Home/Documentation

Events API

Open Analytics provides two ingest endpoints: one for the browser tracking script, and a separate endpoint for sending events from your server with API key authentication.

Browser events — POST /api/events

The tracking script sends events to this endpoint using your public site_key in the request body. Use this for client-side pageviews and custom events only.

POST https://analytics.gitopen.dev/api/events
Content-Type: application/json

Request body

{
  "site_key": "YOUR_SITE_KEY",
  "event_type": 1,
  "visitor_id": "d4f9c2a1",
  "session_id": "abc12345",
  "visit_id": "visit_xyz",
  "path": "/blog/post-1",
  "hostname": "example.com",
  "referrer": "https://twitter.com",
  "event_name": "Signup",
  "source": "{\"plan\":\"pro\"}",
  "duration_ms": 42000
}

Tip

event_type: 1 = pageview, 2 = page leave, 10 = custom event.

Server events — POST /api/server-events

Send events from your backend, webhooks, or serverless functions using your private API key. Do not use this endpoint from browser JavaScript — the API key must stay server-side only.

POST https://analytics.gitopen.dev/api/server-events
Content-Type: application/json
x-api-key: YOUR_API_KEY

Where to find your API key

  1. Open your site in the dashboard.
  2. Go to Settings → Tracking code.
  3. Copy the value under Server API key.

Each project has one API key, generated automatically when the site is created. It is different from the public site_key used in the browser tracking script.

Authentication

Every request must include your API key in the x-api-key header. The key identifies which site the event belongs to — you do not need to send site_key in the body.

Note

Never expose your API key in frontend code, mobile app bundles, or public Git repositories. Use environment variables on your server.

Request body

{
  "event_type": 10,
  "visitor_id": "user_12345",
  "session_id": "srv_session_abc",
  "visit_id": "srv_visit_xyz",
  "path": "/api/webhook",
  "hostname": "example.com",
  "event_name": "Purchase",
  "source": "{\"amount\":99,\"currency\":\"USD\"}"
}

Example — Node.js

await fetch("https://analytics.gitopen.dev/api/server-events", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "x-api-key": process.env.OPEN_ANALYTICS_API_KEY,
  },
  body: JSON.stringify({
    event_type: 10,
    visitor_id: "user_12345",
    session_id: "srv_session_abc",
    path: "/checkout/complete",
    hostname: "example.com",
    event_name: "Purchase",
    source: JSON.stringify({ plan: "pro" }),
  }),
});

Example — curl

curl -X POST "https://analytics.gitopen.dev/api/server-events" \
  -H "Content-Type: application/json" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{
    "event_type": 10,
    "visitor_id": "user_12345",
    "session_id": "srv_session_abc",
    "path": "/checkout/complete",
    "hostname": "example.com",
    "event_name": "Purchase"
  }'

Response

Both endpoints return the same response format:

// 200 OK
{ "ok": true }

// 400 Bad Request
{ "error": "Invalid event payload" }

// 403 Forbidden
{ "error": "Missing API key" }
{ "error": "Invalid API key" }
{ "error": "Unknown site key" }

// 429 Too Many Requests
{ "error": "Too many requests" }

Rate limiting

Requests are rate-limited per IP address. For high-volume server-side tracking, batch events on your server and send them with reasonable spacing.

Path and IP exclusions

Events matching paths or IPs configured in Settings → Tracking exclusions are silently dropped. This applies to both browser and server-side events.