Events API
Open Analytics provides two ingest endpoints: one for the browser tracking script, and a separate endpoint for sending events from your server with API key authentication.
Browser events — POST /api/events
The tracking script sends events to this endpoint using your public site_key in the request body. Use this for client-side pageviews and custom events only.
POST https://analytics.gitopen.dev/api/events Content-Type: application/json
Request body
{
"site_key": "YOUR_SITE_KEY",
"event_type": 1,
"visitor_id": "d4f9c2a1",
"session_id": "abc12345",
"visit_id": "visit_xyz",
"path": "/blog/post-1",
"hostname": "example.com",
"referrer": "https://twitter.com",
"event_name": "Signup",
"source": "{\"plan\":\"pro\"}",
"duration_ms": 42000
}Tip
event_type: 1 = pageview, 2 = page leave, 10 = custom event.Server events — POST /api/server-events
Send events from your backend, webhooks, or serverless functions using your private API key. Do not use this endpoint from browser JavaScript — the API key must stay server-side only.
POST https://analytics.gitopen.dev/api/server-events Content-Type: application/json x-api-key: YOUR_API_KEY
Where to find your API key
- Open your site in the dashboard.
- Go to Settings → Tracking code.
- Copy the value under Server API key.
Each project has one API key, generated automatically when the site is created. It is different from the public site_key used in the browser tracking script.
Authentication
Every request must include your API key in the x-api-key header. The key identifies which site the event belongs to — you do not need to send site_key in the body.
Note
Request body
{
"event_type": 10,
"visitor_id": "user_12345",
"session_id": "srv_session_abc",
"visit_id": "srv_visit_xyz",
"path": "/api/webhook",
"hostname": "example.com",
"event_name": "Purchase",
"source": "{\"amount\":99,\"currency\":\"USD\"}"
}Example — Node.js
await fetch("https://analytics.gitopen.dev/api/server-events", {
method: "POST",
headers: {
"Content-Type": "application/json",
"x-api-key": process.env.OPEN_ANALYTICS_API_KEY,
},
body: JSON.stringify({
event_type: 10,
visitor_id: "user_12345",
session_id: "srv_session_abc",
path: "/checkout/complete",
hostname: "example.com",
event_name: "Purchase",
source: JSON.stringify({ plan: "pro" }),
}),
});Example — curl
curl -X POST "https://analytics.gitopen.dev/api/server-events" \
-H "Content-Type: application/json" \
-H "x-api-key: YOUR_API_KEY" \
-d '{
"event_type": 10,
"visitor_id": "user_12345",
"session_id": "srv_session_abc",
"path": "/checkout/complete",
"hostname": "example.com",
"event_name": "Purchase"
}'Response
Both endpoints return the same response format:
// 200 OK
{ "ok": true }
// 400 Bad Request
{ "error": "Invalid event payload" }
// 403 Forbidden
{ "error": "Missing API key" }
{ "error": "Invalid API key" }
{ "error": "Unknown site key" }
// 429 Too Many Requests
{ "error": "Too many requests" }Rate limiting
Requests are rate-limited per IP address. For high-volume server-side tracking, batch events on your server and send them with reasonable spacing.
Path and IP exclusions
Events matching paths or IPs configured in Settings → Tracking exclusions are silently dropped. This applies to both browser and server-side events.