> ## Documentation Index
> Fetch the complete documentation index at: https://docs.trusys.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure monitoring

> Creates or updates monitoring for an application.

First call — if no monitoring record exists yet, Trusys creates one with default sampling and no metrics or plugins configured.

Subsequent calls — merge updates into the existing configuration; fields you omit are left unchanged.

At least one field must be provided. Configure metrics and/or plugins before calling POST /applications/{applicationId}/evaluations — evaluations fail if neither is set.



## OpenAPI

````yaml /openapi.json put /applications/{applicationId}/monitoring
openapi: 3.0.0
info:
  title: Trusys API
  version: 1.0.0
  description: >-
    Programmatic access to Trusys for integrating AI quality monitoring,
    evaluation, and guardrails into your own systems — without using the Trusys
    UI.


    **Typical integration flow**


    1. `POST /applications` — register your application and get an id.

    2. `PUT /applications/{id}/monitoring` and/or `PUT
    /applications/{id}/guardrails` — configure which metrics, security plugins,
    and guardrails apply.

    3. `POST /applications/{id}/evaluations` — submit prompt/response traces to
    be scored as your application runs.

    4. `GET /applications/{id}/traces`, `GET /applications/{id}/evaluations`,
    and `POST /applications/{id}/widget-data` — pull results, trends, and
    dashboard-equivalent chart data back into your own tools.


    All requests require an `x-api-key` header (see Authentication). All
    timestamps are ISO 8601 UTC. Paginated endpoints default to 20 items per
    page (max 100).
servers:
  - url: https://app.trusys.ai/api/external
security:
  - ApiKeyAuth: []
paths:
  /applications/{applicationId}/monitoring:
    put:
      tags:
        - Monitoring
      summary: Configure monitoring
      description: >-
        Creates or updates monitoring for an application.


        First call — if no monitoring record exists yet, Trusys creates one with
        default sampling and no metrics or plugins configured.


        Subsequent calls — merge updates into the existing configuration; fields
        you omit are left unchanged.


        At least one field must be provided. Configure metrics and/or plugins
        before calling POST /applications/{applicationId}/evaluations —
        evaluations fail if neither is set.
      operationId: updateMonitoringConfig
      parameters:
        - $ref: '#/components/parameters/applicationId'
      requestBody:
        required: true
        description: >-
          Monitoring settings. Metric `type` values come from `GET
          /metrics/eval`; plugin IDs from `GET /metrics/security`.
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PutMonitoringRequest'
            example:
              metrics:
                - type: answer-relevance
                  threshold: 0.7
              plugins:
                harmful:
                  - harmful:hate
              securityPurpose: Customer support chatbot handling account queries
              securityConfig:
                purpose: Customer support chatbot handling account queries
                hasAccessTo: >-
                  Help center knowledge base, customer profile metadata
                  (non-sensitive)
                userTypes: Retail customers, customer support agents
      responses:
        '200':
          description: Monitoring configuration saved.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MonitoringConfigResponse'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
components:
  parameters:
    applicationId:
      name: applicationId
      in: path
      required: true
      schema:
        type: string
        format: uuid
      description: >-
        Unique identifier (UUID) of the application. Returned by `POST
        /applications`.
  schemas:
    PutMonitoringRequest:
      type: object
      additionalProperties: false
      description: Monitoring configuration update. At least one field is required.
      properties:
        metrics:
          type: array
          description: >-
            Quality evaluation metrics to run. Each item is a metric object;
            include `type` from the eval catalog and any metric-specific options
            (for example `threshold`).
          items:
            type: object
        plugins:
          type: object
          description: >-
            Security plugins grouped by risk category. Values are arrays of
            plugin IDs (for example `harmful:hate`).
          additionalProperties:
            type: array
            items:
              type: string
        securityPurpose:
          type: string
          description: >-
            Shorthand for `securityConfig.purpose`. Prefer `securityConfig` when
            setting multiple security context fields. If both are provided,
            `securityPurpose` sets `purpose` after `securityConfig` is applied.
        securityConfig:
          $ref: '#/components/schemas/ExternalSecurityConfig'
    MonitoringConfigResponse:
      type: object
      properties:
        success:
          type: boolean
        data:
          $ref: '#/components/schemas/MonitoringConfigData'
    ExternalSecurityConfig:
      type: object
      additionalProperties: false
      description: >-
        Application security context used to tailor adversarial security
