Introduction - Guardhouse

The Guardhouse API gives external systems programmatic access to your incident reports, live operations, timesheets, staff, customers, sites, and webhook event subscriptions. It is a JSON REST API over HTTPS, secured with short-lived JWT bearer tokens that you obtain by exchanging an API key.

Base URLs

Use the base URL for your Guardhouse region:

Region	Base URL
AU	`https://gateway-api.guardhousehq.com`
UK	`https://gateway-api.guardhousehq.co.uk`

Authentication

All read endpoints expect a JWT bearer token sent as Authorization: Bearer <token>. The token-issuance endpoints are not yet documented in this reference — contact your Guardhouse representative for the current onboarding flow and to receive an API key.

Scopes and key types

Every API key is issued with a KeyType that controls which endpoints it can call:

`KeyType`	Endpoints
`incidentreport`	All `/api/external/incidentreport` and `/api/external/incidentreports/` endpoints
`liveops`	Live Operations endpoint
`webhook`	All `/api/webhook/*` endpoints

The remaining read endpoints (/api/external/staffs, /api/external/staffs/{id}/licenses, /api/external/customers, /api/external/sites) require any authenticated Public key today and are scoped by your CompanyId, CustomerId, and SiteId claims rather than by KeyType. A dedicated KeyType=timesheet is staged in the codebase but not yet enforced. Calling an endpoint with the wrong KeyType returns 403 Forbidden. Keys are also scoped by CompanyId, CustomerId, and SiteId claims — passing IDs outside that scope is also rejected with 403.

Response envelope

Every JSON endpoint returns the same wrapper:

{
  "status": { "code": 0, "errorMessage": "" },
  "data":   { /* endpoint payload */ },
  "count":  null,
  "message": "",
  "errors": []
}

Paginated incident-report endpoints add full cursor metadata:

{
  "status":            { "code": 0, "errorMessage": "" },
  "data":              [ /* items */ ],
  "recordCount":       100,
  "totalRecordCount":  4823,
  "prevPageEndpoint":  null,
  "prevPageParams":    null,
  "nextPageEndpoint":  "/api/external/incidentreports/getall",
  "nextPageParams":    "direction=next&referenceId=8429"
}

The newer paginated endpoints (/api/external/timesheets, /api/external/staffs, /api/external/customers, /api/external/sites) use a slimmer cursor envelope:

{
  "status":             { "code": 0, "errorMessage": "" },
  "data":               [ /* items */ ],
  "nextPageParameter":  "direction=next&referenceId=8429",
  "prevPageParameter":  null
}

The Live Operations endpoint uses its own envelope with isSuccess, numeric status, statusMessage, errorMessages, and errorMessagesAsString fields. See the Errors guide for the meaning of status.code and the shape of the errors array.

Pagination

List endpoints use cursor-based pagination. To page forward:

Issue the initial request with direction=next (the default).
Read the last item’s identifier from data (typically incidentReportId).
Pass that value as referenceId on the next request, keeping direction=next.

To page backward, set direction=prev and pass referenceId from the first item. The response’s nextPageParams and prevPageParams give you the exact query string to use for the next call — you can append them directly to the endpoint URL.

Rate limits

External and webhook endpoints are limited to 60 requests per minute per API key. Requests beyond the limit return 429 Too Many Requests. The token-issuance endpoints (/api/token/*) are not rate-limited.

Webhooks

If your KeyType=webhook key is provisioned, you can register subscribers and event subscriptions so Guardhouse pushes notifications to your systems when reports or timesheets change. See the Webhooks guide for the registration flow, signature validation, and the supported event catalog.

​Base URLs

​Authentication

​Scopes and key types

​Response envelope

​Pagination

​Rate limits

​Webhooks