List evidence

curl --request GET \
  --url https://api.example.com/v1/triage/{incidentId}/evidence \
  --header 'Authorization: <authorization>'

GET

triage

{incidentId}

evidence

List evidence

curl --request GET \
  --url https://api.example.com/v1/triage/{incidentId}/evidence \
  --header 'Authorization: <authorization>'

Overview

Returns the full set of evidence items gathered by the triage pipeline for an incident. Evidence includes logs, metrics, deployment events, and code changes correlated with the incident window. Required role: admin or member

Request headers

Authorization

string

required

JWT Bearer token. Format: Bearer <your-jwt>.

Path parameters

incidentId

string

required

The unique identifier of the incident. Example: inc_EXAMPLE_01JX.

Query parameters

type

string

Filter by evidence type. One of: log, metric, deployment, code_change, alert, runbook.

limit

integer

Maximum number of items to return. Default: 50. Maximum: 200.

cursor

string

Pagination cursor from a previous response nextCursor field.

Response

Returns 200 OK with a paginated list of evidence items.

{
  "items": [
    {
      "evidenceId": "evi_01HX9VTPQR3KF8MZWBYD5N6JCE",
      "type": "log",
      "source": "cloudwatch",
      "summary": "10,432 errors matching pattern 'connection refused' between 14:25–14:35 UTC",
      "severity": "critical",
      "timestamp": "2024-04-01T14:28:00Z",
      "rawSnippet": "FATAL: connection refused to payment-processor:5432 (timeout after 30s)"
    },
    {
      "evidenceId": "evi_01HX9VTPQR3KF8MZWBYD5N6JCF",
      "type": "deployment",
      "source": "github",
      "summary": "Deploy d9f3a21 pushed to production at 14:25 UTC — 3 minutes before incident",
      "severity": "high",
      "timestamp": "2024-04-01T14:25:00Z",
      "rawSnippet": "git push origin main @ d9f3a21 (checkout-service v2.4.1)"
    }
  ],
  "total": 14,
  "nextCursor": "eyJsYXN0SWQiOiJldmlfMDFIWDlWVFBRUjNLRjhNWldCWUQ1TjZKQ0YifQ"
}

Field	Type	Description
`evidenceId`	string	Unique identifier for this evidence item
`type`	string	Evidence category: `log`, `metric`, `deployment`, `code_change`, `alert`, `runbook`
`source`	string	System that produced this evidence (e.g. `cloudwatch`, `github`, `datadog`)
`summary`	string	AI-generated summary of the evidence item
`severity`	string	Relevance rating: `critical`, `high`, `medium`, `low`, `info`
`timestamp`	string	ISO 8601 timestamp of the evidence event
`rawSnippet`	string	Raw excerpt from the source system

Error responses

Status	Error code	Description
`401`	`unauthorized`	Missing or invalid JWT
`403`	`forbidden`	Caller lacks required role
`404`	`incident_not_found`	No incident with the given ID
`404`	`triage_not_started`	Triage has not yet run for this incident

Examples

curl "https://api.causeflow.ai/v1/triage/inc_EXAMPLE_01JX/evidence?type=deployment&limit=20" \
  -H "Authorization: Bearer eyJhbGc..."

Start triage

Trigger the triage pipeline for an incident

Add investigation context

Attach additional context to a running investigation

Get triage evidence Start investigation

Overview

Incidents

Triage

Investigation

Remediation

Memory and Chat

Skills

Triggers

Integrations

Knowledge

Graph

Billing

Notifications

Audit

Webhooks

GitHub

Tenants

API keys

Analytics

Health

Widget (roadmap)

List evidence

Overview

Request headers

Path parameters

Query parameters

Response

Error responses

Examples

Start triage

Add investigation context

Overview

Incidents

Triage

Investigation

Remediation

Memory and Chat

Skills

Triggers

Integrations

Knowledge

Graph

Billing

Notifications

Audit

Webhooks

GitHub

Tenants

API keys

Analytics

Health

Widget (roadmap)

​Overview

​Request headers

​Path parameters

​Query parameters

​Response

​Error responses

​Examples

Start triage

Add investigation context

Overview

Request headers

Path parameters

Query parameters

Response

Error responses

Examples