        testing. All fields are optional on update; omitted keys are left
        unchanged. Provide `purpose` (or top-level `securityPurpose`) to
        describe what the AI application does.
      properties:
        purpose:
          type: string
          description: The primary objective of the AI in this application.
        hasAccessTo:
          type: string
          description: >-
            Systems, data, or resources the application legitimately has access
            to (RBAC and data-scope context for security testing).
        doesNotHaveAccessTo:
          type: string
          description: >-
            Systems and data the application should not access (unauthorized
            access and exfiltration scenarios).
        userTypes:
          type: string
          description: >-
            User roles and permissions that interact with the application
            (privilege escalation and role abuse scenarios).
        securityRequirements:
          type: string
          description: >-
            Security and compliance requirements (for example HIPAA, audit
            logging) for policy enforcement tests.
        sensitiveDataTypes:
          type: string
          description: >-
            Sensitive data categories handled by the application
            (privacy-related attack scenarios).
        exampleIdentifiers:
          type: string
          description: >-
            Example identifiers, names, or data points used by the application
            (exposure and pattern leak tests).
        criticalActions:
          type: string
          description: >-
            High-risk operations the application can perform (misuse and
            escalation tests).
        forbiddenTopics:
          type: string
          description: >-
            Content or topics the application must never discuss (content-policy
            bypass and prompt-injection tests).
        competitors:
          type: string
          description: Competitor names that should not be endorsed or promoted.
        redteamUser:
          type: string
          description: Persona used during adversarial security testing.
    MonitoringConfigData:
      type: object
      description: >-
        Monitoring evaluation metrics, security plugins, and application
        security context.
      properties:
        metrics:
          type: array
          description: Quality metrics to run on ingested traces.
          items:
            type: object
        plugins:
          type: object
          description: Enabled security plugins grouped by risk category.
          additionalProperties:
            type: array
            items:
              type: string
        securityPurpose:
          type: string
          description: Same as `securityConfig.purpose` when present.
        securityConfig:
          $ref: '#/components/schemas/ExternalSecurityConfig'
        logLocation:
          type: string
          description: Where traces are ingested from (for example `sdk`).
    ValidationErrorResponse:
      type: object
      description: Returned when request body or query parameters fail validation.
      properties:
        success:
          type: boolean
          example: false
        message:
          type: string
          example: Invalid request body
          description: Summary of the validation failure.
        errors:
          type: array
          description: Per-field validation errors.
          items:
            type: object
            properties:
              path:
                type: string
                description: >-
                  JSON path to the invalid field (for example
                  `traces.0.prompt`).
              message:
                type: string
                description: Why the field failed validation.
    ErrorResponse:
      type: object
      description: Standard error envelope for non-validation failures.
      properties:
        success:
          type: boolean
          example: false
          description: Always `false` for errors.
        message:
          type: string
          description: Human-readable explanation of the error.
      required:
        - success
        - message
  responses:
    ValidationError:
      description: >-
        The request body or query parameters are invalid. See the `errors` array
        for field-level detail.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ValidationErrorResponse'
          example:
            success: false
            message: Invalid request body
            errors:
              - path: name
                message: name is required
    Unauthorized:
      description: >-
        The API key is missing, invalid, or revoked. Verify the `x-api-key`
        header and that the key is active in Trusys settings.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
          example:
            message: Error while verifying api key
    NotFound:
      description: The requested resource does not exist, or your API key cannot access it.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
          example:
            success: false
            message: Application not found
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key
      description: >-
        Your Trusys API key. Create and manage keys in the Trusys UI under
        **Settings → API Keys**.


        Include the key on every request:


        ```

        x-api-key: <your-api-key>

        ```

````