Looking for the full interactive reference?
Open API Reference →GA Flight for developers.
A read-only public API, outbound webhooks signed with HMAC-SHA256, and a small honest event catalog. If it is not on this page, we do not promise it yet.
Keys and webhook endpoints are managed inside the GA Flight console, under Settings → Integrations.
Authentication
Mint an API key from the console. The raw token is shown exactly once; we store only a SHA-256 hash. Send it on every request:
GET /api/v1/public/flights Authorization: Bearer gaf_pk_<your-token> X-Org-Id: <your-organization-uuid>
Public endpoints
All read-only during beta. Each endpoint requires a scoped API key.
| Endpoint | Required scope | Description |
|---|---|---|
| GET /api/v1/public/pilots | public.pilots:read | Pilot directory |
| GET /api/v1/public/flights | public.flights:read | Flight records |
| GET /api/v1/public/fleet | public.fleet:read | Fleet list |
| GET /api/v1/public/compliance | public.compliance:read | Compliance records |
| GET /api/v1/public/training-progress | public.training:read | Training progress |
| GET /api/v1/public/training/signoffs | public.signoffs:read | Training signoffs (filterable by student/program/period) |
| GET /api/v1/public/finance-summaries | public.finance:read | Finance summaries |
| GET /api/v1/public/invoices | public.invoices:read | Paginated list of invoices |
| GET /api/v1/public/invoices/{id} | public.invoices:read | Invoice detail with line items |
| GET /api/v1/public/maintenance/due | public.maintenance:read | Aircraft maintenance due summary (per-aircraft overdue/upcoming/ok counts) |
| GET /api/v1/public/maintenance/work-orders | public.maintenance:read | Work order list with status filter |
| GET /api/v1/public/maintenance/work-orders/{id} | public.maintenance:read | Work order detail |
| GET /api/v1/public/vtr | public.vtr:read | VTR list issued by the org |
| GET /api/v1/public/vtr/{id} | public.vtr:read | VTR detail (metadata only, no certificate content) |
| GET /api/v1/public/planning/sessions | public.planning:read | Planning sessions list (filterable by date range/aircraft/instructor) |
| GET /api/v1/public/planning/sessions/{id} | public.planning:read | Planning session detail with polymorphic resource reference |
| GET /api/v1/public/events | public.events:read | Event log |
| POST /api/v1/public/events/{id}/replay | public.events:replay | Replay a single event delivery |
Download the full machine-readable spec: OpenAPI 3.1 specOAS 3.1
Webhook signing
Every delivery is signed with HMAC-SHA256 of the raw request body, using the signing secret the console revealed when you created the endpoint.
X-GA-Webhook-Delivery: <uuid> X-GA-Webhook-Timestamp: 2026-04-24T12:03:11Z X-GA-Webhook-Signature: sha256=<hex(hmac(secret, rawBody))> Content-Type: application/json
Node.js verification example:
const crypto = require("crypto");
function verify(rawBody, headerSig, secret) {
const expected =
"sha256=" + crypto.createHmac("sha256", secret)
.update(rawBody)
.digest("hex");
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(headerSig),
);
}Deliveries are retried up to 5 times with exponential backoff starting at one second. We do not guarantee exactly-once delivery. Consumers must be idempotent — dedupe on the X-GA-Webhook-Delivery header.
Event catalog
Only the event types below are actually wired to transactional emission points. The console offers a Ping action on every endpoint that exercises the full signing and delivery path without depending on any of these.
| Event | Stability | Fires when… |
|---|---|---|
| flight.submitted | stable | A flight is submitted for approval. |
| flight.approved | stable | A flight is approved and posted. |
| flight.rejected | beta | A flight submission is rejected. |
| maintenance.alert | beta | A maintenance due-item or work-order alert fires. |
| compliance.updated | beta | A compliance record is created or updated. |
| training.signoff.recorded | beta | A program item is signed off for a student. |
| webhook.test | stable | You click Ping on a webhook endpoint. |
What we do not promise yet
If something is not on this page, assume it is not supported. We would rather undersell the beta than have partners build against surfaces we cannot keep stable.
- Exactly-once delivery.
- Guaranteed ordering across event types.
- Write API endpoints — the v1 public API is read-only.
- OAuth / user-delegated access — only org-scoped API keys today.
- Packaged partner connectors — on the roadmap, not yet shipped.