Resolve REST API
query resolve investigations from scripts, dashboards, or any http client if you're connecting a coding agent (claude code, codex, cursor) or another mcp client, use plugins & mcp docid\ g2pgeuxxoqhztmh6dbvxf instead authentication all requests require a bearer token recommended a personal token from user menu > api tokens personal tokens attribute all actions to your user identity for shared service integrations or scripts that run on behalf of the organization, use an organization token from admin > api tokens instead include the token in all requests authorization bearer \<your token> trigger an investigation post /api/v1/investigations base url https //app0 resolve ai requires a personal token ( user menu > api tokens ) organization tokens cannot trigger investigations ( 401 ), because every investigation is attributed to a real user body exactly one of the following field type description source string free form text describing the problem (e g built from a servicenow incident short description plus context) alertid string the alert id of an alert resolve already ingested (from the list investigations docid\ rtvjx3omc1ou7slg abri endpoint) example (free form text) curl ss x post "https //app0 resolve ai/api/v1/investigations" \\ h "authorization bearer $token" \\ h "content type application/json" \\ d '{"source" "inc12345678 checkout p99 latency spiked to 4s starting 14 32 utc, only us east 1, correlated with the deploy of svc checkout 1 42 0"}' example (existing alert) curl ss x post "https //app0 resolve ai/api/v1/investigations" \\ h "authorization bearer $token" \\ h "content type application/json" \\ d '{"alertid" "alert 123"}' response returns 202 accepted immediately; the investigation continues in the background poll get investigation details docid\ rtvjx3omc1ou7slg abri until iscomplete is true , then read the markdown report from the reports array canvasurl is the link to paste into the servicenow work notes { "canvasid" "01knw9eydmcj35a9f2pd630zyg", "canvasurl" "https //app0 resolve ai/canvas/01knw9eydmcj35a9f2pd630zyg" } errors status cause 400 the body does not contain exactly one of source or alertid , or the referenced event is not an alert 401 the request used an organization token instead of a personal token 404 the alertid was not found in your organization to find the alert id for an incident, if the alert carries the inc number as a label, look it up first with list investigations docid\ rtvjx3omc1ou7slg abri , then trigger by id curl ss h "authorization bearer $token" \\ "https //app0 resolve ai/api/v1/investigations?starttime=2026 07 01t00 09 59z\&label number=inc12345678" list investigations get /api/v1/investigations base url https //app0 resolve ai query parameters parameter type description starttime iso datetime start of search window (default 1 hour ago) endtime iso datetime end of search window (default now) cursor string pagination cursor from a previous response label string filter by alert labels (e g label service name=checkout api ) multiple label filters use and logic all specified labels must match example curl h "authorization bearer $token" \\ "https //app0 resolve ai/api/v1/investigations?label service name=checkout api\&label severity=critical" response { "investigations" \[ { "canvasid" "01knw9eydmcj35a9f2pd630zyg", "name" "high error rate on checkout api", "alert" { "id" "alert 123", "name" "checkout error rate > 5%", "labels" { "service name" "checkout api", "severity" "critical" } }, "createdat" "2025 03 01t10 00 00 000z" } ], "nextcursor" null } get investigation details get /api/v1/investigations/\ canvasid returns the full investigation including status, completion state, and report files (problem summary, status updates, theories) example curl h "authorization bearer $token" \\ "https //app0 resolve ai/api/v1/investigations/01knw9eydmcj35a9f2pd630zyg" response { "canvasid" "01knw9eydmcj35a9f2pd630zyg", "name" "high error rate on checkout api", "status" "stopped", "iscomplete" true, "reports" \[ { "filepath" "/problem md", "versions" \[ { "versionid" 0, "createdat" "2025 03 01t10 05 00 000z", "content" "# problem\n " } ] }, { "filepath" "/status update md", "versions" \[ ] } ] }