API reference
Every endpoint is documented via OpenAPI and rendered at api.manage365.com.au/docs. That's the source of truth — this page is the quick-start for auth and conventions.
Base URL
https://api.manage365.com.au/api/v1
Authentication
Every non-public endpoint requires a Bearer token in the Authorization header. Two token types are accepted:
- JWT — obtained via POST /auth/login, rotated via POST /auth/refresh. 15-minute expiry, used by the portal.
- API key — prefix m365_pk_. See API keys for lifecycle.
Error shape
{
  "statusCode": 400,
  "message": "title is required",
  "errors": [
    { "path": "title", "message": "title is required" }
  ]
}
Validation errors (Zod) return an errors array with path + message per field. Other errors follow Nest's default shape.
Tenant scoping
Resources scoped to a customer tenant live under /tenants/:tenantId/… — the ID is a Manage365 UUID, not a Microsoft tenant ID. The guard verifies the tenant belongs to your MSP before forwarding the call to Graph.
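A client-side sketch of the conventions above, added here as an example and not taken from Manage365's own code: it attaches the Bearer token, refuses to build a tenant path from anything that is not a UUID, and normalises both error shapes into one structure. The function names, the token value and the UUID are constructed for illustration.

```python
import json
import uuid
import urllib.request

BASE_URL = "https://api.manage365.com.au/api/v1"  # base URL from this page


def tenant_path(tenant_id: str, suffix: str = "") -> str:
    """Build /tenants/:tenantId/... and reject anything that is not a UUID."""
    # uuid.UUID raises ValueError on malformed input, so a value such as
    # "../alerts" can never be spliced into the request path.
    canonical = str(uuid.UUID(tenant_id))
    return f"/tenants/{canonical}" + (f"/{suffix.lstrip('/')}" if suffix else "")


def build_request(token: str, method: str, path: str, body=None):
    """Prepare (but do not send) a request carrying the Bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def parse_error(raw: bytes) -> dict:
    """Normalise an error body into status, message and per-field errors."""
    doc = json.loads(raw)
    message = doc.get("message", "")
    if isinstance(message, list):  # assumption: Nest may return a list here
        message = "; ".join(map(str, message))
    fields = {}
    for item in doc.get("errors") or []:  # only Zod validation errors have this
        fields.setdefault(item.get("path", ""), []).append(item.get("message", ""))
    return {"status": doc.get("statusCode"), "message": message, "fields": fields}


# Constructed sample bodies: the first mirrors the example on this page, the
# second is a Nest default-shape error with no errors array.
ZOD_BODY = (b'{"statusCode":400,"message":"title is required",'
            b'"errors":[{"path":"title","message":"title is required"}]}')
NEST_BODY = b'{"statusCode":404,"message":"Not Found"}'

if __name__ == "__main__":
    tid = "3f2b8c1e-9a4d-4e6f-8b1a-2c3d4e5f6a7b"  # constructed UUID
    req = build_request("m365_pk_EXAMPLE", "GET", tenant_path(tid, "users"))
    print(req.get_method(), req.full_url)
    print(parse_error(ZOD_BODY))
    print(parse_error(NEST_BODY))
```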
Rate limits
- Per-JWT: 1000 requests/minute
- Per-API-key: same as JWT limits (keys share the user quota)
- Graph calls: Manage365 tracks rate-limit headers from Microsoft and automatically retries 429 responses with exponential backoff
Common endpoints
| Method | Path | Purpose |
|---|---|---|
| GET | /tenants | List customer tenants |
| GET | /tenants/:id/users | List M365 users in a tenant |
| POST | /tenants/:id/standards/:stdId/apply | Apply a standard (<60s) |
| GET | /alerts?status=open | List open alerts across all tenants |
| POST | /inbound/:slug | Raise an alert from an external tool (Bearer = hook secret) |
For the full list, open the Swagger UI at api.manage365.com.au/docs.