/alerts/config/effective - Inspect a tenant's effective merged config

GET /alerts/config/effective
Bearer auth

Privileged troubleshooting view. Returns the configuration a tenant ACTUALLY receives: the per-layer contribution of every organization in its ancestor chain (Owner → tenant), the merged effective layer, and the rendered Alertmanager YAML pushed to Mimir for that tenant.

Unlike GET /alerts/config (which returns only the caller's own layer), this exposes the full inherited + merged view, so it is gated by the dedicated config:alerts permission. That permission lives solely on the super user role, which is owner-assignable only — so in practice only an Owner-org Super Admin can reach this. It is not reachable by Distributor/Reseller admins.

Secrets are redacted in the response: telegram bot_token and webhook URL path/query in every layer and in the effective layer, and SMTP credentials / bearer / bot tokens in the rendered YAML.

organization_id is required and may target ANY tenant. A nonexistent id returns an empty effective config (no error) — the honest answer for a diagnostic tool. Read-only: no Mimir push, no DB writes.

Query parameters

  • organization_id string Required

    Logto organization id of the tenant to inspect.

Responses

  • 200 application/json

    Effective configuration report

    Hide response attributes Show response attributes object
    • code integer
    • message string
    • data object
      Hide data attributes Show data attributes object
      • organization_id string
      • chain array[object]

        Contributing layers ordered Owner first → tenant last. Orgs with no saved layer are listed with has_layer: false and an empty layer.

        Hide chain attributes Show chain attributes object
        • organization_id string
        • organization_name string
        • organization_role string

          Values are owner, distributor, reseller, or customer.

        • has_layer boolean
        • layer object

          The caller's alerting configuration. This is what POST /alerts/config accepts and what GET /alerts/config returns; the merged effective config that backs Mimir is computed server-side and never exposed.

          Each recipient carries its own severities[] (empty = all severities); email recipients additionally carry per-recipient language and format. Channel toggles under enabled are tri-state: null = no opinion at this layer (inherit), true = enabled, false = disabled (Owner only — non-Owner false is normalised to null on save).

          Body size: the request body is capped at 1 MiB on POST. Oversized requests are rejected with HTTP 413 before binding.

          Hide layer attributes Show layer attributes object
          • enabled object

            Per-layer enable/disable for each notification channel. Each value is tri-state:

            • true — explicitly enabled at this layer
            • false — explicitly disabled (Owner only; non-Owner false is normalised to null on save)
            • null — no opinion at this layer; effective state inherits from the merge of any ancestor layer that took a position. If no layer in the chain enables a channel, the channel stays off.
            Hide enabled attributes Show enabled attributes object
            • email boolean | null
            • webhook boolean | null
            • telegram boolean | null
          • email_recipients array[object]

            Not more than 50 elements.

            Hide email_recipients attributes Show email_recipients attributes object
            • address string(email) Required

              Maximum length is 320.

            • severities array[string]

              Severity scope for this recipient. Empty (or omitted) means "all severities" — the recipient lands on every per-severity receiver. A non-empty subset narrows delivery to those severities.

              Not more than 3 elements. Values are critical, warning, or info.

            • language string

              Rendering language for this recipient's email body and subject. Defaults to en when omitted.

              Values are en or it.

            • format string

              Body format preference. html (default) emits multipart with an html primary body and text alternative; plain emits only a text body.

              Values are html or plain.

          • webhook_recipients array[object]

            Not more than 20 elements.

            Hide webhook_recipients attributes Show webhook_recipients attributes object
            • name string Required

              Descriptive label for the webhook target (UI only).

              Maximum length is 100.

            • url string(uri) Required

              Webhook URL. Validation rejects non-public destinations (loopback, RFC1918, RFC6598 CGNAT, link-local, multicast, cloud metadata) and requires a canonical hostname (containing at least one letter) or a valid IP literal. Only http/https schemes are accepted; URLs cannot embed userinfo.

              Maximum length is 2048.

            • severities array[string]

              Not more than 3 elements. Values are critical, warning, or info.

          • telegram_recipients array[object]

            Not more than 20 elements.

            Hide telegram_recipients attributes Show telegram_recipients attributes object
            • bot_token string Required

              Maximum length is 256.

            • chat_id integer(int64) Required
            • severities array[string]

              Not more than 3 elements. Values are critical, warning, or info.

        • updated_by_name string | null
        • updated_at string(date-time) | null
      • effective object

        The caller's alerting configuration. This is what POST /alerts/config accepts and what GET /alerts/config returns; the merged effective config that backs Mimir is computed server-side and never exposed.

        Each recipient carries its own severities[] (empty = all severities); email recipients additionally carry per-recipient language and format. Channel toggles under enabled are tri-state: null = no opinion at this layer (inherit), true = enabled, false = disabled (Owner only — non-Owner false is normalised to null on save).

        Body size: the request body is capped at 1 MiB on POST. Oversized requests are rejected with HTTP 413 before binding.

        Hide effective attributes Show effective attributes object
        • enabled object

          Per-layer enable/disable for each notification channel. Each value is tri-state:

          • true — explicitly enabled at this layer
          • false — explicitly disabled (Owner only; non-Owner false is normalised to null on save)
          • null — no opinion at this layer; effective state inherits from the merge of any ancestor layer that took a position. If no layer in the chain enables a channel, the channel stays off.
          Hide enabled attributes Show enabled attributes object
          • email boolean | null
          • webhook boolean | null
          • telegram boolean | null
        • email_recipients array[object]

          Not more than 50 elements.

