Swishing Internal API
Operator/internal-only API powering the internal-web admin tool: tenant provisioning + lifecycle, Cognito user management, season/wave scheduling, incident triage, lead inbox, dashboard rollups, system email templates, and the AI-driven phishing-template authoring tool.
This is internal documentation only — not a customer-facing contract. Most
endpoints require a Cognito-issued operator bearer token. A small number
of cron/scheduler endpoints use a shared internal secret instead, and the
/api/leads/ingest endpoint uses its own ingest token.
Authentication
- HTTP: Bearer Auth
- API Key: internalSharedSecret
- API Key: leadsIngestToken
Cognito-issued operator access token (verified against the internal Cognito pool).
Security Scheme Type: | http |
|---|---|
HTTP Authorization Scheme: | bearer |
Bearer format: | JWT |
Shared secret used by cron/scheduler-style callers. The handler also accepts the value via X-Internal-Key or the Authorization header.
Security Scheme Type: | apiKey |
|---|---|
Header parameter name: | X-Internal-Api-Key |
Shared secret for the public marketing-site lead ingest endpoint.
Security Scheme Type: | apiKey |
|---|---|
Header parameter name: | X-Leads-Token |