REST API reference.
JSON over HTTPS. Bearer token authentication. Idempotent writes. Available on the Enterprise tier.
Base URL
https://api.parallaxos.com.au/v1
Authentication
All requests require a Bearer token in the Authorization header.
curl https://api.parallaxos.com.au/v1/workers \
  -H "Authorization: Bearer pk_live_••••••••••••" \
  -H "Content-Type: application/json"
Versioning
The API is versioned in the URL (/v1). Backwards-incompatible changes go to a new major version. Deprecation notices are sent via the configured webhook URL and email at least 90 days before any breaking change.
Rate limits
Default rate limit: 600 requests per minute per API key, with a burst of 100. Webhook deliveries: separate limit of 200 events per minute. Rate limit headers (X-RateLimit-Remaining, X-RateLimit-Reset) are returned on every response.
Workers
| Endpoint | Description |
|---|---|
| GET /workers | List workers with optional filters (network, status, role) |
| GET /workers/{id} | Retrieve a single worker with full compliance status |
| POST /workers | Create a worker (CSV import is the recommended path) |
| POST /workers/{id}/certifications | Add a certification (RIW, network competency, medical) |
| DELETE /workers/{id} | Soft-delete a worker (retained in audit log) |
Shifts
| Endpoint | Description |
|---|---|
| GET /shifts | List shifts in a date range |
| POST /shifts | Create a shift; runs through the compliance gate |
| POST /shifts/{id}/clock_on | Clock on with GPS coordinates and device hash |
| POST /shifts/{id}/clock_off | Clock off and seal the timesheet |
| POST /shifts/{id}/approve | Approve a submitted timesheet |
Compliance
| Endpoint | Description |
|---|---|
| GET /compliance/{worker_id} | Live compliance status (RIW, FAID, medical, certifications) |
| GET /compliance/expiring?days=30 | List certifications expiring in N days |
| POST /compliance/check | Pre-flight check: can worker X work network Y on date Z? |
Reports
| Endpoint | Description |
|---|---|
| POST /reports/avetta_pack | Generate the Avetta Monthly Pack for a period |
| POST /reports/avetta_push | Push the assembled pack to the Avetta API |
| POST /reports/esg | Generate Scope 1 / Scope 2 emissions report |
| POST /reports/custom | Run a custom report from a saved template |
Incidents
| Endpoint | Description |
|---|---|
| GET /incidents | List incidents with optional filters |
| POST /incidents | Log an incident with photo, GPS, and outcome |
| GET /incidents/{id} | Retrieve an incident with full audit trail |
Webhooks
Configure webhook endpoints in Settings → Webhooks. ParallaxOS will POST a JSON payload to your URL when subscribed events occur.
Available events
- worker.created
- worker.cert_expiring (fires 30 / 14 / 7 days before expiry)
- worker.cert_expired
- worker.faid_alert (fires when FAID exceeds threshold)
- worker.dna_positive
- timesheet.submitted
- timesheet.approved
- timesheet.rejected
- incident.logged
- avetta.pack_generated
- avetta.pack_pushed
Example payload
{
  "event": "worker.faid_alert",
  "timestamp": "2026-02-14T22:18:42+11:00",
  "data": {
    "worker_id": "WK-00471",
    "worker_name": "Mike Davies",
    "faid_score": 78,
    "shift_id": "SH-2026-02-14-J001-001",
    "location": {
      "site": "Muswellbrook Yard",
      "lat": -32.2569,
      "lng": 150.8893
    },
    "action_taken": "supervisor_alerted_uber_dispatched"
  },
  "signature": "sha256=a8b2..."
}
Webhook security
Every webhook request is signed with a shared secret using HMAC-SHA256. Verify the X-ParallaxOS-Signature header against your shared secret to confirm authenticity. Replay protection: each event ID is unique and includes an ISO timestamp.
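A receiver-side check for the signing and replay protection described above, as an added example (not ParallaxOS's own code or SDK). It assumes the X-ParallaxOS-Signature header carries `sha256=<hex>` computed over the raw request body, that the event ID sits in a top-level `id` field, and a 5-minute freshness window; none of these details are specified on this page.

```javascript
const crypto = require("node:crypto");

const TOLERANCE_MS = 5 * 60 * 1000; // assumed freshness window, not from the page

// Hex HMAC-SHA256 of the raw body, formatted "sha256=<hex>" (assumed header format).
function sign(secret, rawBody) {
  return "sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Returns { ok: true, event } or { ok: false, reason }.
// seen: a Set (or shared store) of event IDs that were already processed.
function verifyWebhook({ secret, rawBody, header, seen, now = Date.now() }) {
  const expected = Buffer.from(sign(secret, rawBody));
  const received = Buffer.from(String(header || ""));
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: "bad_signature" };
  }
  // Parse the body only after the signature over the raw bytes has been verified.
  let event;
  try { event = JSON.parse(rawBody); } catch { return { ok: false, reason: "bad_json" }; }
  const ts = Date.parse(event.timestamp);
  if (Number.isNaN(ts) || Math.abs(now - ts) > TOLERANCE_MS) {
    return { ok: false, reason: "stale_timestamp" };
  }
  const id = event.id; // assumed field name for the unique event ID
  if (typeof id !== "string" || seen.has(id)) return { ok: false, reason: "replayed_event" };
  seen.add(id);
  return { ok: true, event };
}

// Constructed sample delivery (secret, ID and body invented for this example).
const SECRET = "whsec_example_only";
const BODY = JSON.stringify({
  id: "evt_0001",
  event: "worker.faid_alert",
  timestamp: "2026-02-14T22:18:42+11:00",
  data: { worker_id: "WK-00471", faid_score: 78 },
});
const NOW = Date.parse("2026-02-14T22:19:00+11:00");
```

Pass the body exactly as received (before any JSON middleware re-serialises it), since the HMAC covers bytes rather than parsed fields.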
SDKs
An official JavaScript / TypeScript SDK is available via npm install @parallaxos/sdk. Python is on the roadmap for late 2026.
import { ParallaxOS } from "@parallaxos/sdk";

const client = new ParallaxOS({ apiKey: process.env.PARALLAXOS_API_KEY });

const { ok, faidAllowed } = await client.compliance.check({
  workerId: "WK-00471",
  network: "ARTC",
  shiftStart: "2026-02-14T22:00+11:00",
  shiftEnd: "2026-02-15T06:00+11:00",
});