/alerts - List active alerts (cross-hierarchy)

GET /alerts
Bearer auth

Retrieves active alerts from Mimir for the caller's scope, paginated. Each alert is enriched with a system object (name, type) looked up from the local systems table, so the UI can render the system column without an extra round-trip per row.

Sortable by starts_at (default desc), severity (criticality rank: critical

warning > info), alertname, or status (Alertmanager state). fingerprint is used as a stable tiebreaker so pagination doesn't shift between requests.

Scope follows the same three modes as /alerts/totals:

  • organization_id omitted → caller's full hierarchy (cross-tenant fan-out).
  • organization_id=X → single tenant X.
  • organization_id=X&include=descendantsX plus its sub-tree.

All filter params support multiple values (repeat the param): values within the same filter are matched as OR; different filters AND together. Example: ?severity=critical&severity=warning&alertname=CVE-2024-1234 returns CVE-2024-1234 alerts that are critical or warning.

Per-tenant failures during fan-out (timeout, 5xx) are non-fatal: the rest of the result is returned and the failure is reported in the warnings array.

Query parameters

  • organization_id array[string]

    Target organization ID(s). Repeat the param to pass multiple values. Optional for all roles except Customer (where it is ignored).

  • include string

    Set to descendants together with organization_id to expand each value to its sub-tree.

    Value is descendants.

  • page integer

    1-based page number.

    Minimum value is 1. Default value is 1.

  • page_size integer

    Page size. Default 50, max 100.

    Minimum value is 1, maximum value is 100. Default value is 50.

  • sort_by string

    Sort column (allowlist).

    Values are starts_at, severity, alertname, or status. Default value is starts_at.

  • sort_direction string

    Values are asc or desc. Default value is desc.

  • status array[string]

    Filter alerts by Alertmanager state. Supports multiple values.

    Values are active, suppressed, or unprocessed.

  • severity array[string]

    Filter alerts by severity label. Supports multiple values.

    Values are critical, warning, or info.

  • system_key array[string]

    Filter alerts by system_key label. Supports multiple values.

  • alertname array[string]

    Filter alerts by alertname label (the alert "type" — e.g. HighCPU, DiskFull, CVE-2024-1234). Supports multiple values.

Responses

  • 200 application/json

    Paginated list of active alerts

    Hide response attributes Show response attributes object
    • code integer
    • message string
    • data object
      Hide data attributes Show data attributes object
      • alerts array[object]
        Hide alerts attributes Show alerts attributes object

        Active alert returned by Mimir Alertmanager. The fan-out includes silenced and inhibited alerts (not just active ones), so callers can render the muted/suppressed state. System identity (id, key, name, type) is carried as labels (system_id, system_key, system_name, system_type), stamped server-side at ingest time.

        • fingerprint string

          Alertmanager fingerprint (hex hash of labels)

        • labels object

          Alert labels. Always includes server-stamped identity labels (system_id, system_key, system_name, system_type, system_fqdn, system_ipv4, organization_id, organization_name, organization_vat, organization_type) plus the alert's own labels (alertname, severity, ...). Use system_id to link to the system detail page (/systems/:id) and organization_id to link to the organization.

          Hide labels attribute Show labels attribute object
          • * string Additional properties
        • annotations object
          Hide annotations attribute Show annotations attribute object
          • * string Additional properties
        • status object
          Hide status attributes Show status attributes object
          • state string

            Values are active, suppressed, or unprocessed.

          • silencedBy array[string]

            Active silence IDs muting this alert (non-empty → state is "suppressed")

          • inhibitedBy array[string]
        • startsAt string(date-time)
        • endsAt string(date-time)
        • generatorURL string

          Source URL of the alert (set by the pushing agent), if any

      • pagination object
        Hide pagination attributes Show pagination attributes object
        • page integer

          Current page number

          Minimum value is 1.

        • page_size integer

          Number of items per page

          Minimum value is 1, maximum value is 200.

        • total_count integer

          Total number of items

          Minimum value is 0.

