Translation pending — read in English.

Platform beta

GA Flight for developers.

A read-only public API, outbound webhooks signed with HMAC-SHA256, and a small honest event catalog. If it is not on this page, we do not promise it yet.

Keys and webhook endpoints are managed inside the GA Flight console, under Settings → Integrations.

Translation pending — read in English.

Authentication

Mint an API key from the console. The raw token is shown exactly once; we store only a SHA-256 hash. Send it on every request:

GET /api/v1/public/flights
Authorization: Bearer gaf_pk_<your-token>
X-Org-Id: <your-organization-uuid>

Public endpoints

All read-only during beta. Each endpoint requires a scoped API key.

Endpoint	Required scope	Description
GET /api/v1/public/pilots	public.pilots:read	Pilot directory
GET /api/v1/public/flights	public.flights:read	Flight records
GET /api/v1/public/fleet	public.fleet:read	Fleet list
GET /api/v1/public/compliance	public.compliance:read	Compliance records
GET /api/v1/public/training-progress	public.training:read	Training progress
GET /api/v1/public/training/signoffs	public.signoffs:read	Training signoffs (filterable by student/program/period)
GET /api/v1/public/finance-summaries	public.finance:read	Finance summaries
GET /api/v1/public/invoices	public.invoices:read	Paginated list of invoices
GET /api/v1/public/invoices/{id}	public.invoices:read	Invoice detail with line items
GET /api/v1/public/maintenance/due	public.maintenance:read	Aircraft maintenance due summary (per-aircraft overdue/upcoming/ok counts)
GET /api/v1/public/maintenance/work-orders	public.maintenance:read	Work order list with status filter
GET /api/v1/public/maintenance/work-orders/{id}	public.maintenance:read	Work order detail
GET /api/v1/public/vtr	public.vtr:read	VTR list issued by the org
GET /api/v1/public/vtr/{id}	public.vtr:read	VTR detail (metadata only, no certificate content)
GET /api/v1/public/planning/sessions	public.planning:read	Planning sessions list (filterable by date range/aircraft/instructor)
GET /api/v1/public/planning/sessions/{id}	public.planning:read	Planning session detail with polymorphic resource reference
GET /api/v1/public/events	public.events:read	Event log

Download the full machine-readable spec: OpenAPI 3.1 specOAS 3.1

Webhook signing

Every delivery is signed with HMAC-SHA256 of the raw request body, using the signing secret the console revealed when you created the endpoint.

X-GA-Webhook-Delivery: <uuid>
X-GA-Webhook-Timestamp: 2026-04-24T12:03:11Z
X-GA-Webhook-Signature: sha256=<hex(hmac(secret, rawBody))>
Content-Type: application/json

Node.js verification example:

const crypto = require("crypto");
function verify(rawBody, headerSig, secret) {
  const expected =
    "sha256=" + crypto.createHmac("sha256", secret)
                      .update(rawBody)
                      .digest("hex");
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(headerSig),
  );
}

Deliveries are retried up to 5 times with exponential backoff starting at one second. We do not guarantee exactly-once delivery. Consumers must be idempotent — dedupe on the X-GA-Webhook-Delivery header.

Event catalog

Only the event types below are actually wired to transactional emission points. The console offers a Ping action on every endpoint that exercises the full signing and delivery path without depending on any of these.

Event	Stability	Fires when…
flight.submitted	stable	A flight is submitted for approval.
flight.approved	stable	A flight is approved and posted.
flight.rejected	beta	A flight submission is rejected.
maintenance.alert	beta	A maintenance due-item or work-order alert fires.
compliance.updated	beta	A compliance record is created or updated.
training.signoff.recorded	beta	A program item is signed off for a student.
webhook.test	stable	You click Ping on a webhook endpoint.

What we do not promise yet

If something is not on this page, assume it is not supported. We would rather undersell the beta than have partners build against surfaces we cannot keep stable.

Exactly-once delivery.
Guaranteed ordering across event types.
Write API endpoints — the v1 public API is read-only.
OAuth / user-delegated access — only org-scoped API keys today.
Packaged partner connectors — on the roadmap, not yet shipped.

Public endpoints

All read-only during beta. Each endpoint requires a scoped API key.

Endpoint	Required scope	Description
GET /api/v1/public/pilots	public.pilots:read	Pilot directory
GET /api/v1/public/flights	public.flights:read	Flight records
GET /api/v1/public/fleet	public.fleet:read	Fleet list
GET /api/v1/public/compliance	public.compliance:read	Compliance records
GET /api/v1/public/training-progress	public.training:read	Training progress
GET /api/v1/public/training/signoffs	public.signoffs:read	Training signoffs (filterable by student/program/period)
GET /api/v1/public/finance-summaries	public.finance:read	Finance summaries
GET /api/v1/public/invoices	public.invoices:read	Paginated list of invoices
GET /api/v1/public/invoices/{id}	public.invoices:read	Invoice detail with line items
GET /api/v1/public/maintenance/due	public.maintenance:read	Aircraft maintenance due summary (per-aircraft overdue/upcoming/ok counts)
GET /api/v1/public/maintenance/work-orders	public.maintenance:read	Work order list with status filter
GET /api/v1/public/maintenance/work-orders/{id}	public.maintenance:read	Work order detail
GET /api/v1/public/vtr	public.vtr:read	VTR list issued by the org
GET /api/v1/public/vtr/{id}	public.vtr:read	VTR detail (metadata only, no certificate content)
GET /api/v1/public/planning/sessions	public.planning:read	Planning sessions list (filterable by date range/aircraft/instructor)
GET /api/v1/public/planning/sessions/{id}	public.planning:read	Planning session detail with polymorphic resource reference
GET /api/v1/public/events	public.events:read	Event log

Download the full machine-readable spec: OpenAPI 3.1 specOAS 3.1

Webhook signing

Every delivery is signed with HMAC-SHA256 of the raw request body, using the signing secret the console revealed when you created the endpoint.