          Hide email_recipients attributes Show email_recipients attributes object
          • address string(email) Required

            Maximum length is 320.

          • severities array[string]

            Severity scope for this recipient. Empty (or omitted) means "all severities" — the recipient lands on every per-severity receiver. A non-empty subset narrows delivery to those severities.

            Not more than 3 elements. Values are critical, warning, or info.

          • language string

            Rendering language for this recipient's email body and subject. Defaults to en when omitted.

            Values are en or it.

          • format string

            Body format preference. html (default) emits multipart with an html primary body and text alternative; plain emits only a text body.

            Values are html or plain.

        • webhook_recipients array[object]

          Not more than 20 elements.

          Hide webhook_recipients attributes Show webhook_recipients attributes object
          • name string Required

            Descriptive label for the webhook target (UI only).

            Maximum length is 100.

          • url string(uri) Required

            Webhook URL. Validation rejects non-public destinations (loopback, RFC1918, RFC6598 CGNAT, link-local, multicast, cloud metadata) and requires a canonical hostname (containing at least one letter) or a valid IP literal. Only http/https schemes are accepted; URLs cannot embed userinfo.

            Maximum length is 2048.

          • severities array[string]

            Not more than 3 elements. Values are critical, warning, or info.

        • telegram_recipients array[object]

          Not more than 20 elements.

          Hide telegram_recipients attributes Show telegram_recipients attributes object
          • bot_token string Required

            Maximum length is 256.

          • chat_id integer(int64) Required
          • severities array[string]

            Not more than 3 elements. Values are critical, warning, or info.

      • yaml string

        Rendered Alertmanager YAML (secrets redacted).
  • 400 application/json

    Bad request - validation error

    Hide response attributes Show response attributes object
    • code integer

      HTTP error code

    • message string

      Error message

    • data object
      Hide data attributes Show data attributes object
      • type string

        Type of error

        Values are validation_error or external_api_error.

      • errors array[object]
        Hide errors attributes Show errors attributes object
        • key string

          Field name that failed validation

        • message string

          Error code or message

        • value string

          Value that failed validation

      • details

        Additional error details
  • 401 application/json

    Unauthorized - invalid or missing token

    Hide response attributes Show response attributes object
    • code integer
    • message string
    • data object | null
  • 403 application/json

    Forbidden - insufficient permissions

    Hide response attributes Show response attributes object
    • code integer
    • message string
    • data object | null
  • 422 application/json

    Unprocessable entity - business logic error

    Hide response attributes Show response attributes object
    • code integer

      HTTP error code

    • message string

      Error message

    • data object
      Hide data attributes Show data attributes object
      • type string

        Type of error

        Values are validation_error or external_api_error.

      • errors array[object]
        Hide errors attributes Show errors attributes object
        • key string

          Field name that failed validation

        • message string

          Error code or message

        • value string

          Value that failed validation

      • details

        Additional error details
GET /alerts/config/effective 
curl \
 --request GET 'https://api.your-domain.com/api/alerts/config/effective?organization_id=string' \
 --header "Authorization: Bearer $ACCESS_TOKEN"
Response examples (200) 
{
  "code": 200,
  "message": "effective alerting configuration retrieved successfully",
  "data": {
    "organization_id": "string",
    "chain": [
      {
        "organization_id": "string",
        "organization_name": "string",
        "organization_role": "owner",
        "has_layer": true,
        "layer": {
          "enabled": {
            "email": true,
            "webhook": true,
            "telegram": true
          },
          "email_recipients": [
            {
              "address": "hello@example.com",
              "severities": [
                "critical"
              ],
              "language": "en",
              "format": "html"
            }
          ],
          "webhook_recipients": [
            {
              "name": "string",
              "url": "https://example.com",
              "severities": [
                "critical"
              ]
            }
          ],
          "telegram_recipients": [
            {
              "bot_token": "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11",
              "chat_id": -1001234567890,
              "severities": [
                "critical"
              ]
            }
          ]
        },
        "updated_by_name": "string",
        "updated_at": "2026-05-04T09:42:00Z"
      }
    ],
    "effective": {
      "enabled": {
        "email": true,
        "webhook": true,
        "telegram": true
      },
      "email_recipients": [
        {
          "address": "hello@example.com",
          "severities": [
            "critical"
          ],
          "language": "en",
          "format": "html"
        }
      ],
      "webhook_recipients": [
        {
          "name": "string",
          "url": "https://example.com",
          "severities": [
            "critical"
          ]
        }
      ],
      "telegram_recipients": [
        {
          "bot_token": "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11",
          "chat_id": -1001234567890,
          "severities": [
            "critical"
          ]
        }
      ]
    },
    "yaml": "string"
  }
}
Response examples (400) 
{
  "code": 400,
  "message": "validation failed",
  "data": {
    "type": "validation_error",
    "errors": [
      {
        "key": "username",
        "message": "required",
        "value": "string"
      }
    ]
  }
}
Response examples (401) 
{
  "code": 401,
  "message": "invalid token",
  "data": {}
}
Response examples (403) 
{
  "code": 403,
  "message": "insufficient permissions",
  "data": {}
}
Response examples (422) 
{
  "code": 400,
  "message": "validation failed",
  "data": {
    "type": "validation_error",
    "errors": [
      {
        "key": "username",
        "message": "required",
        "value": "string"
      }
    ]
  }
}