        • total_pages integer

          Total number of pages

          Minimum value is 0.

        • has_next boolean

          Whether there is a next page

        • has_prev boolean

          Whether there is a previous page

        • next_page integer | null

          Next page number if available

        • prev_page integer | null

          Previous page number if available

        • sort_by string | null

          Field used for sorting

        • sort_direction string | null

          Sort direction

          Values are asc or desc.

      • warnings array[string]

        Per-tenant errors encountered during fan-out. Always present (empty array when every tenant responded OK). Each entry is a string org <logto_id>: <error>.
  • 400 application/json

    Bad request - validation error

    Hide response attributes Show response attributes object
    • code integer

      HTTP error code

    • message string

      Error message

    • data object
      Hide data attributes Show data attributes object
      • type string

        Type of error

        Values are validation_error or external_api_error.

      • errors array[object]
        Hide errors attributes Show errors attributes object
        • key string

          Field name that failed validation

        • message string

          Error code or message

        • value string

          Value that failed validation

      • details

        Additional error details
  • 401 application/json

    Unauthorized - invalid or missing token

    Hide response attributes Show response attributes object
    • code integer
    • message string
    • data object | null
  • 403 application/json

    Forbidden - insufficient permissions

    Hide response attributes Show response attributes object
    • code integer
    • message string
    • data object | null
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
    • code integer
    • message string
    • data object | null
GET /alerts 
curl \
 --request GET 'https://api.your-domain.com/api/alerts' \
 --header "Authorization: Bearer $ACCESS_TOKEN"
Response examples (200)
A single warning alert. System identity (id, key, name, type) is carried as labels, stamped at ingest time. `state="active"` means Mimir has not been told to silence it; an actively-muted alert would have `state="suppressed"` and a non-empty `silencedBy`. 
{
  "code": 200,
  "message": "alerts retrieved successfully",
  "data": {
    "alerts": [
      {
        "fingerprint": "0a9d04bb6eed523f",
        "labels": {
          "alertname": "DiskFilling",
          "severity": "warning",
          "system_id": "e4eb4844-46f6-448c-8279-7cfedf5e1037",
          "system_key": "NETH-D417-A2C2-7810-43D2-984B-2164-34C1-B22E",
          "system_name": "test-sys",
          "system_type": "ns8"
        },
        "annotations": {
          "summary": "/var is 92% full on test-sys",
          "description": "Disk usage exceeded the warning threshold."
        },
        "status": {
          "state": "active",
          "silencedBy": [],
          "inhibitedBy": []
        },
        "startsAt": "2026-05-12T08:14:00Z",
        "endsAt": "2026-05-12T08:44:00Z"
      }
    ],
    "pagination": {
      "page": 1,
      "page_size": 50,
      "total_count": 1,
      "total_pages": 1,
      "has_next": false,
      "has_prev": false
    },
    "warnings": []
  }
}
When `organization_id` is omitted (or `include=descendants` is used), the request fans out to every tenant in scope. A single slow Mimir does not fail the whole request — the rest of the results are returned and the failing tenant lands in `warnings`. 
{
  "code": 200,
  "message": "alerts retrieved successfully",
  "data": {
    "alerts": [],
    "pagination": {
      "page": 1,
      "page_size": 50,
      "total_count": 0,
      "total_pages": 0,
      "has_next": false,
      "has_prev": false
    },
    "warnings": [
      "org pt8gqs6y5wpr: context deadline exceeded"
    ]
  }
}
Response examples (400) 
{
  "code": 400,
  "message": "validation failed",
  "data": {
    "type": "validation_error",
    "errors": [
      {
        "key": "username",
        "message": "required",
        "value": "string"
      }
    ]
  }
}
Response examples (401) 
{
  "code": 401,
  "message": "invalid token",
  "data": {}
}
Response examples (403) 
{
  "code": 403,
  "message": "insufficient permissions",
  "data": {}
}
Response examples (500) 
{
  "code": 500,
  "message": "internal server error",
  "data": {}
}