X-GA-Webhook-Delivery: <uuid> X-GA-Webhook-Timestamp: 2026-04-24T12:03:11Z X-GA-Webhook-Signature: sha256=<hex(hmac(secret, rawBody))> Content-Type: application/json

Node.js verification example:

const crypto = require("crypto"); function verify(rawBody, headerSig, secret) { const expected = "sha256=" + crypto.createHmac("sha256", secret) .update(rawBody) .digest("hex"); return crypto.timingSafeEqual( Buffer.from(expected), Buffer.from(headerSig), ); }

Event catalog

Event	Stability	Fires when…
flight.submitted	stable	A flight is submitted for approval.
flight.approved	stable	A flight is approved and posted.
flight.rejected	beta	A flight submission is rejected.
maintenance.alert	beta	A maintenance due-item or work-order alert fires.
compliance.updated	beta	A compliance record is created or updated.
training.signoff.recorded	beta	A program item is signed off for a student.
webhook.test	stable	You click Ping on a webhook endpoint.

What we do not promise yet

If something is not on this page, assume it is not supported. We would rather undersell the beta than have partners build against surfaces we cannot keep stable.

Exactly-once delivery.

Guaranteed ordering across event types.

Write API endpoints — the v1 public API is read-only.

OAuth / user-delegated access — only org-scoped API keys today.

Packaged partner connectors — on the roadmap, not yet shipped.

Translation pending — read in English.

Voir la référence API →

Platform beta

GA Flight for developers.

A read-only public API, outbound webhooks signed with HMAC-SHA256, and a small honest event catalog. If it is not on this page, we do not promise it yet.

Keys and webhook endpoints are managed inside the GA Flight console, under Settings → Integrations.

Translation pending — read in English.

Authentication

Mint an API key from the console. The raw token is shown exactly once; we store only a SHA-256 hash. Send it on every request:

GET /api/v1/public/flights
Authorization: Bearer gaf_pk_<your-token>
X-Org-Id: <your-organization-uuid>

Public endpoints

All read-only during beta. Each endpoint requires a scoped API key.

Endpoint	Required scope	Description
GET /api/v1/public/pilots	public.pilots:read	Pilot directory
GET /api/v1/public/flights	public.flights:read	Flight records
GET /api/v1/public/fleet	public.fleet:read	Fleet list
GET /api/v1/public/compliance	public.compliance:read	Compliance records
GET /api/v1/public/training-progress	public.training:read	Training progress
GET /api/v1/public/training/signoffs	public.signoffs:read	Training signoffs (filterable by student/program/period)
GET /api/v1/public/finance-summaries	public.finance:read	Finance summaries
GET /api/v1/public/invoices	public.invoices:read	Paginated list of invoices
GET /api/v1/public/invoices/{id}	public.invoices:read	Invoice detail with line items
GET /api/v1/public/maintenance/due	public.maintenance:read	Aircraft maintenance due summary (per-aircraft overdue/upcoming/ok counts)
GET /api/v1/public/maintenance/work-orders	public.maintenance:read	Work order list with status filter
GET /api/v1/public/maintenance/work-orders/{id}	public.maintenance:read	Work order detail
GET /api/v1/public/vtr	public.vtr:read	VTR list issued by the org
GET /api/v1/public/vtr/{id}	public.vtr:read	VTR detail (metadata only, no certificate content)
GET /api/v1/public/planning/sessions	public.planning:read	Planning sessions list (filterable by date range/aircraft/instructor)
GET /api/v1/public/planning/sessions/{id}	public.planning:read	Planning session detail with polymorphic resource reference
GET /api/v1/public/events	public.events:read	Event log

Download the full machine-readable spec: OpenAPI 3.1 specOAS 3.1

Webhook signing

Every delivery is signed with HMAC-SHA256 of the raw request body, using the signing secret the console revealed when you created the endpoint.

X-GA-Webhook-Delivery: <uuid>
X-GA-Webhook-Timestamp: 2026-04-24T12:03:11Z
X-GA-Webhook-Signature: sha256=<hex(hmac(secret, rawBody))>
Content-Type: application/json

Node.js verification example:

const crypto = require("crypto");
function verify(rawBody, headerSig, secret) {
  const expected =
    "sha256=" + crypto.createHmac("sha256", secret)
                      .update(rawBody)
                      .digest("hex");
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(headerSig),
  );
}

Event catalog

Event	Stability	Fires when…
flight.submitted	stable	A flight is submitted for approval.
flight.approved	stable	A flight is approved and posted.
flight.rejected	beta	A flight submission is rejected.
maintenance.alert	beta	A maintenance due-item or work-order alert fires.
compliance.updated	beta	A compliance record is created or updated.
training.signoff.recorded	beta	A program item is signed off for a student.
webhook.test	stable	You click Ping on a webhook endpoint.

What we do not promise yet

If something is not on this page, assume it is not supported. We would rather undersell the beta than have partners build against surfaces we cannot keep stable.

Exactly-once delivery.
Guaranteed ordering across event types.
Write API endpoints — the v1 public API is read-only.
OAuth / user-delegated access — only org-scoped API keys today.
Packaged partner connectors — on the roadmap, not yet shipped.